Linux Basics
1 Preface
One problem, one article, one story.
The author recently found that domain-user logins to the production sftp server were failing. Checking the sssd service showed the following error:
Jul 19 16:00:15 sftp01.cmdschool.org krb5_child[230864]: KDC has no support for encryption type
This article collects the steps used to diagnose and resolve the problem.
2 Best practice
2.1 Confirm the problem
2.1.1 Trace the Kerberos authentication process
KRB5_TRACE=/dev/stdout kinit will@cmdschool.org
The following trace is printed:
[231328] 1721376169.167530: Matching will@cmdschool.org in collection with result: -1765328243/Can't find client principal will@cmdschool.org in cache collection
[231328] 1721376169.167531: Getting initial credentials for will@cmdschool.org
[231328] 1721376169.167533: Sending unauthenticated request
[231328] 1721376169.167534: Sending request (184 bytes) to cmdschool.org
[231328] 1721376169.167535: Sending DNS URI query for _kerberos.cmdschool.org.
[231328] 1721376169.167536: No URI records found
[231328] 1721376169.167537: Sending DNS SRV query for _kerberos._udp.cmdschool.org.
[231328] 1721376169.167538: SRV answer: 0 100 88 "dgdc01.cmdschool.org."
[231328] 1721376169.167539: SRV answer: 0 100 88 "azdc01.cmdschool.org."
[231328] 1721376169.167540: SRV answer: 0 100 88 "cadc01.cmdschool.org."
[231328] 1721376169.167541: SRV answer: 0 100 88 "hkdc01.cmdschool.org."
[231328] 1721376169.167542: Sending DNS SRV query for _kerberos._tcp.cmdschool.org.
[231328] 1721376169.167543: SRV answer: 0 100 88 "dgdc01.cmdschool.org."
[231328] 1721376169.167544: SRV answer: 0 100 88 "cadc01.cmdschool.org."
[231328] 1721376169.167545: SRV answer: 0 100 88 "hkdc01.cmdschool.org."
[231328] 1721376169.167546: SRV answer: 0 100 88 "azdc01.cmdschool.org."
[231328] 1721376169.167547: Resolving hostname dgdc01.cmdschool.org.
[231328] 1721376169.167548: Resolving hostname azdc01.cmdschool.org.
[231328] 1721376169.167549: Resolving hostname cadc01.cmdschool.org.
[231328] 1721376169.167550: Resolving hostname hkdc01.cmdschool.org.
[231328] 1721376169.167551: Resolving hostname dgdc01.cmdschool.org.
[231328] 1721376169.167552: Initiating TCP connection to stream 10.168.0.46:88
[231328] 1721376169.167553: Sending TCP request to stream 10.168.0.46:88
[231328] 1721376169.167554: Received answer (125 bytes) from stream 10.168.0.46:88
[231328] 1721376169.167555: Terminating TCP connection to stream 10.168.0.46:88
[231328] 1721376169.167556: Sending DNS URI query for _kerberos.cmdschool.org.
[231328] 1721376169.167557: No URI records found
[231328] 1721376169.167558: Sending DNS SRV query for _kerberos-master._tcp.cmdschool.org.
[231328] 1721376169.167559: No SRV records found
[231328] 1721376169.167560: Response was not from primary KDC
[231328] 1721376169.167561: Received error from KDC: -1765328370/KDC has no support for encryption type
[231328] 1721376169.167562: Retrying AS request with primary KDC
[231328] 1721376169.167563: Getting initial credentials for will@cmdschool.org
[231328] 1721376169.167565: Sending unauthenticated request
[231328] 1721376169.167566: Sending request (184 bytes) to cmdschool.org (primary)
[231328] 1721376169.167567: Sending DNS URI query for _kerberos.cmdschool.org.
[231328] 1721376169.167568: No URI records found
[231328] 1721376169.167569: Sending DNS SRV query for _kerberos-master._udp.cmdschool.org.
[231328] 1721376169.167570: Sending DNS SRV query for _kerberos-master._tcp.cmdschool.org.
[231328] 1721376169.167571: No SRV records found
kinit: KDC has no support for encryption type while getting initial credentials
In addition, the following command is sometimes useful for reference (it lists the cached tickets together with their encryption types):
klist -A -e
2.1.2 Confirm the current encryption types (system-wide crypto policy)
update-crypto-policies --show
The following is shown:
DEFAULT
Alternatively, the following command can also be used to query it:
cat /etc/crypto-policies/state/current
2.2 Solve the problem
2.2.1 Enable additional encryption types
update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
2.2.2 Reboot the server so the configuration takes effect
reboot
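As an added example (not part of the original article), the checks from 2.1 and the fix from 2.2 expressed as a small POSIX shell script. It works entirely offline: the KRB5_TRACE excerpt and the policy strings are constructed sample data modelled on the output above, the function names are mine, and nothing here contacts a KDC or changes the system. It shows how to recognise the KDC error code in a trace, find which domain controller answered, and derive the update-crypto-policies command without losing subpolicies that are already applied.

```shell
#!/bin/sh
# Added example, not the article's own code. Offline checks mirroring
# sections 2.1 and 2.2. All data below is constructed sample input.

# Constructed KRB5_TRACE excerpt in the same shape as the kinit output in 2.1.1.
SAMPLE_TRACE='[231328] 1721376169.167552: Initiating TCP connection to stream 10.168.0.46:88
[231328] 1721376169.167554: Received answer (125 bytes) from stream 10.168.0.46:88
[231328] 1721376169.167561: Received error from KDC: -1765328370/KDC has no support for encryption type
kinit: KDC has no support for encryption type while getting initial credentials'

# Return 0 when the trace carries the libkrb5 error -1765328370
# (KDC_ERR_ETYPE_NOSUPP), the "KDC has no support for encryption type" case.
trace_has_etype_error() {
    printf '%s\n' "$1" | grep -q 'Received error from KDC: -1765328370/'
}

# Print the host:port of the KDC that answered the AS request, so the
# domain controller that rejected the request can be identified from the trace.
trace_answering_kdc() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Received answer ([0-9]* bytes) from stream \([^ ]*\).*/\1/p' \
        | head -n 1
}

# Given the output of `update-crypto-policies --show` (e.g. "DEFAULT" or
# "DEFAULT:AD-SUPPORT-LEGACY"), return 0 when AD-SUPPORT-LEGACY is applied.
policy_has_ad_legacy() {
    case "$1" in
        *:AD-SUPPORT-LEGACY|*:AD-SUPPORT-LEGACY:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the command from 2.2.1 for the current policy string: keep the base
# policy and any existing subpolicies, and append AD-SUPPORT-LEGACY only once.
ad_legacy_set_command() {
    if policy_has_ad_legacy "$1"; then
        printf 'update-crypto-policies --set %s\n' "$1"
    else
        printf 'update-crypto-policies --set %s:AD-SUPPORT-LEGACY\n' "$1"
    fi
}

# Combine both checks into one verdict.
diagnose() {
    trace="$1"
    policy="$2"
    if ! trace_has_etype_error "$trace"; then
        echo "no-etype-error"
    elif policy_has_ad_legacy "$policy"; then
        echo "etype-error-with-legacy-already-enabled"
    else
        echo "etype-error-legacy-missing"
    fi
}

# Stand-alone run over the constructed data.
printf 'answering KDC: %s\n' "$(trace_answering_kdc "$SAMPLE_TRACE")"
printf 'verdict for policy DEFAULT: %s\n' "$(diagnose "$SAMPLE_TRACE" DEFAULT)"
printf 'suggested fix: %s\n' "$(ad_legacy_set_command DEFAULT)"
```

On a real host, replace SAMPLE_TRACE with the output of the KRB5_TRACE kinit run from 2.1.1 and the policy argument with the output of update-crypto-policies --show. Note that the AD-SUPPORT-LEGACY subpolicy re-enables the RC4 (arcfour-hmac) Kerberos cipher, which is why it is kept separate from the base policy; treat it as a compatibility setting, confirm with klist -e which encryption type the tickets actually end up using, and prefer enabling AES on the Active Directory side for the affected accounts so the subpolicy can be removed again.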
Reference documents
====================
https://web.mit.edu/kerberos/krb5-1.12/doc/admin/troubleshoot.html
https://manpages.ubuntu.com/manpages/focal/en/man8/update-crypto-policies.8.html
https://forums.rockylinux.org/t/activedirectory-integration-problem-in-rocky9/7927
https://serverfault.com/questions/680289/kerberos-kdc-has-no-support-for-encryption-type-while-getting-credentials