Kerberos AES-256加密不起作用 [英] Kerberos aes-256 encryption not working
问题描述
服务器是RHEL7,Kerberos是AD(Windows).我只是KDC的客户.
Server is a RHEL7, Kerberos is AD (Windows). I'm only client of KDC.
Arcfour-hmac可以正常工作,但是当我将加密类型更改为aes-256并设置新的密钥表时,kinit仍然可以工作,但kvno不能.即使用户似乎在klist中拥有有效的票证,他也无法启动服务.
Arcfour-hmac works fine but when I change encryption type to aes-256 and set up a new keytab, kinit still works, but not kvno. And even if the user seems to have a valid ticket (in klist) he is not able to start services anymore.
我无权访问Kerberos AD,但似乎已正确配置为使用aes-256,因为最终用户(在Windows计算机上)已经请求了这种加密类型的票证.
I don't have access to the Kerberos AD, but it seems properly configured to use aes-256, because end users (on Windows computers) already request tickets in this encryption type.
我的krb5.conf:
My krb5.conf :
[libdefaults]
default_realm = TOTO.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
[realms]
TOTO.NET = {
kdc = kdc1.toto.net
kdc = kdc2.toto.net
admin_server = kdc1.toto.net
}
[domain_realm]
.toto.net = TOTO.NET
toto.net = TOTO.NET
这是我尝试用kvno购票时遇到的错误:
And here the errors I got when I try to acquire a ticket with kvno :
[2477332] 1493147723.961912: Getting credentials myuser@TOTO.NET -> nn/myserver@TOTO.NET using ccache FILE:/tmp/krb5cc_0
[2477332] 1493147723.962055: Retrieving myuser@TOTO.NET -> nn/myserver@TOTO.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[2477332] 1493147723.962257: Retrieving myuser@TOTO.NET -> krbtgt/TOTO.NET@TOTO.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[2477332] 1493147723.962267: Starting with TGT for client realm: myuser@TOTO.NET -> krbtgt/TOTO.NET@TOTO.NET
[2477332] 1493147723.962274: Requesting tickets for nn/myserver@TOTO.NET, referrals on
[2477332] 1493147723.962309: Generated subkey for TGS request: aes256-cts/17DF
[2477332] 1493147723.962363: etypes requested in TGS request: aes256-cts, aes128-cts
[2477332] 1493147723.962504: Encoding request body and padata into FAST request
[2477332] 1493147723.962575: Sending request (1716 bytes) to TOTO.NET
[2477332] 1493147723.962725: Resolving hostname kdc1.TOTO.NET
[2477332] 1493147723.963054: Initiating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147723.964205: Sending TCP request to stream ip_of_kdc1:88
[2477332] 1493147724.3751: Received answer (329 bytes) from stream ip_of_kdc1:88
[2477332] 1493147724.3765: Terminating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147724.3846: Response was not from master KDC
[2477332] 1493147724.3879: Decoding FAST response
[2477332] 1493147724.3965: TGS request result: -1765328370/KDC has no support for encryption type
klist -ket mykeytab
klist -ket mykeytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 01/01/1970 01:00:00 nn/myserver01@TOTO.NET (aes256-cts-hmac-sha1-96)
1 03/22/2017 16:34:55 nn/myserver02@TOTO.NET (aes256-cts-hmac-sha1-96)
感谢您的帮助
推荐答案
请您的AD管理员在与密钥表关联的AD帐户上启用对AES-256加密类型的支持.要找到该帐户,请运行以下命令:
Ask your AD administrator to enable support for AES-256 encryption types on the AD account associated with the keytab. To find that account, run this command:
setspn -Q nn/myserver01@TOTO.NET
输出将告诉您帐户名称.它将以CN = xxx开头,其中"xxx"是AD帐户的名称.要在AD帐户上启用对AES-256加密类型的支持,请告知您的AD管理员必须选中此帐户支持Kerberos AES 256位加密"复选框,并且该复选框始终位于帐户"选项卡的底部.
the output will tell you the name of the account. It will start with CN=xxx, where "xxx" is the name of the AD account. To enable support for AES-256 encryption types on the AD account, tell your AD admin that the checkbox "This account supports Kerberos AES 256 bit encryption" must be checked, and that is found under Account tab, all the way at the bottom.
这篇关于Kerberos AES-256加密不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
