Problem creating a keytab file on a Windows server

I am trying to create a keytab file. I see a warning

  WARNING: pType and account type do not match. This might cause  problems.

The command I am using is

  ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass **** -ptype KRB5_NT_SRV_HST -out "C:\Documents and Settings\Administrator\bloodhound.kytab"

I want to use it for SSO on Apache. I am creating it on Windows Server 2003 R2 SP2.

Output

Targeting domain controller: fezziwig.uk.domain.com
Using legacy password setting method
Successfully mapped HTTP/bloodhound.domain.com to ldaplookup.
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to C:\Documents and Settings\Administrator.UK-GGS-DOMAIN\bloodhound.keytab:
Keytab version: 0x502
keysize 82 HTTP/[email protected] ptype 3 (KRB5_NT_SRV_HST) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0xde184005d851613980cffb9580bdd193)

I have followed a number of guides that all show the same steps, e.g. http://www.zimbra.com/docs/os/7.2.3/administration_guide/wwhelp/wwhimpl/common/html/wwhelp.htm#href=7.2.3_Open_Source_admin.Create_the_Kerberos_Keytab_File.html&single=true

But none of them work. When I test with kvno, I get the following result

[root@portal-test conf]# klist -ke bloodhound1.keytab 
Keytab name: FILE:bloodhound1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  27 HTTP/[email protected] (ArcFour with HMAC/md5) 
[root@portal-test conf]# kvno HTTP/[email protected]
kvno: Server not found in Kerberos database while getting credentials for HTTP/[email protected]

Update

The web server I want to access uses the URL http://cobra.woking/

I entered the following command on Windows Server 2008 R2 Standard

ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass password -ptype KRB5_NT_SRV_HST -out "C:\Temp\cobra.kytab" -ptype KRB5_NT_PRINCIPAL

Targeting domain controller: echo.spectrumasa.com
Successfully mapped HTTP/cobra.woking to ldaplookup.
Password succesfully set!
Key created.
Output keytab to C:\Temp\cobra.kytab:
Keytab version: 0x502
keysize 68 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 33 etype 0x17 (RC4-HMAC) keylength 16 (0xde184005d851613980cffb9580bdd193)

I copied the file to the web server and updated the web server configuration to:

<Directory /opt/html/trac>
        AuthType Kerberos
        AuthName KerberosLogin
        KrbServiceName HTTP/cobra.woking
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms SPECTRUMASA.COM
        Krb5KeyTab /tmp/cobra.kytab

        AuthLDAPURL ldap://ldapauth.spectrumasa.com/ou=TechSupport,ou=Woking,ou=Sites,dc=spectrumasa,dc=com?userPrincipalName
        AuthLDAPBindDN cn=ldaplookup,cn=Users,dc=spectrumasa,dc=com
        AuthLDAPBindPassword password

        #require valid-user
        Require ldap-group cn=support,cn=Users,dc=spectrumasa,dc=com
        ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/intranet/info/unauthorized\"></html>"
</Directory>

Testing the keytab

klist -ke cobra.kytab 
Keytab name: FILE:cobra.kytab
KVNO Principal
---- --------------------------------------------------------------------------
  33 HTTP/[email protected] (arcfour-hmac) 

kvno HTTP/[email protected]
kvno: Ticket expired while getting credentials for HTTP/[email protected]

When I go to the URL, in IE I get the page, but in Firefox I get a password prompt and then it works fine. The error log shows

gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, ), referer: http://cobra.woking/trac/

How do I fix this?

I already have an intranet keytab file for this server that works

[root@cobra conf]# klist -ke intranet.keytab
Keytab name: FILE:intranet.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 HTTP/[email protected] (arcfour-hmac) 
[root@cobra conf]# kvno HTTP/[email protected]
kvno: Ticket expired while getting credentials for HTTP/[email protected]

Second update

I recreated the keytab with the following command

ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass password -out "C:\Temp\cobra1.keytab" -ptype KRB5_NT_PRINCIPAL

In my DNS I have

  cobra         A   172.16.0.216

In Apache I have

KrbServiceName HTTP/cobra
Krb5KeyTab /etc/httpd/conf/cobra1.keytab

When I try to access http://cobra/trac, the system asks me for a password 3 times. The log shows the following.

On entering the URL, the first password prompt shows SPECTRUM/user and the log shows

gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )

The second password prompt shows COBRA/user and the log shows

gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)

On the third password prompt I have to enter the username and password, and then it works.

I have added http://cobra and http://cobra.spectrumasa.com to IE's trusted sites.
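The following script is an added example and is not part of the question or of any answer. It checks, on the Apache host, the two things the symptoms above hinge on: that the keytab contains the SPN the browser will actually ask for (HTTP/ followed by the host part of the URL, so http://cobra/, http://cobra.woking/ and http://cobra.spectrumasa.com/ each need their own entry unless DNS canonicalisation maps them to one name), and that the key version number (KVNO) in the keytab matches the one the KDC reports. Every ktpass run with -pass resets the account password and increments the KVNO, so any keytab written before the latest run (for example one with vno 8 when the KDC is at 33) can no longer decrypt service tickets. The "Ticket expired" message from kvno is about the caller's own TGT, so the script obtains a fresh one from the keytab first. It assumes MIT Kerberos client tools (klist, kinit, kvno) and a reachable KDC; the realm EXAMPLE.COM, the keytab path and the sample listing are placeholders, not the poster's real values.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a mod_auth_kerb
# keytab against the SPN a browser will request and the KVNO the KDC holds.
# Assumptions: MIT krb5 client tools on the Apache host; principal and keytab
# names used here are illustrative placeholders.

# spn_for_url URL: the SPN a browser builds for URL, i.e. HTTP/<host part,
# lower-cased, port stripped>. If the client canonicalises the host via DNS
# (rdns), pass the FQDN the A record resolves to instead of the short name.
spn_for_url() {
    host=$(printf '%s' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##' | tr 'A-Z' 'a-z')
    printf 'HTTP/%s\n' "$host"
}

# keytab_has_spn SPN  (reads `klist -ke` output on stdin)
# Exit 0 if SPN appears in the keytab, in any realm and with any etype.
keytab_has_spn() {
    grep -q "^ *[0-9][0-9]* $1@"
}

# keytab_kvno SPN  (reads `klist -ke` output on stdin)
# Print the KVNO the keytab stores for SPN (first matching entry).
keytab_kvno() {
    awk -v spn="$1" 'index($2, spn "@") == 1 { print $1; exit }'
}

# kdc_kvno  (reads `kvno` output on stdin, e.g. "HTTP/host@REALM: kvno = 33")
# Print the version number the KDC reports.
kdc_kvno() {
    sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# compare_kvno KEYTAB_KVNO KDC_KVNO: exit 0 only when both are present and equal.
# A mismatch means the account password was reset (every `ktpass -pass` run
# does this) after the keytab was written, so the service cannot decrypt the
# tickets the KDC now issues.
compare_kvno() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" -eq "$2" ]
}

# verify_keytab KEYTAB URL: the live check to run on the Apache host.
verify_keytab() {
    keytab=$1
    spn=$(spn_for_url "$2")
    listing=$(klist -ke "$keytab") || return 1
    printf '%s\n' "$listing" | keytab_has_spn "$spn" \
        || { echo "keytab lacks $spn (browser will request this SPN)"; return 1; }
    princ=$(printf '%s\n' "$listing" | awk -v spn="$spn" 'index($2, spn "@") == 1 { print $2; exit }')
    # kinit with the keytab proves the key matches the KDC's copy and gives us a
    # fresh TGT, so kvno below does not fail with "Ticket expired". A stale KVNO
    # or wrong password shows up here as "Preauthentication failed".
    kinit -kt "$keytab" "$princ" || return 1
    kt=$(printf '%s\n' "$listing" | keytab_kvno "$spn")
    kdc=$(kvno "$princ" | kdc_kvno)
    compare_kvno "$kt" "$kdc" \
        && echo "OK: $princ keytab kvno $kt matches KDC kvno $kdc" \
        || { echo "KVNO mismatch: keytab $kt, KDC $kdc; regenerate the keytab"; return 1; }
}
```

Run it as the user httpd runs as, e.g. `verify_keytab /etc/httpd/conf/cobra1.keytab http://cobra.spectrumasa.com/trac/`, once per hostname that users type into the browser; running it as root can hide the other common cause of "No credentials were supplied", which is the Apache worker not being able to read the keytab file.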

Answer 1

The error in the output appears because you have not mapped the SPN to the principal. You should use the ptype switch, -ptype KRB5_NT_PRINCIPAL, to avoid the error.

KRB5_NT_PRINCIPAL is the general principal type (recommended), as documented by Microsoft.
