linux – 从Active Directory中检索当前的Kerberos KVNO

前端之家收集整理的这篇文章主要介绍了linux – 从Active Directory中检索当前的Kerberos KVNO前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我有一个连接到 Windows KDC的 Linux主机的Kerberos问题.我怀疑使用错误版本的Kerberos密钥是罪魁祸首.

一种方法删除SPN并重新创建它,但这是在生产环境中,如果愿意,我必须以“只读”方式进行调试.

如何从Active Directory中的主体中检索当前的Kerberos KVNO?

解决方法

我不相信KVNO是否与您的问题有关,可以使用Linux客户端,但无论如何,使用Wireshark /网络监视器:

密钥版本号在MS-KILE第3.1.5.8节中描述.

顺便说一句,Mathias R. Jessen是正确的,因为Windows通常会忽略KVNO.但它们仍然以RFC投诉方式实施.

http://blogs.msdn.com/b/openspecification/archive/2009/11/13/to-kvno-or-not-to-kvno-what-is-the-version.aspx

No,Windows does not pay attention to KVNO. It simply ignores it.

但是KVNO在RODC环境中确实有一些意义:

http://blogs.msdn.com/b/openspecification/archive/2011/05/11/notes-on-kerberos-kvno-in-windows-rodc-environment.aspx

这里有更多信息:http://support.microsoft.com/kb/2716037

In an environment with one or more RODCs authentication may fail when
interacting with certain MIT based Kerberos devices in one of the
following scenarios.

· The client is an MIT device which received a TGT from
Windows KDC on RODC

· The client passes a TGT generated by Windows KDC on RODC to
MIT Device which in turn uses the TGT to request a TGS on behalf of
the calling user.

In both scenarios the TGT will have been issued by an RODC where the
msDS-SecondaryKrbTgtNumber associated with the krbtgt account for that RODC will have a value greater than 32767.

猜你在找的Linux相关文章