LDAP + KERBEROS server configuration

I am setting up a Kerberos server following this guide. The system configuration of the Kerberos server is below; can someone help me solve the problem? Any help would be much appreciated.

This is the problem I see:

    root@openldap ~# kadmin -p admin
    Authenticating as principal admin with password.
    kadmin: Cannot resolve network address for admin server in requested realm while initializing kadmin interface

…and the related system information / configuration:

    root@openldap ~# uname -a
    Linux openldap 3.2.0-4-amd64 #1 SMP Debian 3.2.68-1+deb7u3 x86_64 GNU/Linux

    root@openldap ~# cat /etc/hosts
    127.0.0.1       localhost
    10.5.126.24:464 krb.ixsystems.com

    #Required for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

    root@openldap ~# cat /etc/krb5.conf
    [libdefaults]
            default_realm = IXSYSTEMS.COM
            forwardable = true
            proxiable = true

    [realms]
            IXSYSTEMS.COM = {
                    kdc = kdc1.ixsystems.com
                    admin_server = krb.ixsystems.com
            }

    [domain_realm]
            .ixsystems.com = IXSYSTEMS.COM
            ixsystems.com = IXSYSTEMS.COM

    [logging]
            kdc = FILE:/var/log/krb5/kdc.log
            admin_server = FILE:/var/log/krb5/kadmin.log
            default = FILE:/var/log/krb5/kadmin.log

    # The following krb5.conf variables are only for MIT Kerberos.
            krb4_config = /etc/krb.conf
            krb4_realms = /etc/krb.realms
            kdc_timesync = 1
            ccache_type = 4
            forwardable = true
            proxiable = true

    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented.  In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # Thie only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).

    #       default_tgs_enctypes = des3-hmac-sha1
    #       default_tkt_enctypes = des3-hmac-sha1
    #       permitted_enctypes = des3-hmac-sha1

    # The following libdefaults parameters are only for Heimdal Kerberos.
            v4_instance_resolve = false
            v4_name_convert = {
                    host = {
                            rcmd = host
                            ftp = ftp
                    }
                    plain = {
                            something = something-else
                    }
            }
            fcc-mit-ticketflags = true

    [realms]
            IXSYSTEMS.COM = {
                    kdc = kdc1.ixsystems.com
                    admin_server = krb.ixsystems.com
            }
            ATHENA.MIT.EDU = {
                    kdc = kerberos.mit.edu:88
                    kdc = kerberos-1.mit.edu:88
                    kdc = kerberos-2.mit.edu:88
                    admin_server = kerberos.mit.edu
                    default_domain = mit.edu
            }
            MEDIA-LAB.MIT.EDU = {
                    kdc = kerberos.media.mit.edu
                    admin_server = kerberos.media.mit.edu
            }
            ZONE.MIT.EDU = {
                    kdc = casio.mit.edu
                    kdc = seiko.mit.edu
                    admin_server = casio.mit.edu
            }
            MOOF.MIT.EDU = {
                    kdc = three-headed-dogcow.mit.edu:88
                    kdc = three-headed-dogcow-1.mit.edu:88
                    admin_server = three-headed-dogcow.mit.edu
            }
            CSAIL.MIT.EDU = {
                    kdc = kerberos-1.csail.mit.edu
                    kdc = kerberos-2.csail.mit.edu
                    admin_server = kerberos.csail.mit.edu
                    default_domain = csail.mit.edu
                    krb524_server = krb524.csail.mit.edu
            }
            IHTFP.ORG = {
                    kdc = kerberos.ihtfp.org
                    admin_server = kerberos.ihtfp.org
            }
            GNU.ORG = {
                    kdc = kerberos.gnu.org
                    kdc = kerberos-2.gnu.org
                    kdc = kerberos-3.gnu.org
                    admin_server = kerberos.gnu.org
            }
            1TS.ORG = {
                    kdc = kerberos.1ts.org
                    admin_server = kerberos.1ts.org
            }
            GRATUITOUS.ORG = {
                    kdc = kerberos.gratuitous.org
                    admin_server = kerberos.gratuitous.org
            }
            DOOMCOM.ORG = {
                    kdc = kerberos.doomcom.org
                    admin_server = kerberos.doomcom.org
            }
            ANDREW.CMU.EDU = {
                    kdc = kerberos.andrew.cmu.edu
                    kdc = kerberos2.andrew.cmu.edu
                    kdc = kerberos3.andrew.cmu.edu
                    admin_server = kerberos.andrew.cmu.edu
                    default_domain = andrew.cmu.edu
            }
            CS.CMU.EDU = {
                    kdc = kerberos.cs.cmu.edu
                    kdc = kerberos-2.srv.cs.cmu.edu
                    admin_server = kerberos.cs.cmu.edu
            }
            DEMENTIA.ORG = {
                    kdc = kerberos.dementix.org
                    kdc = kerberos2.dementix.org
                    admin_server = kerberos.dementix.org
            }
            stanford.edu = {
                    kdc = krb5auth1.stanford.edu
                    kdc = krb5auth2.stanford.edu
                    kdc = krb5auth3.stanford.edu
                    master_kdc = krb5auth1.stanford.edu
                    admin_server = krb5-admin.stanford.edu
                    default_domain = stanford.edu
            }
            UTORONTO.CA = {
                    kdc = kerberos1.utoronto.ca
                    kdc = kerberos2.utoronto.ca
                    kdc = kerberos3.utoronto.ca
                    admin_server = kerberos1.utoronto.ca
                    default_domain = utoronto.ca
            }

    [domain_realm]
            .mit.edu = ATHENA.MIT.EDU
            mit.edu = ATHENA.MIT.EDU
            .media.mit.edu = MEDIA-LAB.MIT.EDU
            media.mit.edu = MEDIA-LAB.MIT.EDU
            .csail.mit.edu = CSAIL.MIT.EDU
            csail.mit.edu = CSAIL.MIT.EDU
            .whoi.edu = ATHENA.MIT.EDU
            whoi.edu = ATHENA.MIT.EDU
            .stanford.edu = stanford.edu
            .slac.stanford.edu = SLAC.STANFORD.EDU
            .toronto.edu = UTORONTO.CA
            .utoronto.ca = UTORONTO.CA

    [login]
            krb4_convert = true
            krb4_get_tickets = false

    root@openldap ~# netstat -nlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 0.0.0.0:749             0.0.0.0:*               LISTEN      2061/kadmind
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2104/lighttpd
    tcp        0      0 0.0.0.0:464             0.0.0.0:*               LISTEN      2061/kadmind
    tcp        0      0 0.0.0.0:754             0.0.0.0:*               LISTEN      2299/xinetd
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2266/sshd
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2104/lighttpd
    tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN      2191/slapd
    tcp        0      0 0.0.0.0:12320           0.0.0.0:*               LISTEN      2176/shellinaboxd
    tcp        0      0 0.0.0.0:12321           0.0.0.0:*               LISTEN      2363/perl
    tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2191/slapd
    tcp6       0      0 :::749                  :::*                    LISTEN      2061/kadmind
    tcp6       0      0 :::80                   :::*                    LISTEN      2104/lighttpd
    tcp6       0      0 :::464                  :::*                    LISTEN      2061/kadmind
    tcp6       0      0 :::22                   :::*                    LISTEN      2266/sshd
    tcp6       0      0 :::636                  :::*                    LISTEN      2191/slapd
    tcp6       0      0 :::389                  :::*                    LISTEN      2191/slapd
    udp        0      0 0.0.0.0:464             0.0.0.0:*                           2061/kadmind
    udp        0      0 0.0.0.0:750             0.0.0.0:*                           2809/krb5kdc
    udp        0      0 0.0.0.0:750             0.0.0.0:*                           2035/krb5kdc
    udp        0      0 0.0.0.0:12321           0.0.0.0:*                           2363/perl
    udp        0      0 0.0.0.0:88              0.0.0.0:*                           2809/krb5kdc
    udp        0      0 0.0.0.0:88              0.0.0.0:*                           2035/krb5kdc
    udp        0      0 10.5.126.24:123         0.0.0.0:*                           2133/ntpd
    udp        0      0 127.0.0.1:123           0.0.0.0:*                           2133/ntpd
    udp        0      0 0.0.0.0:123             0.0.0.0:*                           2133/ntpd
    udp6       0      0 fe80::20c:29ff:fe03:750 :::*                                2809/krb5kdc
    udp6       0      0 fe80::20c:29ff:fe03::88 :::*                                2809/krb5kdc
    udp6       0      0 fe80::20c:29ff:fe03:123 :::*                                2133/ntpd
    udp6       0      0 ::1:123                 :::*                                2133/ntpd
    udp6       0      0 :::123                  :::*                                2133/ntpd
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING     5645     2191/slapd          /var/run/slapd/ldapi
    unix  2      [ ACC ]     STREAM     LISTENING     5431     2009/acpid          /var/run/acpid.socket
    unix  2      [ ACC ]     STREAM     LISTENING     5535     2106/php-cgi        /var/run/lighttpd/php.socket-0
    unix  2      [ ACC ]     SEQPACKET  LISTENING     3311     324/udevd           /run/udev/control

The text

    Cannot resolve network address for admin server

suggests that your DNS is not fully configured.

What do the DNS entries on your network show? I.e., which addresses have you configured on your internal network for kdc1.ixsystems.com and krb.ixsystems.com? (Is the name server running on this machine or on another one?)

For example, Google's DNS shows ixsystems.com at 64.71.187.9.

Also, the second [realms] and [domain_realm] headers in your configuration are unnecessary.

It seems to me that your kadmin tool cannot find its admin server. The DNS message you get is most likely because kadmin tries to find its admin server via the DNS service records, which are currently not in use:

    _kerberos-adm._tcp
        This should list port 749 on your master KDC. Support for it is not complete at this time, but it will eventually be used by the kadmin program and related utilities. For now, you will also need the admin_server entry in krb5.conf.

Since you have configured an admin server in your krb5.conf, this is probably a problem with your DNS.

Your /etc/hosts contains

    10.5.126.24:464 krb.ixsystems.com

That port notation is wrong AFAIK, and even if it were not, you need port 749 (TCP) for kadmin.

So remove the :464 and try again.

I strongly suggest using a DNS server together with Kerberos; you will run into more trouble keeping hosts files in sync than setting up bind, dnsmasq or pdns…
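The two answers above boil down to three mechanical checks: duplicate section headers in krb5.conf, realm servers (kdc / admin_server) that nothing resolves, and hosts(5) lines carrying a ":port" suffix. The following Python script, added here as an example and not part of the thread, performs those checks offline against constructed sample input abridged from the poster's files; the function names and the finding messages are my own.

```python
"""Offline checks for a krb5.conf [realms] section and /etc/hosts.
Added example, not code from the thread; sample inputs are constructed
(abridged from the poster's files) and all function names are mine."""
import re

# Constructed sample: the poster's /etc/hosts, abridged, with the ':464' bug.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
10.5.126.24:464 krb.ixsystems.com
::1     ip6-localhost ip6-loopback
"""

# Constructed sample: the poster's krb5.conf, abridged, with the duplicate [realms].
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = IXSYSTEMS.COM
[realms]
    IXSYSTEMS.COM = {
        kdc = kdc1.ixsystems.com
        admin_server = krb.ixsystems.com
    }
[domain_realm]
    .ixsystems.com = IXSYSTEMS.COM
[realms]
    IXSYSTEMS.COM = {
        kdc = kdc1.ixsystems.com
        admin_server = krb.ixsystems.com
    }
"""


def parse_hosts(text):
    """Return (name -> address, problems). An IPv4 address with a ':port' suffix is
    reported and the port dropped; bare IPv6 addresses contain ':' and are left alone."""
    names, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        addr, hostnames = fields[0], fields[1:]
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}:\d+", addr):
            problems.append(f"hosts line {lineno}: port suffix on address {addr!r}")
            addr = addr.rsplit(":", 1)[0]
        for name in hostnames:
            names[name.lower()] = addr
    return names, problems


def parse_krb5_conf(text):
    """Return (realm -> {'kdc': [...], 'admin_server': [...]}, problems).
    Only [realms] stanzas are interpreted; a header seen twice is reported."""
    realms, problems, seen = {}, [], {}
    section = realm = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            seen[section] = seen.get(section, 0) + 1
            if seen[section] == 2:
                problems.append(f"krb5.conf line {lineno}: duplicate [{section}] header")
            continue
        if section != "realms":
            continue
        opener = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if opener:                       # 'REALM = {' starts a stanza
            realm = opener.group(1)
            realms.setdefault(realm, {"kdc": [], "admin_server": []})
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("kdc", "admin_server"):
                realms[realm][key].append(value)
    return realms, problems


def check_realms(realms, hosts):
    """Report realm servers that the hosts table cannot resolve."""
    problems = []
    for realm, servers in realms.items():
        if not servers["admin_server"]:
            problems.append(f"{realm}: no admin_server; kadmin would need a "
                            "_kerberos-adm._tcp SRV record instead")
        for key in ("kdc", "admin_server"):
            for entry in servers[key]:
                host = re.sub(r":\d+$", "", entry)   # 'kdc = host:88' is legal here
                if host.lower() not in hosts:
                    problems.append(f"{realm}: {key} {host!r} is not in /etc/hosts, "
                                    "so it must resolve via DNS")
    return problems


def audit(krb5_text, hosts_text):
    """Run every check; dedupe, since a duplicated stanza repeats its findings."""
    hosts, problems = parse_hosts(hosts_text)
    realms, conf_problems = parse_krb5_conf(krb5_text)
    return list(dict.fromkeys(problems + conf_problems + check_realms(realms, hosts)))


if __name__ == "__main__":
    for finding in audit(SAMPLE_KRB5_CONF, SAMPLE_HOSTS):
        print(finding)
```

Run against the sample input it reports the ":464" suffix on the krb.ixsystems.com line, the second [realms] header, and that kdc1.ixsystems.com appears nowhere in the hosts table and therefore depends on DNS; with the port suffix removed the hosts check comes back clean. To use it on a real machine, read the two files and pass their contents to audit().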