Проблема аутентификации Kerberos - PullRequest

Пожалуйста, помогите понять, что я делаю не так.

Попытка подключения через kerberos:

kadmin -p root/admin
Password for root/admin@KRB5.COM: 
kadmin: Incorrect password while initializing kadmin interface

В логах KDC:

Mar 22 13:26:35 server1.com krb5kdc[4015](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) ::1: SERVER_NOT_FOUND: root/admin@KRB5.COM for kadmin/localhost@KRB5.COM, Server not found in Kerberos database
Mar 22 13:26:55 server1.com krb5kdc[4015](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) ::1: ISSUE: authtime 1553275615, etypes {rep=18 tkt=18 ses=18}, root/admin@KRB5.COM for kadmin/admin@KRB5.COM

Но почему? Я создал этот хост и пользователя следующим образом:

kadmin.local: addprinc -randkey server1.com/krb5.com
kadmin.local: ktadd server1.com/krb5.com
kadmin.local: addprinc root/admin
kadmin.local: ktadd root/admin

Что я пропустил?

Конфиги krb5.conf:

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = KRB5.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 KRB5.COM = {
  kdc = server1.com
  admin_server = server1.com
 }

[domain_realm]
 .krb5.com = KRB5.COM
 krb5.com = KRB5.COM

kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 KRB5.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

kadmin.acl

*/admin@KRB5.COM    *

P.S. Имя хоста — server1.com. P.P.S. В файле hosts добавила запись для localhost / server1.com.
