
We are migrating Active Directory from a Debian server to Ubuntu. LDAP (slapd), libnss, Kerberos, PAM and NFS have been set up. However, when a client tries to log in, the server reports Kerberos errors.
Kerberos was migrated by installing it via apt. We then copied the following from the old server to the new server: krb5.conf, krb5.keytab, the krb5kdc directory and the /var/lib/krb5kdc directory.
Sep 17 17:50:01 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.90: NEEDED_PREAUTH: n.dajnowski@CS for krbtgt/CS@CS, Additional pre-authentication required
Sep 17 17:50:01 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.90: ISSUE: authtime 1694973001, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, n.dajnowski@CS for krbtgt/CS@CS
Sep 17 17:50:01 cs2s krb5kdc[2383]: TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.90: ISSUE: authtime 1694973001, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, n.dajnowski@CS for host/cs2s.cs@CS
Sep 17 17:50:35 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.254: NEEDED_PREAUTH: test@CS for krbtgt/CS@CS, Additional pre-authentication required
Sep 17 17:50:35 cs2s krb5kdc[2383]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
Sep 17 17:50:35 cs2s krb5kdc[2383]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.0.254: PREAUTH_FAILED: test@CS for krbtgt/CS@CS, Preauthentication failed
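The client flashes a black screen and returns to the login prompt. We also tested this on the old server and received the following messages in the log for a successful login.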
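I did notice that the old server has cs2s.cs@CS rather than CS@CS. As I am relatively new to this technology, could anyone advise how to configure the new server correctly?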
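
An added example, not part of the original post: a small Python triage script for the krb5kdc log format shown above, which groups AS_REQ/TGS_REQ outcomes by client principal and address so that the normal NEEDED_PREAUTH then ISSUE exchange is separated from a PREAUTH_FAILED with no ticket issued. The sample lines are constructed from the post's log with the etype lists shortened, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the post's log lines with the etype lists shortened.
SAMPLE = """\
Sep 17 17:50:01 cs2s krb5kdc[2383]: AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.90: NEEDED_PREAUTH: n.dajnowski@CS for krbtgt/CS@CS, Additional pre-authentication required
Sep 17 17:50:01 cs2s krb5kdc[2383]: AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.90: ISSUE: authtime 1694973001, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, n.dajnowski@CS for krbtgt/CS@CS
Sep 17 17:50:01 cs2s krb5kdc[2383]: TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.90: ISSUE: authtime 1694973001, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, n.dajnowski@CS for host/cs2s.cs@CS
Sep 17 17:50:35 cs2s krb5kdc[2383]: AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.254: NEEDED_PREAUTH: test@CS for krbtgt/CS@CS, Additional pre-authentication required
Sep 17 17:50:35 cs2s krb5kdc[2383]: preauth (encrypted_timestamp) verify failure: Preauthentication failed
Sep 17 17:50:35 cs2s krb5kdc[2383]: AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.0.254: PREAUTH_FAILED: test@CS for krbtgt/CS@CS, Preauthentication failed
"""

# Request type, client address, status keyword, then the rest of the line.
LINE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" appears in every request line.
PRINCS = re.compile(r"(?P<client>\S+) for (?P<service>[^\s,]+)")


def summarize(log_text):
    """Count (request type, status) per (client principal, client address)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # e.g. the bare "preauth ... verify failure" line
        p = PRINCS.search(m["rest"])
        if p:
            summary[(p["client"], m["addr"])][(m["req"], m["status"])] += 1
    return summary


def failing(summary):
    """Clients with PREAUTH_FAILED (the encrypted timestamp did not verify
    against the key the KDC holds for the principal) and no TGT issued.
    NEEDED_PREAUTH alone is only the first leg of a normal login."""
    return sorted(k for k, c in summary.items()
                  if c[("AS_REQ", "PREAUTH_FAILED")] and not c[("AS_REQ", "ISSUE")])


if __name__ == "__main__":
    for principal, addr in failing(summarize(SAMPLE)):
        print(f"pre-authentication failing: {principal} from {addr}")
```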