
kinit with a keytab fails, while kinit with a password succeeds

Unix & Linux user
Asked on 2019-02-21 15:43:34
1 answer, 5.7K views, 0 followers, 1 vote

I am facing a strange problem configuring KRB5 on Ubuntu 16.04 with a Windows 2012 DC as the KDC. Calling kinit with a service AD account succeeds if the password is supplied at kinit's password prompt, but it fails when a keytab file containing the same password is used. Of course, the simplest explanation is that the password in the keytab file is wrong. But this file is generated automatically, and keytabs generated by the same code work in another environment. Nevertheless, I generated new keytab files by hand several times, and also generated a keytab file on Windows with ktpass (you can supply the password to ktpass on the command line), to rule out any password-related problem. The result, however, is always the same: authentication with the keytab file does not work.

I suspect the problem is related to some setting on the Windows DC, but I don't know where to look.

Authenticating with the password succeeds:

root@my-server / # KRB5_TRACE=/dev/stdout kinit -V service_user                                                                      :(
Using default cache: /tmp/krb5cc_0
Using principal: service_user@DOMAIN.INT
[3880] 1550161945.213705: Getting initial credentials for service_user@DOMAIN.INT
[3880] 1550161945.213896: Sending request (194 bytes) to DOMAIN.INT
[3880] 1550161945.214051: Sending initial UDP request to dgram 192.168.0.1:88
[3880] 1550161945.215117: Received answer (190 bytes) from dgram 192.168.0.1:88
[3880] 1550161945.215158: Response was from master KDC
[3880] 1550161945.215184: Received error from KDC: -1765328359/Additional pre-authentication required
[3880] 1550161945.215225: Processing preauth types: 16, 15, 19, 2
[3880] 1550161945.215243: Selected etype info: etype aes256-cts, salt "DOMAIN.INTrmcloudmember", params ""
Password for service_user@DOMAIN.INT:
[3880] 1550161955.687314: AS key obtained for encrypted timestamp: aes256-cts/0FBD
[3880] 1550161955.687371: Encrypted timestamp (for 1550161956.151464): plain 301AA011180F32303139303231343136333233365AA1050203024FA8, encrypted 9B8C1FB7CC85C23D0D803DCF2C29655D329628F98C505CEBE8EA1F3353D8D513CFAE25C1E146D74C5C4FE71326FCF12F6ED911FBC2B14FE2
[3880] 1550161955.687398: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[3880] 1550161955.687404: Produced preauth for next request: 2
[3880] 1550161955.687430: Sending request (274 bytes) to DOMAIN.INT
[3880] 1550161955.687522: Sending initial UDP request to dgram 192.168.0.1:88
[3880] 1550161955.695617: Received answer (94 bytes) from dgram 192.168.0.1:88
[3880] 1550161955.695671: Response was from master KDC
[3880] 1550161955.695690: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[3880] 1550161955.695696: Request or response is too big for UDP; retrying with TCP
[3880] 1550161955.695701: Sending request (274 bytes) to DOMAIN.INT (tcp only)
[3880] 1550161955.695731: Initiating TCP connection to stream 192.168.0.1:88
[3880] 1550161955.696053: Sending TCP request to stream 192.168.0.1:88
[3880] 1550161955.697043: Received answer (1831 bytes) from stream 192.168.0.1:88
[3880] 1550161955.697053: Terminating TCP connection to stream 192.168.0.1:88
[3880] 1550161955.697089: Response was from master KDC
[3880] 1550161955.697117: Processing preauth types: 19
[3880] 1550161955.697127: Selected etype info: etype aes256-cts, salt "DOMAIN.INTdomainmember", params ""
[3880] 1550161955.697143: Produced preauth for next request: (empty)
[3880] 1550161955.697152: AS key determined by preauth: aes256-cts/0FBD
[3880] 1550161955.697201: Decrypted AS reply; session key is: aes256-cts/DD7B
[3880] 1550161955.697220: FAST negotiation: unavailable
[3880] 1550161955.697239: Initializing FILE:/tmp/krb5cc_0 with default princ service_user@DOMAIN.INT
[3880] 1550161955.697329: Storing service_user@DOMAIN.INT -> krbtgt/DOMAIN.INT@DOMAIN.INT in FILE:/tmp/krb5cc_0
[3880] 1550161955.697364: Storing config in FILE:/tmp/krb5cc_0 for krbtgt/DOMAIN.INT@DOMAIN.INT: pa_type: 2
[3880] 1550161955.697394: Storing service_user@DOMAIN.INT -> krb5_ccache_conf_data/pa_type/krbtgt\/DOMAIN.INT\@DOMAIN.INT@X-CACHECONF: in FILE:/tmp/krb5cc_0
Authenticated to Kerberos v5

Authenticating with the keytab file fails:

root@my-server / # KRB5_TRACE=/dev/stdout kinit -V -k -t /etc/krb5/service_user.keytab service_user
Using default cache: /tmp/krb5cc_0
Using principal: service_user@DOMAIN.INT
Using keytab: /etc/krb5/service_user.keytab
[3844] 1550161914.505633: Getting initial credentials for service_user@DOMAIN.INT
[3844] 1550161914.505787: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes256-cts, aes128-cts
[3844] 1550161914.505838: Sending request (194 bytes) to DOMAIN.INT
[3844] 1550161914.505972: Sending initial UDP request to dgram 192.168.0.1:88
[3844] 1550161914.507116: Received answer (190 bytes) from dgram 192.168.0.1:88
[3844] 1550161914.507146: Response was from master KDC
[3844] 1550161914.507170: Received error from KDC: -1765328359/Additional pre-authentication required
[3844] 1550161914.507199: Processing preauth types: 16, 15, 19, 2
[3844] 1550161914.507216: Selected etype info: etype aes256-cts, salt "DOMAIN.INTdomainmember", params ""
[3844] 1550161914.507263: Retrieving service_user@DOMAIN.INT from FILE:/etc/krb5/service_user.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[3844] 1550161914.507280: AS key obtained for encrypted timestamp: aes256-cts/3ABA
[3844] 1550161914.507329: Encrypted timestamp (for 1550161914.976630): plain 301AA011180F32303139303231343136333135345AA10502030EE6F6, encrypted BD37FD997AD3BB56EA1893F99CDCDC7AF49964AC65E686316BE58F545609C3EE15E5753D57B9812794EB480E7F3D2B61613B2F9518DB5841
[3844] 1550161914.507344: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[3844] 1550161914.507353: Produced preauth for next request: 2
[3844] 1550161914.507371: Sending request (274 bytes) to DOMAIN.INT
[3844] 1550161914.507407: Sending initial UDP request to dgram 192.168.0.1:88
[3844] 1550161914.513601: Received answer (156 bytes) from dgram 192.168.0.1:88
[3844] 1550161914.513649: Response was from master KDC
[3844] 1550161914.513665: Received error from KDC: -1765328360/Preauthentication failed
[3844] 1550161914.513684: Preauth tryagain input types: 16, 15, 19, 2
kinit: Preauthentication failed while getting initial credentials

Update 2019-09-02: I did not find a solution; I switched to piping the password into kinit.

1 Answer

Unix & Linux user

Posted on 2019-09-05 09:38:17

I was facing the same problem. The root cause was that the Kerberos server only supports the rc4-hmac encryption type.

Solution: in ktutil, use

ktutil: addent -password -p foo@bar -k 0 -e rc4-hmac
Password for foo@bar:
ktutil: wkt foo.keytab
ktutil: quit

kinit -kt foo.keytab foo

This worked for me. If it does not work for you, try all the different encryption types one at a time.

2 votes
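Both the question's trace ("Looked up etypes in keytab: ...", "vno 0") and the answer's advice to try enctypes one at a time come down to what is actually stored in the keytab. The following parser and audit function are an added example, not code from the post or from MIT Kerberos; the keytab bytes are constructed inline (principal borrowed from the question, keys are dummy values) so it runs offline, and the audit flags kvno 0, weak enctypes, and the absence of a key for the enctype the KDC selected in its etype-info.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
WEAK = {1, 3, 23}                      # single DES and RC4 keys

def _cstr(b, off):                     # counted octet string: uint16 length + bytes
    n, = struct.unpack_from(">H", b, off)
    return b[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """One dict per entry of a version 0x0502 keytab; key bytes are never exposed."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        size, = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                   # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        ncomp, = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        vno, etype, klen = struct.unpack_from(">8xBHH", data, off)
        off += 13 + klen               # name_type(4) timestamp(4) vno8(1) etype(2) keylen(2) + key
        if end - off >= 4:             # optional 32-bit kvno overrides vno8
            vno, = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "etype": ENCTYPES.get(etype, str(etype)),
                        "weak": etype in WEAK})
        off = end
    return entries

def audit(data, kdc_etype):
    """Flag what the trace would trip over: kvno 0, weak keys, no key for the KDC's enctype."""
    entries = parse_keytab(data)
    problems = ["%s: kvno 0" % e["principal"] for e in entries if e["kvno"] == 0]
    problems += ["%s: weak enctype %s" % (e["principal"], e["etype"]) for e in entries if e["weak"]]
    if all(e["etype"] != kdc_etype for e in entries):
        problems.append("no %s key in keytab, but the KDC selected it" % kdc_etype)
    return entries, problems

# Constructed keytab bytes (not a real keytab): des-cbc-crc and aes256-cts entries, both kvno 0.
_HDR = b"\x00\x01\x00\x0aDOMAIN.INT\x00\x0cservice_user\x00\x00\x00\x01\x00\x00\x00\x00\x00"
SAMPLE = (b"\x05\x02"
          + struct.pack(">i", len(_HDR) + 16) + _HDR + b"\x00\x01\x00\x08" + b"\x11" * 8 + b"\x00" * 4
          + struct.pack(">i", len(_HDR) + 40) + _HDR + b"\x00\x12\x00\x20" + b"\x22" * 32 + b"\x00" * 4)
```

Run `audit(open("/etc/krb5/service_user.keytab", "rb").read(), "aes256-cts")` against a real file and compare the enctype and kvno it reports with the "Selected etype info" and "vno" lines of your own KRB5_TRACE output.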
Original content provided by Unix & Linux. Translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://unix.stackexchange.com/questions/502113