Kerberos authentication fails, "Configuration file does not specify default realm"

I am trying to set up Kerberos authentication with Freeradius. When I run radtest, authentication fails and I get the following error in the log:

(0) Login incorrect (krb5: Failed parsing username as principal: Configuration file does not specify default realm): [user/Password123] (from client localhost port 1812)

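In my krb5 configuration file I have specified a service principal, so I'm not sure why I am getting this error. Here is a snippet for context (sensitive values modified):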

krb5 {
        #
        #  The keytab file MUST be owned by the UID/GID used by the server.
        #  The keytab file MUST be writable by the server.
        #  The keytab file MUST NOT be readable by other users on the system.
        #  The keytab file MUST exist before the server is started.
        #
        keytab = /etc/raddb/mykeytab.keytab
        service_principal = http/princ@example.com
}

Is there something wrong with this configuration? Or am I looking in the wrong place?

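You need to either include the realm with the principal you are logging in as, or set the default realm in krb5.conf (it should be in /etc/, but that may be distribution-specific).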

See here:

default_realm Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as kinit.
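
The two fixes in the answer above, as an added Python example that is not part of the original post and is not FreeRADIUS or Kerberos library code: it reads krb5.conf text, looks for default_realm in [libdefaults], and reports whether a login name would resolve to a realm. The sample files, realm and function names are constructed for illustration, and include/includedir directives are not followed.

```python
import re

# Constructed sample krb5.conf contents (not from the original post).
BROKEN_CONF = """\
[libdefaults]
    dns_lookup_realm = false
    ; default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""
FIXED_CONF = BROKEN_CONF.replace("; default_realm", "default_realm")


def default_realm(conf_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)  # section header
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm" and value:
                return value
    return None


def has_realm(principal):
    """True if the name carries an unescaped '@realm' suffix."""
    return re.search(r"(?<!\\)@.+$", principal) is not None


def diagnose(username, conf_text):
    """Say how the realm for username would be resolved, or why it cannot be."""
    if has_realm(username):
        return "ok: realm given in principal"
    realm = default_realm(conf_text)
    if realm:
        return f"ok: {username}@{realm} via default_realm"
    return "fail: no realm in principal and no default_realm in [libdefaults]"
```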