%EB%8A%94%20%EA%B0%80%EB%8A%A5%ED%95%A9%EB%8B%88%EB%8B%A4..png)
SSH를 수행할 때 Kerberos 자격 증명을 인증하려고 시도했지만 실패했습니다.~에서Windows Server 2019 도메인에 가입된 Windows 11 클라이언트(라고 부르겠습니다 AD.LOCAL)에게FreeIPA가 관리하는 도메인에 가입된 Linux 호스트(라고 부르겠습니다 IPA.LOCAL).
나는 이미 "포리스트" 신뢰로 설정된 신뢰 관계를 갖고 있으며 문제를 분석하기 위해 클라이언트(Linux로) 또는 대상(동일한 도메인의 호스트로)을 변경하면 작동하는지 확인했습니다.
문제를 설명하기 위해 간결성을 위해 명령 출력을 다듬고 호스트와 IP를 익명화했습니다.
❌ 보낸 사람윈도우에게IPA주인:
PS C:\Users\user> ssh -v -K -l [email protected] host02.ipa.local
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
...
debug1: Authenticating to host02.ipa.local:22 as '[email protected]'
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: GSS_S_FAILURE
debug1: Next authentication method: publickey
...
✅ 보낸 사람윈도우에게기원 후주인:
PS C:\Users\user> ssh -v -K -l [email protected] host01.ad.local
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
...
debug1: Authenticating to host01.ad.local:22 as '[email protected]'
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: sspi delegation was requested but not fulfilled
debug1: Delegating credentials
debug1: sspi delegation was requested but not fulfilled
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to host01.ad.local ([192.168.0.62]:22).
...
✅ 보낸 사람리눅스에게IPA주인:
$ ssh -v -K -l [email protected] host02.ipa.local
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
...
debug1: Authenticating to host02.ipa.local:22 as '[email protected]'
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to host02.ipa.local ([192.168.0.181]:22).
...
✅ 보낸 사람리눅스에게기원 후주인:
$ ssh -v -K -l [email protected] host01.ad.local
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
...
debug1: Authenticating to host01.ad.local:22 as '[email protected]'
...
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to host01.ad.local ([192.168.0.62]:22).
...
위 명령을 실행한 후 내 티켓은 다음과 같습니다.
윈도우 티켓:
PS C:\Users\user> klist
Current LogonId is 0:0xe934d3
Cached Tickets: (2)
#0> Client: user @ AD.LOCAL
Server: krbtgt/AD.LOCAL @ AD.LOCAL
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 6/17/2022 14:55:54 (local)
End Time: 6/18/2022 0:55:54 (local)
Renew Time: 6/24/2022 14:55:54 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called: dc02.ad.local
#1> Client: user @ AD.LOCAL
Server: host/host01.ad.local @ AD.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 6/17/2022 14:55:54 (local)
End Time: 6/18/2022 0:55:54 (local)
Renew Time: 6/24/2022 14:55:54 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: dc02.ad.local
리눅스 티켓:
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: [email protected]
Valid starting Expires Service principal
06/17/2022 14:31:40 06/18/2022 00:30:36 host/host02.ipa.local@
renew until 06/18/2022 14:30:34
Ticket server: host/[email protected]
06/17/2022 14:31:39 06/18/2022 00:30:36 krbtgt/[email protected]
renew until 06/18/2022 14:30:34
06/17/2022 14:31:09 06/18/2022 00:30:36 host/host01.ad.local@
renew until 06/18/2022 14:30:34
Ticket server: host/[email protected]
06/17/2022 14:30:36 06/18/2022 00:30:36 krbtgt/[email protected]
renew until 06/18/2022 14:30:34
그리고 완전성을 기하기 위해 Linux 상자에는 관심이 없으며 /etc/krb5.conf의도적으로 거의 모든 것을 주석 처리했습니다.
$ grep -v \# /etc/krb5.conf
[libdefaults]
default_ccache_name = KEYRING:persistent:%{uid}
OS 버전
Windows 클라이언트:
PS C:\Users\user> cmd /c ver
Microsoft Windows [Version 10.0.22000.675]
리눅스 클라이언트:
$ lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: Rocky
Description: Rocky Linux release 8.6 (Green Obsidian)
Release: 8.6
Codename: GreenObsidian
댓글에서 질문에 답변하려면 다음을 업데이트하세요.
윈도우고객:
$ klist get host/host02.ipa.local
Current LogonId is 0:0xe934d3
Error calling API LsaCallAuthenticationPackage (GetTicket substatus): 0x6fb
klist failed with 0xc000018b/-1073741429: The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
참고: 신뢰는 "외부" 유형으로 구성됩니다.
리눅스클라이언트에는 sssd가 전혀 설치되어 있지 않습니다.
$ rpm -qa sss\* | grep . ; echo $?
1
그러나 완전성을 위해:
$ env SSSD_KRB5_LOCATOR_DISABLE=1 kvno host/host02.ipa.local
kvno: Configuration file does not specify default realm while parsing principal name host/host02.ipa.local
이제 호스트 이름 자격 증명 확인과 관련하여 Linux 클라이언트 도구가 다르게 동작한다고 생각됩니다. 예를 들어 다음 명령은 원하는 자격 증명이 호스트 이름이라는 메시지를 받으면 성공하고 krbtgtAD.LOCAL에서 IPA.LOCAL을 가져온 다음 IPA.LOCAL 서버로 이동하여 티켓을 가져옵니다.
$ env SSSD_KRB5_LOCATOR_DISABLE=1 kvno -S host host02.ipa.local
host/host02.ipa.local@: kvno = 1
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: [email protected]
Valid starting Expires Service principal
06/20/2022 11:57:32 06/20/2022 21:56:38 host/host02.ipa.local@
renew until 06/21/2022 11:56:34
Ticket server: host/[email protected]
06/20/2022 11:57:32 06/20/2022 21:56:38 krbtgt/[email protected]
renew until 06/21/2022 11:56:34
06/20/2022 11:56:38 06/20/2022 21:56:38 krbtgt/[email protected]
renew until 06/21/2022 11:56:34
PS 신뢰를 "외부" 유형에서 "포리스트" 유형으로 업그레이드하면서 설명을 업데이트했습니다. 여전히 같은 문제입니다.