gssapi/kerberos/active directory/ubuntu-请求中的主体错误

tag-icon tag-icon kerberos single-sign-on gssapi spnego
gssapi/kerberos/active directory/ubuntu-请求中的主体错误

我正在尝试设置一个带有 Web 服务的客户端服务器,Active Directory 的用户应该能够使用 SSO 登录到该服务器。

我在 Ubuntu 14.04 服务器上使用带有 Kerberos 的 SPNEGO,并使用 nginx 代理到 Naviserver 以便 Web 服务执行此操作并获取错误代码:majorStatus:851968,minorStatus:2529639056(请求中的主体错误)

/etc/krb5.conf

    [libdefaults]
        default_realm = TEST.LOCAL
        default_keytab_name = /etc/staging.keytab
        rdns = false
        ignore_acceptor_hostname = true
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
        permitted_enctypes = des-cbc-md5 des-cbc-crc arcfour-hmac-md5 rc4-hmac
        allow_weak_crypto = true
        kdc_timesync = 1
        clockskew = 100
        ccache_type = 4
        forwardable = true
        proxiable = true
        ticket_lifetime = 25h
        renew_lifetime = 7d
        kdc_req_checksum_type = 4
[realms]
        TEST.LOCAL = {
                kdc = something.test.local
                admin_server = something.test.local
                default_domain = TEST.LOCAL
        }
[domain_realm]
        live.test.smth = TEST.LOCAL
        .live.test.smth = TEST.LOCAL
        staging.smth.else = TEST.LOCAL
        .staging.smth.else = TEST.LOCAL

/etc/hosts 中没有 127.0.0.1

ActiveDirIP    test.local
myIP    staging.smth.else

我有一个由 Active Directory 管理员生成的 keytab 文件

ktpass /princ HTTP/[email protected] /mapuser [email protected] /pass *** /out staging.keytab /crypto DES-CBC-CRC /kvno 0 /ptype KRB5_NT_PRINCIPAL

当我调用 kinit 时,它起作用了:

~$ kinit -S http/[email protected] [email protected]
~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: [email protected]

Valid starting       Expires              Service principal
2016-02-12 13:31:44  2016-02-12 23:31:44  http/[email protected]
    renew until 2016-02-13 13:31:41

~$ kinit http/[email protected]
~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: http/[email protected]

Valid starting       Expires              Service principal
2016-02-12 13:30:58  2016-02-12 23:30:58  krbtgt/[email protected]
    renew until 2016-02-13 13:30:49

~$ kinit [email protected]
~$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: [email protected]

Valid starting       Expires              Service principal
2016-02-12 13:32:13  2016-02-12 23:32:13  krbtgt/[email protected]
    renew until 2016-02-13 13:32:09

kvno 是 3,但是管理员告诉我 Windows 中的 kvno 无关紧要。

kvno [email protected]
[email protected] kvno = 3

在 NaviServer Config 中定义:

ns_section ns/server/${server}/module/knspnego
ns_param Krb5KeyTabFile "/etc/staging.keytab"
ns_param Krb5ServiceName "[email protected]"
ns_param AuthType "SPNEGO"

主机名

hostname -f
staging.smth.else

您知道问题出在哪里吗?

答案1

我找到了解决方案。keytab 文件中的 /crypto 不适合我们的设置。它与 /crypto ALL 配合使用

答案2

我遇到了类似的问题。rc4-hmac用这些替换了加密类型:

arcfour-hmac
aes128-cts
aes256-cts
des-cbc-crc
des-cbc-md5

然后重新启动我的服务,解决了这个问题

相关内容