I am trying to set up a client/server with a web service, and users from Active Directory should be able to log in to that server with SSO.
I am using SPNEGO with Kerberos on an Ubuntu 14.04 server, with nginx proxying to Naviserver for the web service, and I get the error code: majorStatus: 851968, minorStatus: 2529639056 (Wrong principal in request)
/etc/krb5.conf
[libdefaults]
default_realm = TEST.LOCAL
default_keytab_name = /etc/staging.keytab
rdns = false
ignore_acceptor_hostname = true
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
allow_weak_crypto = true
kdc_timesync = 1
clockskew = 100
ccache_type = 4
forwardable = true
proxiable = true
ticket_lifetime = 25h
renew_lifetime = 7d
kdc_req_checksum_type = 4
[realms]
TEST.LOCAL = {
kdc = something.test.local
admin_server = something.test.local
default_domain = TEST.LOCAL
}
[domain_realm]
live.test.smth = TEST.LOCAL
.live.test.smth = TEST.LOCAL
staging.smth.else = TEST.LOCAL
.staging.smth.else = TEST.LOCAL
/etc/hosts (without the 127.0.0.1 line)
ActiveDirIP test.local
myIP staging.smth.else
I have a keytab file generated by the Active Directory administrator:
ktpass /princ HTTP/[email protected] /mapuser [email protected] /pass *** /out staging.keytab /crypto DES-CBC-CRC /kvno 0 /ptype KRB5_NT_PRINCIPAL
When I call kinit, it works:
~$ kinit -S http/[email protected] [email protected]
~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: [email protected]
Valid starting Expires Service principal
2016-02-12 13:31:44 2016-02-12 23:31:44 http/[email protected]
renew until 2016-02-13 13:31:41
~$ kinit http/[email protected]
~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: http/[email protected]
Valid starting Expires Service principal
2016-02-12 13:30:58 2016-02-12 23:30:58 krbtgt/[email protected]
renew until 2016-02-13 13:30:49
~$ kinit [email protected]
~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: [email protected]
Valid starting Expires Service principal
2016-02-12 13:32:13 2016-02-12 23:32:13 krbtgt/[email protected]
renew until 2016-02-13 13:32:09
The kvno is 3, but the administrator told me that the kvno does not matter in Windows.
kvno [email protected]
[email protected] kvno = 3
Defined in the NaviServer config:
ns_section ns/server/${server}/module/knspnego
ns_param Krb5KeyTabFile "/etc/staging.keytab"
ns_param Krb5ServiceName "[email protected]"
ns_param AuthType "SPNEGO"
Hostname
hostname -f
staging.smth.else
Do you know where the problem is?
Answer 1
I found the solution. The /crypto in the keytab file was not suitable for our setup. It works with /crypto ALL.
Answer 2
I had a similar problem. I replaced the rc4-hmac encryption types with these:
arcfour-hmac
aes128-cts
aes256-cts
des-cbc-crc
des-cbc-md5
and then restarted my service, which solved the problem.
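Both answers fix the same class of problem: the encryption types in the keytab, in the krb5.conf enctype lists and in the service ticket the KDC actually issues must overlap. The following Python script is an added example, not code from the question or the answers; it parses constructed `klist -kte`, `klist -e` and krb5.conf text (SPN and host names modelled on the question, whose real SPN is redacted) and reports a ticket enctype the keytab cannot decrypt, a keytab with no permitted enctype, and a DES/RC4-only keytab. It assumes MIT klist's short enctype names in its output.

```python
import re
# Canonical names for the enctype aliases MIT krb5 accepts in krb5.conf and prints in klist -e.
ALIASES = {"rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac-md5": "arcfour-hmac",
           "aes128-cts": "aes128-cts-hmac-sha1-96", "aes128-sha1": "aes128-cts-hmac-sha1-96",
           "aes256-cts": "aes256-cts-hmac-sha1-96", "aes256-sha1": "aes256-cts-hmac-sha1-96"}
WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}  # DES and RC4 are deprecated (RFC 6649, RFC 8429)

def canon(name):
    n = name.strip().lower()
    return ALIASES.get(n, n)

def conf_enctypes(krb5_conf, key="permitted_enctypes"):
    """Canonical set of enctypes listed for `key` in the krb5.conf [libdefaults] section."""
    m = re.search(r"^\s*%s\s*=\s*(.+)$" % re.escape(key), krb5_conf, re.M)
    return {canon(x) for x in m.group(1).split()} if m else set()

def keytab_enctypes(kte_output, principal):
    """Enctypes of `principal`'s keys in `klist -kte` output, which prints the enctype in parentheses."""
    pat = re.compile(r"\s%s \(([^)]+)\)" % re.escape(principal))
    return {canon(m.group(1)) for m in pat.finditer(kte_output)}

def ticket_enctype(klist_e_output, principal):
    """Enctype of the service ticket for `principal` in `klist -e` output (the 'tkt' value)."""
    m = re.search(r"%s\s*\n\s*Etype \(skey, tkt\): [^,]+, (\S+)" % re.escape(principal), klist_e_output)
    return canon(m.group(1)) if m else None

def diagnose(krb5_conf, kte_output, klist_e_output, principal):
    """Return the mismatches that make the web server's GSS accept step fail."""
    kt = keytab_enctypes(kte_output, principal)
    tkt = ticket_enctype(klist_e_output, principal)
    problems = []
    if tkt and tkt not in kt:  # KDC encrypted the ticket with a key type the keytab does not hold
        problems.append("ticket enctype %s has no matching key in keytab (keys: %s)" % (tkt, sorted(kt)))
    if not kt & conf_enctypes(krb5_conf):  # libkrb5 will refuse every key in the keytab
        problems.append("no keytab enctype appears in permitted_enctypes")
    if kt and kt <= WEAK:
        problems.append("keytab holds only weak enctypes (DES/RC4); request AES keys from the AD admin")
    return problems

# Constructed sample data modelled on the question (whose real SPN is redacted); names are placeholders.
PRINC = "HTTP/staging.smth.else@TEST.LOCAL"
KRB5_CONF = "[libdefaults]\n default_realm = TEST.LOCAL\n" \
            " permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac\n"
KTE_DES_ONLY = "Keytab name: FILE:/etc/staging.keytab\nKVNO Timestamp           Principal\n" \
               "   0 02/12/2016 13:00:00 %s (des-cbc-crc)\n" % PRINC           # from ktpass /crypto DES-CBC-CRC
KTE_ALL = KTE_DES_ONLY + "".join("   0 02/12/2016 13:00:00 %s (%s)\n" % (PRINC, e)  # ktpass /crypto ALL
                                for e in ("arcfour-hmac", "aes256-cts-hmac-sha1-96"))
KLIST_E = "Ticket cache: FILE:/tmp/krb5cc_1002\nValid starting     Expires            Service principal\n" \
          "02/12/2016 13:31:44  02/12/2016 23:31:44  %s\n\tEtype (skey, tkt): arcfour-hmac, arcfour-hmac\n" % PRINC
```

Run `diagnose(KRB5_CONF, KTE_DES_ONLY, KLIST_E, PRINC)` to see the DES-only keytab flagged against an RC4 ticket, and the same call with `KTE_ALL` to see the mismatch disappear; on a real host feed it the output of `klist -kte`, `klist -e` and the contents of /etc/krb5.conf.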