I am trying to authenticate the host for a krb5p NFS mount, with Microsoft Active Directory acting as the Kerberos server.
sudo kinit -k -t /etc/krb5.keytab Host/[email protected]
kinit: Client 'Host/[email protected]' not found in Kerberos database while getting initial credentials
However, on the Active Directory side the following command works:
PS C:\Program Files\vmware\VMware OVF Tool> setspn -l ROBODAROBODA
Registered ServicePrincipalNames for CN=ROBODAROBODA,CN=Computers,DC=example,DC=com:
Host/[email protected]
Host/robodaroboda.example.com
Host/ROBODAROBODA
In the packet trace the unknown principal error is observed. Request:
Kerberos AS-REQ
Record Mark: 202 bytes
0... .... .... .... .... .... .... .... = Reserved: Not set
.000 0000 0000 0000 0000 0000 1100 1010 = Record Length: 202
Pvno: 5
MSG Type: AS-REQ (10)
padata: Unknown:149
Type: Unknown (149)
Value: <MISSING>
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000010 (Renewable OK)
.0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
.... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
.... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt using the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
Client Name (Principal): Host/ROBODAROBODA
Name-type: Principal (1)
Name: Host
Name: ROBODAROBODA
Server Name (Service and Instance): krbtgt/EXAMPLE.COM
Name-type: Service and Instance (2)
Name: krbtgt
Name: EXAMPLE.COM
till: 2020-04-05 18:37:06 (UTC)
Nonce: 407713677
Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5-nt 19 des3-cbc-sha1 rc4-hmac 25 26
Encryption type: aes256-cts-hmac-sha1-96 (18)
Encryption type: aes128-cts-hmac-sha1-96 (17)
Encryption type: des-cbc-md5-nt (20)
Encryption type: Unknown (19)
Encryption type: des3-cbc-sha1 (16)
Encryption type: rc4-hmac (23)
Encryption type: Unknown (25)
Encryption type: Unknown (26)
Response:
Kerberos KRB-ERROR
Record Mark: 112 bytes
0... .... .... .... .... .... .... .... = Reserved: Not set
.000 0000 0000 0000 0000 0000 0111 0000 = Record Length: 112
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2020-04-04 18:37:06 (UTC)
susec: 931508
error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
Realm: EXAMPLE.COM
Server Name (Service and Instance): krbtgt/EXAMPLE.COM
Name-type: Service and Instance (2)
Name: krbtgt
Name: EXAMPLE.COM
Can someone help me understand why I am getting the unknown principal error?
Issue resolved after adding Host/[email protected] to the UserPrincipalName attribute of the machine account. kinit is working.
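As an added example that is not part of the original question or answer, the following PowerShell snippet inspects the attributes the answer refers to (the SPNs that `setspn -l` lists live in `servicePrincipalName`, while the answer's fix sets `userPrincipalName`) and applies the same fix with the ActiveDirectory module. It assumes the RSAT ActiveDirectory module is installed, reuses the computer name ROBODAROBODA and realm EXAMPLE.COM from the post, and must be run by an account allowed to modify computer objects.

```powershell
# Added example (not from the original post): inspect and repair the machine
# account's Kerberos name attributes with the ActiveDirectory module.
# Assumptions: RSAT ActiveDirectory module is available; computer name and
# realm are taken from the post; the caller may modify computer objects.
Import-Module ActiveDirectory

$computerName  = 'ROBODAROBODA'
$realm         = 'EXAMPLE.COM'
$hostPrincipal = "Host/${computerName}@${realm}"

# Read the three name attributes that are relevant to a KDC lookup.
$computer = Get-ADComputer -Identity $computerName `
    -Properties sAMAccountName, userPrincipalName, servicePrincipalName

[PSCustomObject]@{
    sAMAccountName       = $computer.sAMAccountName          # e.g. ROBODAROBODA$
    userPrincipalName    = $computer.userPrincipalName       # empty before the fix
    servicePrincipalName = ($computer.servicePrincipalName -join ', ')  # what setspn -l shows
}

# Apply the fix described in the answer: put the Host/ principal into
# userPrincipalName. Skip the write if it is already set to that value.
if ($computer.userPrincipalName -ne $hostPrincipal) {
    Set-ADComputer -Identity $computerName -UserPrincipalName $hostPrincipal
    Write-Host "Set userPrincipalName to $hostPrincipal"
} else {
    Write-Host "userPrincipalName already set to $hostPrincipal"
}

# Re-read the object to confirm the attribute now holds the expected value.
$verified = (Get-ADComputer -Identity $computerName -Properties userPrincipalName).userPrincipalName
if ($verified -eq $hostPrincipal) {
    Write-Host "Verified: $verified"
} else {
    Write-Warning "userPrincipalName is '$verified', expected '$hostPrincipal'"
}
```

After the attribute is set, re-run the `kinit -k -t /etc/krb5.keytab Host/...` command from the question on the Linux host and check with `klist` that a TGT for that principal was obtained.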