LINUX.ORG.RU

freeipa+kerberos: obtaining a ticket


Hello. I have a problem obtaining a Kerberos ticket for the domain administrator admin@MY.DOM via a keytab file.

First I added a key for admin to the keytab with ktutil by running

root@servfripa:~# ktutil
ktutil:  rkt /etc/krb5.keytab
ktutil:  addent -password -p admin@MY.DOM -k 1 -e aes256-cts
After that I entered the password when prompted, then I saved it to the file /etc/krb5.keytab
root@servfripa:~# ktutil 
ktutil:  rkt /etc/krb5.keytab 
ktutil:  l 
slot KVNO Principal 
---- ---- --------------------------------------------------------------------- 
  1    2             host/servfripa.my.dom@MY.DOM 
  2    1                             admin@MY.DOM
ktutil:  rkt /etc/krb5.keytab  
ktutil:  l -e 
slot KVNO Principal 
---- ---- --------------------------------------------------------------------- 
  1    2             host/servfripa.my.dom@MY.DOM (aes256-cts-hmac-sha1-96)  
  2    1                             admin@MY.DOM (aes256-cts-hmac-sha1-96)  
ktutil:
The problem is the following: when I run
 kinit -f admin@MY.DOM
and enter the password manually, I get a ticket. But if I run
kinit -f admin@MY.DOM -k
I get the error kinit: Preauthentication failed while getting initial credentials. I can't figure out what the problem is, since when I created the keytab entry I entered the correct password, as it is very simple for testing. Here is the verbose output:
root@servfripa:~# KRB5_TRACE="/dev/stdout" kinit -f admin@MY.DOM -k 
[2350] 1626851868.893962: Getting initial credentials for admin@MY.DOM 
[2350] 1626851868.903866: Looked up etypes in keytab: aes256-cts 
[2350] 1626851868.904208: Sending request (159 bytes) to MY.DOM 
[2350] 1626851868.904791: Initiating TCP connection to stream 192.168.0.20:88 
[2350] 1626851868.905166: Sending TCP request to stream 192.168.0.20:88 
[2350] 1626851868.911604: Received answer (284 bytes) from stream 192.168.0.20:88 
[2350] 1626851868.911656: Terminating TCP connection to stream 192.168.0.20:88 
[2350] 1626851868.911899: Response was from master KDC 
[2350] 1626851868.912014: Received error from KDC: -1765328359/Additional pre-authentication required 
[2350] 1626851868.912099: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133 
[2350] 1626851868.912114: Selected etype info: etype aes256-cts, salt "ZuWWT&U'8N#Hh\F<", params "" 
[2350] 1626851868.912157: Received cookie: MIT 
[2350] 1626851868.912183: PKINIT client has no configured identity; giving up 
[2350] 1626851868.912255: Preauth module pkinit (147) (info) returned: 0/Success 
[2350] 1626851868.912298: PKINIT client has no configured identity; giving up 
[2350] 1626851868.912313: Preauth module pkinit (16) (real) returned: 22/Недопустимый аргумент 
[2350] 1626851868.912326: PKINIT client has no configured identity; giving up 
[2350] 1626851868.912334: Preauth module pkinit (14) (real) returned: 22/Недопустимый аргумент 
[2350] 1626851868.912347: PKINIT client has no configured identity; giving up 
[2350] 1626851868.912356: Preauth module pkinit (14) (real) returned: 22/Недопустимый аргумент 
[2350] 1626851868.912434: Retrieving admin@MY.DOM from FILE:/etc/krb5.keytab (vno 0, enctype aes256-cts) with result: 0/Success 
[2350] 1626851868.912489: AS key obtained for encrypted timestamp: aes256-cts/1735 
[2350] 1626851868.912588: Encrypted timestamp (for 1626851868.911708): plain 301AA011180F32303231303732313037313734385AA10502030DE95C, encrypted 61DB80C38CB72434C69FD73CD4CC642F16B20299A928E67E3FBD8DAEEC449304F08FE5CEF9AA5E3129A18E141B678192E341086C5A722FEC 
[2350] 1626851868.912607: Preauth module encrypted_timestamp (2) (real) returned: 0/Success 
[2350] 1626851868.912614: Produced preauth for next request: 133, 2 
[2350] 1626851868.912632: Sending request (252 bytes) to MY.DOM 
[2350] 1626851868.912736: Initiating TCP connection to stream 192.168.0.20:88 
[2350] 1626851868.912926: Sending TCP request to stream 192.168.0.20:88 
[2350] 1626851868.922303: Received answer (284 bytes) from stream 192.168.0.20:88 
[2350] 1626851868.922353: Terminating TCP connection to stream 192.168.0.20:88 
[2350] 1626851868.922463: Response was from master KDC 
[2350] 1626851868.922635: Received error from KDC: -1765328360/Preauthentication failed 
[2350] 1626851868.922667: Preauth tryagain input types: 16, 14, 14, 136, 19, 147, 2, 133 
kinit: Preauthentication failed while getting initial credentials 
root@servfripa:~#
What could be wrong?
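
An added diagnostic example, not part of the original post: it reads the "Selected etype info" line from a KRB5_TRACE log and compares the salt the KDC advertises with the RFC 4120 default salt (realm followed by the principal's name components). MIT ktutil's `addent -password` derives the key with the default salt unless one is supplied (`-s salt` or `-f` in krb5 1.17 and later). The function names and the placeholder password are assumptions for illustration.

```python
import hashlib
import re

# Constructed sample: the relevant line copied from the trace in the post.
TRACE = r'''[2350] 1626851868.912114: Selected etype info: etype aes256-cts, salt "ZuWWT&U'8N#Hh\F<", params ""'''

ETYPE_INFO = re.compile(r'Selected etype info: etype (\S+), salt "(.*)", params "(.*)"')


def default_salt(principal):
    """RFC 4120 default salt: realm, then the name components, no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def kdc_salt(trace):
    """Return (etype, salt) from the first 'Selected etype info' line, or None."""
    m = ETYPE_INFO.search(trace)
    return (m.group(1), m.group(2)) if m else None


def pbkdf2_stage(password, salt, iterations=4096):
    """First stage of RFC 3962 string-to-key for aes256-cts-hmac-sha1-96.

    The final key is DK(this value, "kerberos"), so two different values
    here always yield two different long-term keys.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), iterations, 32)


def check(principal, trace, password="example-password"):
    """Compare the KDC-advertised salt with the default one (placeholder password)."""
    info = kdc_salt(trace)
    if info is None:
        raise ValueError("no 'Selected etype info' line in trace")
    etype, salt = info
    expected = default_salt(principal)
    return {
        "etype": etype,
        "kdc_salt": salt,
        "default_salt": expected,
        "salt_matches": salt == expected,
        "keys_match": pbkdf2_stage(password, salt) == pbkdf2_stage(password, expected),
    }


if __name__ == "__main__":
    for field, value in check("admin@MY.DOM", TRACE).items():
        print(f"{field}: {value}")
```

When `salt_matches` is false, a keytab entry built from the password with the default salt holds a different key from the one the KDC stores, even though the password is the same.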
