Given the following krb5.config (where FOOBAR.COM is a made-up string):

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = FOOBAR.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
#Been messing around with this part
FOOBAR.COM = FOOBAR.COM
.FOOBAR.COM = FOOBAR.COM


[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  FOOBAR.COM = {
    admin_server = my_admin_server_hostname
    kdc = my_kdc_hostname
  }

Calling kadmin with my realm name and other parameters does not work. It cannot find the KDC.
[kdc machine] kadmin -s localhost -p admin/[email protected] -r FOOBAR.COM -q "get_principal admin/[email protected]"
    Authenticating as principal admin/[email protected] with password.
    kadmin: Cannot find KDC for realm "foobar.com" while initializing kadmin interface

But accessing kadmin first does work (maybe because it accesses kadmin.local?)
[kdc machine]# kadmin
Authenticating as principal admin/[email protected] with password.
Password for admin/[email protected]:
kadmin:  get_principal admin/[email protected]
get_principal: Principal does not exist while retrieving "admin/[email protected]".

Strangely, omitting the principal flag also works
[kdc machine]# kadmin -s localhost -r FOOBAR.COM -q "get_principal admin/[email protected]"
Authenticating as principal admin/[email protected] with password.
Password for admin/[email protected]:
get_principal: Principal does not exist while retrieving "admin/[email protected]".

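I assume this is due to some DNS issue, since my realm string FOOBAR.COM is a made-up address. I have been editing krb5.conf and the hosts file to try to fix this, without success. Using an actual FQDN instead of a random string as the realm name is not an option. I don't understand why omitting -p leads to a different result...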

Does anyone have an idea how to get the first query to work?

Best answer

OK, it looks like the problem was in specifying the principal with -p

This fails:
-p admin/[email protected]

This succeeds:
-p admin/admin

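Kadmin apparently appends the realm name to the principal automatically, and that is what failed; it had nothing to do with "not finding the KDC server at all".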
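The lookup behind the "Cannot find KDC for realm" message can be modelled offline. This is an added example, not part of the original question or answer and not kadmin's own code: it derives the realm from a principal string and checks by exact match whether the `[realms]` section of a krb5.conf names a KDC for it. The function names, the trimmed config and the lowercase test principal are constructed for illustration; the exact-match rule assumes case-sensitive realm names and no DNS fallback (`dns_lookup_kdc = false`, as in the question).

```python
import re

# Constructed sample: the relevant parts of the krb5.conf from the question.
KRB5_CONF = """\
[libdefaults]
  default_realm = FOOBAR.COM
  dns_lookup_kdc = false

[realms]
  FOOBAR.COM = {
    admin_server = my_admin_server_hostname
    kdc = my_kdc_hostname
  }
"""

def parse_krb5_conf(text):
    """Return {section: {key: value-or-subdict}} for a simple krb5.conf."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def realm_of(principal, default_realm):
    """Realm after an unescaped '@', else the default realm."""
    m = re.search(r"(?<!\\)@(.*)$", principal)
    return m.group(1) if m else default_realm

def kdc_for(principal, conf_text, realm_flag=None):
    """Return (realm, kdc host or None) for the principal's realm."""
    conf = parse_krb5_conf(conf_text)
    default = realm_flag or conf.get("libdefaults", {}).get("default_realm")
    realm = realm_of(principal, default)
    # Exact-match lookup: Kerberos realm names are case-sensitive (assumption
    # of this example: no DNS fallback, as dns_lookup_kdc = false).
    entry = conf.get("realms", {}).get(realm)
    return realm, (entry or {}).get("kdc")
```

A principal without a realm picks up the value passed as `realm_flag` (standing in for `-r`) or `default_realm`, while a principal carrying a realm that has no `[realms]` entry yields no KDC.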

Regarding "hadoop - Cannot find KDC for realm while initializing kadmin interface", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53303506/

10-11 08:34