Active Directory JAAS Kerberos not adding keys from keytab as I expected


So I am trying to implement an SSO / integrated security system for an AIX server (hence the IBM JRE). It uses Kerberos to authenticate against AD.

Keep in mind that the data below has been sanitized.

The command my AD admin used to create the keytab file on the AD server (note the /kvno 2)

Here is the krb5Login.conf for my LoginModule:

krbServer {
    com.ibm.security.auth.module.Krb5LoginModule required 
    credsType=acceptor 
    refreshKrb5Config=true 
    principal="HTTP/local.domain.com" 
    useKeytab="/keytabs/krb5.keytab" 
    debug=true;
};
Here is the Java I'm running (cannot reveal all of it because of IP)

I find that the acceptSecContext call on my token returns a value. I had always thought that acceptSecContext only returned a value that needed to be passed back to the initiator. However, the initiator is not expecting a response. Furthermore (and more importantly), the .isEstablished() method returns false.

So my questions are:

1) Is there a problem with the above setup?
2) Why does this happen when calling the login() method on the context object:

    [JGSS_DBG_CRED]  Thread-2 Attempting to add KeyTab to Subject for HTTP/local.domain.com@LOCALDOMAIN.NET
    [JGSS_DBG_CRED]  Thread-2 find keys for HTTP/local.domain.com@LOCALDOMAIN.NET
    [KRB_DBG_KTAB] KeyTab:Thread-2:   Added key: 23  version: 2
    [KRB_DBG_KTAB] KeyTab:Thread-2:   Ordering keys wrt default_tkt_enctypes list
    [JGSS_DBG_CRED]  Thread-2 No keys to add to Subject for HTTP/local.domain.com@LOCALDOMAIN.NET
If it found key 23 version 2, why does it say "No keys to add to Subject for principal@domain"? Why doesn't it add the key it found? Is there a problem with kvno=2?

3) I have searched quite thoroughly and cannot determine how to parse the output of acceptSecContext to figure out the return value. The return value I'm receiving (base-64 encoded) is:

    oQcwBaADCgEC

EDIT: Update. The return value of acceptSecContext in hex is: 0xA1 0x07 0x30 0x05 0xA0 0x03 0x0A 0x01 0x02

From the site below () it can be seen that the first hex value (A1) corresponds to a NegTokenTarg. That makes sense.

The next octet should be the length (if the length needs more octets, the high bit is 1). Since the high bit is 0, the length is 7 octets. Check out

The next octet (0x30) denotes a constructed SEQUENCE, and the octet after it gives the sequence length (0x05): 5 octets. Check out

Then we have 0xA0, 0x03, 0x0A, 0x01, which denotes sequence element 0 (negResult).

The last octet (0x02) is the enumerated value, which is "reject".


So my token is being rejected. How do I find out "why"? I think I need to get the AD team to understand what actually happened.
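A decoder for the NegTokenTarg bytes walked through above, added here as an example (it is not code from the question or the answer). Python is used rather than the IBM JGSS API because the point is the DER layout; the reject token is the one from the question (built from the hex bytes in the edit), and the second, accept-incomplete token is constructed for illustration.

```python
import base64

# negState values from RFC 4178, section 4.2.2 (NegTokenResp, a.k.a. NegTokenTarg)
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; a length octet with the high bit set
    says how many length octets follow. Returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_neg_token_resp(token):
    """Parse a raw SPNEGO NegTokenResp (the bytes acceptSecContext returns)."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp: expected [1] context tag 0xA1")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected a constructed SEQUENCE (0x30)")
    result, pos = {}, 0
    while pos < len(seq):
        tag, content, pos = read_tlv(seq, pos)          # [n] EXPLICIT wrapper
        inner_tag, inner, _ = read_tlv(content, 0)      # the wrapped universal type
        if tag == 0xA0 and inner_tag == 0x0A:           # [0] negState ENUMERATED
            result["negState"] = NEG_STATE.get(inner[0], "unknown(%d)" % inner[0])
        elif tag == 0xA1 and inner_tag == 0x06:         # [1] supportedMech OID
            result["supportedMech"] = decode_oid(inner)
        elif tag == 0xA2 and inner_tag == 0x04:         # [2] responseToken OCTET STRING
            result["responseToken"] = inner
        elif tag == 0xA3 and inner_tag == 0x04:         # [3] mechListMIC OCTET STRING
            result["mechListMIC"] = inner
    return result

# The token from the question (A1 07 30 05 A0 03 0A 01 02): a bare negState of "reject".
REJECT_TOKEN = base64.b64decode("oQcwBaADCgEC")
# Constructed sample (not from the page): accept-incomplete with the acceptor
# choosing the Kerberos V5 mechanism 1.2.840.113554.1.2.2, as a real reply usually does.
ACCEPT_INCOMPLETE_TOKEN = bytes.fromhex("a1143012a0030a0101a10b06092a864886f71201020202")
```

A token whose only element is negState = reject carries no reason; the acceptor's own debug log (or the KDC's) is where the cause has to be read.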

Have you tried testing the keytab manually with kinit and the SPN? Also, in jaas.conf you would probably use useKeyTab=true and keyTab="keytab_filename". But that may be specific to your IBM JDK.

I found the problem, for anyone else who has a similar issue.

It turns out the OID was not working.

Making the following change to the Java code that retrieves the server credential fixed it:

    serverCred = Subject.doAs(sub, new PrivilegedExceptionAction<GSSCredential>() {
        public GSSCredential run() throws GSSException {
            // mechanism OID for SPNEGO authentication
            Oid spnegoOid = new Oid("1.3.6.1.5.5.2");

            // null name defaults to currently logged in name
            GSSCredential cred = authManager.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME,
                    spnegoOid,
                    GSSCredential.ACCEPT_ONLY);
            // also register the Kerberos V5 mechanism on the same credential
            cred.add(null,
                    GSSCredential.INDEFINITE_LIFETIME,
                    GSSCredential.INDEFINITE_LIFETIME,
                    new Oid("1.2.840.113554.1.2.2"),
                    GSSCredential.ACCEPT_ONLY);
            return cred;
        }
    });
I think this has to do with the fact that I don't have a back-and-forth negotiation (initiator and acceptor), so SPNEGO never really gets the chance to tell the initiator which mechanisms it prefers and which are available. But I was under the impression that the SPNEGO OID would accommodate many different mechanisms, so I'm not really clear on why this works, but it does.


Addendum: After further research, I found a vague reference to this problem being caused by "some deep functionality in the GSSCredential implementation in AIX". So there you have it.

I'm not familiar with that Microsoft
Constructor With Arg: krbServer Version: 1.7.0 Home: /dev/jre
LoginContext Constructed
[JGSS_DBG_CRED]  Thread-2 JAAS config: debug=true
[JGSS_DBG_CRED]  Thread-2 JAAS config: principal=HTTP/local.domain.com
[JGSS_DBG_CRED]  Thread-2 JAAS config: credsType=accept only
[JGSS_DBG_CRED]  Thread-2 config: useDefaultCcache=false (default)
[JGSS_DBG_CRED]  Thread-2 config: useCcache=null
[JGSS_DBG_CRED]  Thread-2 config: useDefaultKeytab=false
[JGSS_DBG_CRED]  Thread-2 config: useKeytab=/keytabs/krb5.keytab
[KRB_DBG_CFG] Config:Thread-2:   ConfigFile: /etc/krb5/krb5.conf
[JGSS_DBG_CRED]  Thread-2 JAAS config: forwardable=false (default)
[JGSS_DBG_CRED]  Thread-2 JAAS config: renewable=false (default)
[JGSS_DBG_CRED]  Thread-2 JAAS config: proxiable=false (default)
[JGSS_DBG_CRED]  Thread-2 JAAS config: tryFirstPass=false (default)
[JGSS_DBG_CRED]  Thread-2 JAAS config: useFirstPass=false (default)
[JGSS_DBG_CRED]  Thread-2 JAAS config: moduleBanner=false (default)
[JGSS_DBG_CRED]  Thread-2 JAAS config: interactive login? no
[JGSS_DBG_CRED]  Thread-2 JAAS config: refreshKrb5Config = true
[KRB_DBG_CFG] Config:Thread-2:   ConfigFile: /etc/krb5/krb5.conf
[KRB_DBG_KDC] KdcComm:Thread-2:   >>> KdcAccessibility: reset
[KRB_DBG_KDC] KdcComm:Thread-2:   >>> KdcAccessibility: reset
[JGSS_DBG_CRED]  Thread-2 Try keytab for principal=HTTP/local.domain.com
[KRB_DBG_KTAB] KeyTab:Thread-2Loading the keytab file ...   >>> KeyTab: load() entry length: 73
[KRB_DBG_KTAB] KeyTableInputStream:Thread-2:   >>> KeyTabInputStream, readName(): LOCALDOMAIN.NET
[KRB_DBG_KTAB] KeyTableInputStream:Thread-2:   >>> KeyTabInputStream, readName(): HTTP
[KRB_DBG_KTAB] KeyTableInputStream:Thread-2:   >>> KeyTabInputStream, readName(): local.domain.com
[KRB_DBG_KDC] EncryptionKey:Thread-2:   >>> EncryptionKey: config default key type is rc4-hmac
[KRB_DBG_KTAB] KeyTab:Thread-2:   Added key: 23  version: 2
[KRB_DBG_KTAB] KeyTab:Thread-2:   Ordering keys wrt default_tkt_enctypes list
[JGSS_DBG_CRED]  Thread-2 No Kerberos creds in keytab for principal HTTP/local.domain.com
[JGSS_DBG_CRED]  Thread-2 Login successful
[JGSS_DBG_CRED]  Thread-2 kprincipal : HTTP/local.domain.com@LOCALDOMAIN.NET
[JGSS_DBG_CRED]  Thread-2 HTTP/local.domain.com@LOCALDOMAIN.NET added to Subject
[JGSS_DBG_CRED]  Thread-2 Attempting to add KeyTab to Subject for HTTP/local.domain.com@LOCALDOMAIN.NET
[JGSS_DBG_CRED]  Thread-2 find keys for HTTP/local.domain.com@LOCALDOMAIN.NET
[KRB_DBG_KTAB] KeyTab:Thread-2:   Added key: 23  version: 2
[KRB_DBG_KTAB] KeyTab:Thread-2:   Ordering keys wrt default_tkt_enctypes list
[JGSS_DBG_CRED]  Thread-2 No keys to add to Subject for HTTP/local.domain.com@LOCALDOMAIN.NET
LoginContext login() method executed
LoginContext getSubject() method executed
Subject doAs() method executed, serverCred Name: default Lifetime: 2147483647
[JGSS_DBG_CRED]  Thread-2 KeyTab is removed from subject
[JGSS_DBG_CRED]  Thread-2 KerberosKey Kerberos Principal HTTP/local.domain.com@LOCALDOMAIN.NETKey Version 2key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: <MASKED>
    public String validate(String encToken) {
        byte[] token = Base64.decode(encToken);

        GSSContext authContext;
        try {
            authContext = authManager.createContext(serverCred);
            authContext.acceptSecContext(token, 0, token.length);
            if (authContext.isEstablished()) {
                return authContext.getSrcName().toString();
            }
        } catch (GSSException e) {
            // fall through to the return
        }

        return null;
    }
}