web-dev-qa-db-ja.com

Microsoft Active Directoryke​​rberosが不明なプリンシパルを返します

Microsoft ActiveDirectoryがKerberosサーバーとして機能しているkbr5pnfsマウントのホストを認証しようとしています。

Sudo kinit -k -t /etc/krb5.keytab Host/[email protected]
kinit: Client 'Host/[email protected]' not found in Kerberos database while getting initial credentials

ただし、Active Directoryでは、次のコマンドが機能します

PS C:\Program Files\vmware\VMware OVF Tool> setspn -l ROBODAROBODA
Registered ServicePrincipalNames for CN=ROBODAROBODA,CN=Computers,DC=example,DC=com:
        Host/[email protected]
        Host/robodaroboda.example.com
        Host/ROBODAROBODA

パケットトレースでは、不明なプリンシパルエラーが観察されます。リクエスト:

    Kerberos AS-REQ
        Record Mark: 202 bytes
            0... .... .... .... .... .... .... .... = Reserved: Not set
            .000 0000 0000 0000 0000 0000 1100 1010 = Record Length: 202
        Pvno: 5
        MSG Type: AS-REQ (10)
        padata: Unknown:149
            Type: Unknown (149)
                Value: <MISSING>
        KDC_REQ_BODY
            Padding: 0
            KDCOptions: 00000010 (Renewable OK)
                .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
                ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
                ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
                .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
                .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
                .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
                .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
                .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
                .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
                .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
                .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
                .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
                .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt using the skey
                .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
                .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
 Client Name (Principal): Host/ROBODAROBODA
            Name-type: Principal (1)
            Name: Host
            Name: ROBODAROBODA
            Server Name (Service and Instance): krbtgt/EXAMPLE.COM
                Name-type: Service and Instance (2)
                Name: krbtgt
                Name: EXAMPLE.COM
            till: 2020-04-05 18:37:06 (UTC)
            Nonce: 407713677
            Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des-cbc-md5-nt 19 des3-cbc-sha1 rc4-hmac 25 26
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                Encryption type: aes128-cts-hmac-sha1-96 (17)
                Encryption type: des-cbc-md5-nt (20)
                Encryption type: Unknown (19)
                Encryption type: des3-cbc-sha1 (16)
                Encryption type: rc4-hmac (23)
                Encryption type: Unknown (25)
                Encryption type: Unknown (26)

応答:

Kerberos KRB-ERROR
    Record Mark: 112 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 0111 0000 = Record Length: 112
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2020-04-04 18:37:06 (UTC)
    susec: 931508
    error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6)
    Realm: EXAMPLE.COM
    Server Name (Service and Instance): krbtgt/EXAMPLE.COM
        Name-type: Service and Instance (2)
        Name: krbtgt
        Name: EXAMPLE.COM

不明なプリンシパルエラーが表示される理由を誰かが理解するのを手伝ってくれませんか?

1
suresh

マシンアカウントのUserPrincipalName属性にHost/[email protected]を追加した後の問題。 kinitは機能しています。

0
suresh