Kerberos keytab file does not work

3

I have two AD domains and I am trying to use NFS with Kerberos for both. Part of the procedure requires creating keytab files for the host and nfs principals for the client and the server, respectively. I am using the same batch files on both DCs to create the computer and user entries in AD as well as the keytab files. The keytab files from one of the ADs work fine, but all the keytab files from the other AD fail with:

rob@hostname: [NFS_Kerberos_Keytabs]$ kinit -V host/[email protected] -k -t hostname_host_REALM.DOM.COM.keytab  
Using default cache: /tmp/krb5cc_1000
Using principal: host/[email protected]
Using keytab: hostname_host_REALM.DOM.COM.keytab
kinit: Client 'host/[email protected]' not found in Kerberos database while getting initial credentials

When setting this up, I first created a computer entry in the database:

# extended LDIF
#
# LDAPv3
# base <cn=computers,dc=realm,dc=dom,dc=com> with scope subtree
# filter: (name=hostname)
# requesting: ALL
#

# hostname, Computers, realm.dom.com
dn: CN=hostname,CN=Computers,DC=realm,DC=dom,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: hostname
distinguishedName: CN=hostname,CN=Computers,DC=realm,DC=dom,DC=com
instanceType: 4
whenCreated: 20160128162300.0Z
whenChanged: 20160128162300.0Z
uSNCreated: 174308
uSNChanged: 174312
name: hostname
objectGUID:: jd23ti+U/USCbuyzfWj5rQ==
userAccountControl: 4128
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 130984717800613071
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAlHJ4KV3gLEfERwiPLDEAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: HOSTNAME$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=realm,DC=dom,DC=com
isCriticalSystemObject: FALSE
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Then I created a user entry:

# extended LDIF
#
# LDAPv3
# base <cn=users,dc=realm,dc=dom,dc=com> with scope subtree
# filter: (&(ObjectClass=person)(name=hostname host))
# requesting: ALL
#

# hostname host, Users, realm.dom.com
dn: CN=hostname host,CN=Users,DC=realm,DC=dom,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: hostname host
sn: host
givenName: hostname
distinguishedName: CN=hostname host,CN=Users,DC=realm,DC=dom,DC=com
instanceType: 4
whenCreated: 20160129074155.0Z
whenChanged: 20160309164621.0Z
displayName: hostname host
uSNCreated: 174516
uSNChanged: 179340
name: hostname host
objectGUID:: Uaw7Gk2n0keDHjIAiRaPqw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 131020165954163706
pwdLastSet: 131020155817310122
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAlHJ4KV3gLEfERwiPPjEAAA==
accountExpires: 9223372036854775807
logonCount: 4
sAMAccountName: hostname-host
sAMAccountType: 805306368
userPrincipalName: host/[email protected]
servicePrincipalName: host/hostname.sub.dom.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=realm,DC=dom,DC=com
dSCorePropagationData: 16010101000000.0Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I then ran ktpass on the DC to create the keytab file:

C:\Users\rob.marshall>ktpass -princ host/[email protected] -out hostname_host_REALM.DOM.COM.keytab -mapuser [email protected] -mapOp set -crypto all -ptype KRB5_NT_PRINCIPAL +rndPass
Targeting domain controller: WIN-F2DD88GD7U9.realm.dom.com
Using legacy password setting method
Successfully mapped host/hostname.sub.dom.com to hostname-host.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to hostname_test04.keytab:
Keytab version: 0x502
keysize 70 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa219dcdc0d232a7f)
keysize 70 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa219dcdc0d232a7f)
keysize 78 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x2c3d1d1cbf52afe3a7190bdaa0107fed)
keysize 94 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x4f4b4f5d3f401c7ef885c94989e5561cc74fa607b07c6135c78450625bfb007e)
keysize 78 host/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x11 (AES128-SHA1) keylength 16 (0x3704104525c61565296a343d6092209f)

Checking the keytab file:

rob@robs-ubuntu2: [NFS_Kerberos_Keytabs]$ klist -kte hostname_host_REALM.DOM.COM.keytab
Keytab name: FILE:hostname_host_REALM.DOM.COM.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/31/1969 19:00:00 host/[email protected] (des-cbc-crc) 
   2 12/31/1969 19:00:00 host/[email protected] (des-cbc-md5) 
   2 12/31/1969 19:00:00 host/[email protected] (arcfour-hmac) 
   2 12/31/1969 19:00:00 host/[email protected] (aes256-cts-hmac-sha1-96) 
   2 12/31/1969 19:00:00 host/[email protected] (aes128-cts-hmac-sha1-96) 

Once again, I did exactly the same thing (except for the REALM) on another AD DC and those keytab files work fine. Any idea what I did wrong here? The keytabs from the AD that is NOT working come from a Windows system whose edition is listed as "Windows Server Enterprise" with a 2007 copyright and SP 1. The other one is Windows 2012 R2.

Thanks for any help,

Rob

by Rob Marshall 09.03.2016 / 21:32

0 answers
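The post checks its keytab only through `klist -kte`. Added example (not code from the post, and not part of krb5 or ktpass): a small reader and writer for the keytab format the ktpass output announces ("Keytab version: 0x502"), so the file-side facts can be verified directly: which principal string is actually in the file, the kvno (both the 8-bit field and the trailing 32-bit field that ktpass writes, which is why its "keysize" is 4 bytes larger than the body), the timestamp (ktpass writes 0, which is the 12/31/1969 19:00:00 EST shown by klist), and which enctypes are present. The principal `host/hostname.sub.dom.com@REALM.DOM.COM` is assumed from the SPN and keytab filename in the post; the sample keys are constructed dummy bytes. Two checks are included because they are the ones worth running before blaming the KDC: `find_entries` confirms the spelling of the principal the keytab holds (the "Client ... not found in Kerberos database" message comes from the KDC, not from the file), and `weak_entries` flags the single-DES and RC4 keys that `-crypto all` emits, which current MIT and Heimdal clients reject unless `allow_weak_crypto = true` is set.

```python
import struct
import time
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502   # "Keytab version: 0x502" in the ktpass output
KRB5_NT_PRINCIPAL = 1     # "ptype 1 (KRB5_NT_PRINCIPAL)"
# Enctype numbers (RFC 3961/3962/4757) with the names klist prints for them.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3, 23}  # single DES and RC4, all emitted by ktpass -crypto all


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    name_type: int
    timestamp: int   # seconds since the epoch; ktpass writes 0
    kvno: int
    enctype: int
    key: bytes


def _counted(raw: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_entry(e: KeytabEntry) -> bytes:
    """Serialise one entry (32-bit length prefix + body) as krb5/ktpass write it."""
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)  # trailing 32-bit kvno (ktpass emits it)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(map(build_entry, entries))


def _parse_entry(buf: bytes) -> KeytabEntry:
    pos = 0

    def counted() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">H", buf, pos)
        pos += 2 + n
        return buf[pos - n:pos].decode()

    (ncomp,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    realm = counted()
    comps = [counted() for _ in range(ncomp)]
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, pos)
    enctype, klen = struct.unpack_from(">HH", buf, pos + 9)
    pos += 13
    key, pos = buf[pos:pos + klen], pos + klen
    kvno = vno8
    if pos + 4 <= len(buf):            # optional 32-bit kvno wins when non-zero
        kvno = struct.unpack_from(">I", buf, pos)[0] or vno8
    return KeytabEntry("/".join(comps) + "@" + realm, name_type, timestamp,
                       kvno, enctype, key)


def parse_keytab(data: bytes) -> list:
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                   # deleted slot: skip |size| bytes
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError("entry runs past end of keytab")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def find_entries(entries, principal: str) -> list:
    """Entries for one principal; empty means `kinit -k -t` can never match it."""
    return [e for e in entries if e.principal == principal]


def weak_entries(entries) -> list:
    """Entries modern clients refuse unless allow_weak_crypto = true."""
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


def klist_lines(entries) -> list:
    """Render entries like `klist -kte` (timestamps in UTC rather than local time)."""
    return ["%4d %s %s (%s)" % (e.kvno,
                                time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(e.timestamp)),
                                e.principal, ENCTYPE_NAMES.get(e.enctype, str(e.enctype)))
            for e in entries]


# Constructed sample mirroring the ktpass listing in the post: same principal,
# enctypes, key lengths, kvno 3 and timestamp 0; the keys are dummy bytes.
SAMPLE_PRINCIPAL = "host/hostname.sub.dom.com@REALM.DOM.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(SAMPLE_PRINCIPAL, KRB5_NT_PRINCIPAL, 0, 3, et, bytes([0x5A]) * n)
    for et, n in ((1, 8), (3, 8), (23, 16), (18, 32), (17, 16))
])

if __name__ == "__main__":
    for line in klist_lines(parse_keytab(SAMPLE_KEYTAB)):
        print(line)
```

To inspect a real file, replace `SAMPLE_KEYTAB` with `open(path, "rb").read()`. The body sizes produced by `build_entry` for the sample (70, 70, 78, 94, 78) match the "keysize" values ktpass printed in the post, which is a quick confirmation that the trailing 32-bit kvno is part of what ktpass writes.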