When I run kvno imap/prueba-mail.ejemplo.org@EJEMPLO.ORG I get the following error: kvno: Server not found in Kerberos database while getting credentials for imap/prueba-mail.ejemplo.org@EJEMPLO.ORG
Below I show the settings and the steps I took, plus the Wireshark captures, and I hope you can help me.
I have a Windows Server 2003 with AD; its IP address is yyy.yyy.yyy.yyy and its name is win2003. The client users run Windows and have Kerberos for Windows installed, with Thunderbird as their mail client.
I also have a CentOS 6 machine whose IP is xxx.xxx.xxx.xxx and whose name is prueba-mail, with Postfix + Cyrus IMAP installed. If I run nslookup yyy.yyy.yyy.yyy from the CentOS 6 machine it resolves correctly. If I run nslookup xxx.xxx.xxx.xxx from the Windows Server 2003 machine it resolves correctly.
I want SSO from the Windows clients, so I did the following:
1) Created a user in AD for each service (imap, etc.). These users have "Use DES encryption types for this account", "Do not require Kerberos preauthentication", "User cannot change password" and "Password never expires" enabled.
2) When I run setspn -L on Windows 2003, the following is shown:
host/prueba-mail.ejemplo.org
imap/prueba-mail.ejemplo.org
3) On Windows 2003 I ran the following commands:
Ktpass -princ host/prueba-mail.ejemplo.org@EJEMPLO.ORG -mapuser host -pass password -crypto DES-CBC-MD5 -out UNIXhost.keytab
Ktpass -princ imap/prueba-mail.ejemplo.org@EJEMPLO.ORG -mapuser imap -pass password -crypto DES-CBC-MD5 -out UNIXimap.keytab
4) I added UNIXimap.keytab into UNIXhost.keytab. Then I made two copies of UNIXhost.keytab, at /etc/krb5.keytab and /etc/krb5.keytab.cyrus. I also ran chown cyrus /etc/krb5.keytab.cyrus.
Here are the configurations + the Wireshark capture.
---- /etc/krb5.conf ----
[logging]
default = /var/log/krb5libs.log
kdc = /var/log/krb5kdc.log
admin_server = /var/log/kadmind.log
[libdefaults]
default_realm = EJEMPLO.ORG
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
default_keytab_name = FILE:/etc/krb5.keytab
allow_weak_crypto = yes
[realms]
EJEMPLO.ORG = {
kdc = YYY.YYY.YYY.YYY:88
admin_server = YYY.YYY.YYY.YYY
password_server = YYY.YYY.YYY.YYY
default_domain = EJEMPLO.ORG
}
[domain_realm]
.ejemplo.org = EJEMPLO.ORG
[login]
krb4_convert = false
---- request (Wireshark) ----
No. Time Source Destination Protocol Info
109625 191.215550 xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy KRB5 TGS-REQ
Frame 109625 (681 bytes on wire, 681 bytes captured)
Arrival Time: Jul 17, 2013 17:34:59.991270000
[Time delta from previous captured frame: 0.014822000 seconds]
[Time delta from previous displayed frame: 191.215550000 seconds]
[Time since reference or first frame: 191.215550000 seconds]
Frame Number: 109625
Frame Length: 681 bytes
Capture Length: 681 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: CadmusCo_13:dd:bd (08:00:27:13:dd:bd), Dst: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
Destination: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
Address: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
Address: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx), Dst: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 667
Identification: 0x25c6 (9670)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xc79b [correct]
[Good: True]
[Bad : False]
Source: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Destination: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
User Datagram Protocol, Src Port: 58345 (58345), Dst Port: kerberos (88)
Source port: 58345 (58345)
Destination port: kerberos (88)
Length: 647
Checksum: 0x4d89 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Kerberos TGS-REQ
Pvno: 5
MSG Type: TGS-REQ (12)
padata: PA-TGS-REQ
Type: PA-TGS-REQ (1)
Value: 6E8201D6308201D2A003020105A10302010EA20703050000... AP-REQ
Pvno: 5
MSG Type: AP-REQ (14)
Padding: 0
APOptions: 00000000
.0.. .... .... .... .... .... .... .... = Use Session Key: Do NOT use the session key to encrypt the ticket
..0. .... .... .... .... .... .... .... = Mutual required: Mutual authentication is NOT required
Ticket
Tkt-vno: 5
Realm: EJEMPLO.ORG
Server Name (Service and Instance): krbtgt/EJEMPLO.ORG
Name-type: Service and Instance (2)
Name: krbtgt
Name: EJEMPLO.ORG
enc-part rc4-hmac
Encryption type: rc4-hmac (23)
Kvno: 2
enc-part: 61BCF5140DC42B2D3963D13F7784BEAAFE642F9EB7ADE907...
Authenticator rc4-hmac
Encryption type: rc4-hmac (23)
Authenticator data: AA6A2E97EF2F71052880E7004209B535DC5ACBE517063A17...
KDC_REQ_BODY
Padding: 0
KDCOptions: 50810000 (Forwardable, Proxiable, Renewable, Canonicalize)
.1.. .... .... .... .... .... .... .... = Forwardable: FORWARDABLE tickets are allowed/requested
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...1 .... .... .... .... .... .... .... = Proxiable: PROXIABLE tickets are allowed/requested
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... .... 1... .... .... .... .... .... = Renewable: This ticket is RENEWABLE
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
.... .... .... ...1 .... .... .... .... = Canonicalize: This is a request for a CANONICALIZED ticket
.... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT accept renewed tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
Realm: EJEMPLO.ORG
Server Name (Principal): imap/prueba-mail.ejemplo.org
Name-type: Principal (1)
Name: imap
Name: prueba-mail.ejemplo.org
till: 2013-07-18 06:32:17 (UTC)
Nonce: 1374093338
Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
Encryption type: aes256-cts-hmac-sha1-96 (18)
Encryption type: aes128-cts-hmac-sha1-96 (17)
Encryption type: des3-cbc-sha1 (16)
Encryption type: rc4-hmac (23)
Encryption type: des-cbc-crc (1)
Encryption type: des-cbc-md5 (3)
Encryption type: des-cbc-md4 (2)
---- reply (Wireshark) ----
No. Time Source Destination Protocol Info
109626 191.217040 yyy.yyy.yyy.yyy xxx.xxx.xxx.xxx KRB5 KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
Frame 109626 (171 bytes on wire, 171 bytes captured)
Arrival Time: Jul 17, 2013 17:34:59.992760000
[Time delta from previous captured frame: 0.001490000 seconds]
[Time delta from previous displayed frame: 0.001490000 seconds]
[Time since reference or first frame: 191.217040000 seconds]
Frame Number: 109626
Frame Length: 171 bytes
Capture Length: 171 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Ibm_a5:b3:46 (00:09:6b:a5:b3:46), Dst: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
Destination: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
Address: CadmusCo_13:dd:bd (08:00:27:13:dd:bd)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
Address: Ibm_a5:b3:46 (00:09:6b:a5:b3:46)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 157
Identification: 0x7913 (30995)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x764c [correct]
[Good: True]
[Bad : False]
Source: yyy.yyy.yyy.yyy (yyy.yyy.yyy.yyy)
Destination: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 58345 (58345)
Source port: kerberos (88)
Destination port: 58345 (58345)
Length: 137
Checksum: 0xa6b2 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2013-07-17 20:35:39 (UTC)
susec: 806620
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EJEMPLO.ORG
Server Name (Principal): imap/prueba-mail.ejemplo.org
Name-type: Principal (1)
Name: imap
Name: prueba-mail.ejemplo.org
e-data
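Step 4 of the post merges two ktpass keytabs and copies the result to /etc/krb5.keytab; one way to confirm what that file actually holds (principal names, kvno and enctype per entry) is to parse it directly, since KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is returned by the KDC before the keytab is ever consulted and a correct keytab alone does not clear it. The following is an added example, not code from the post: it parses the MIT keytab layout (version 0x0502) and the sample keytab bytes, kvno 3 and the DES key values are constructed placeholders.

```python
import struct
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):
    # 16-bit big-endian length prefix followed by the bytes (keytab version 0x0502)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    # One dict per live entry: principal, kvno, enctype name and key length.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off -= size; continue
        e, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", e, p); p += 2
        realm, p = _counted(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p); comps.append(c.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", e, p); p += 9
        etype, klen = struct.unpack_from(">HH", e, p); p += 4 + klen
        if p + 4 <= size:                  # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", e, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPE_NAMES.get(etype, str(etype)), "keylen": klen})
        off += size
    return entries

def find_keys(entries, principal):
    # Keys held for one principal, e.g. imap/prueba-mail.ejemplo.org@EJEMPLO.ORG
    return [x for x in entries if x["principal"] == principal]

def build_entry(realm, comps, kvno, etype, key):
    # Encoder for the same layout; used here only to construct the sample keytab.
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps: body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, 1374093338, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample of what the merged /etc/krb5.keytab from the post would hold
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_entry(b"EJEMPLO.ORG", [b"host", b"prueba-mail.ejemplo.org"], 3, 3, b"\x01" * 8)
    + build_entry(b"EJEMPLO.ORG", [b"imap", b"prueba-mail.ejemplo.org"], 3, 3, b"\x02" * 8))
```

Running parse_keytab over the bytes of the real /etc/krb5.keytab and comparing the kvno shown against the one the KDC reports for the account is the host-side half of the check; the SPN registration in AD is the other half.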