curl with --negotiate / Kerberos doesn't seem to work

Tags: curl, kerberos, spnego

I am trying to use curl with Kerberos (against TM1). The answer there seemed helpful, but it still does not work for me.

curl 7.29.0 with GSS-Negotiate not successful

I followed the steps described, but for me this does not seem to work:

$ curl -ik -vvv --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://mytm1server/api/v1/Configuration
* About to connect() to mytm1server port 80 (#0)
*   Trying 10.48.199.126...
* Connected to mytm1server (10.10.100.100) port 80 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*       subject: CN=TM1Server,OU=TM1,O=www.ibm.com,C=US
*       start date: Mar 31 18:50:22 2015 GMT
*       expire date: Mar 27 18:50:22 2035 GMT
*       common name: TM1Server
*       issuer: CN=TM1Server,OU=TM1,O=www.ibm.com,C=US
* Server auth using Basic with user ''
> GET /api/v1/Configuration HTTP/1.1
> Authorization: Basic Og==
> User-Agent: curl/7.29.0
> Host: mytm1server:80
> Accept: */*
> Cookie: TM1SessionId=iJiQkqUDOEmdvN6A6_tHfQ
>
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Content-Type: text/plain
Content-Type: text/plain
< Content-Length: 0
Content-Length: 0
< Connection: keep-alive
Connection: keep-alive
< OData-Version: 4.0
OData-Version: 4.0
* gss_init_sec_context() failed: : Success
< WWW-Authenticate: Negotiate, Basic realm="TM1"
WWW-Authenticate: Negotiate, Basic realm="TM1"

<
* Connection #0 to host mytm1server left intact
Also not successful:

$ curl -ik --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://mytm1server/api/v1/Configuration
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
OData-Version: 4.0
WWW-Authenticate: Negotiate, Basic realm="TM1"
curl 7.48.0 with GSS-API and SPNEGO not successful

On another machine with curl 7.48.0 I followed the instructions there, except that I tried it without a keytab file (we have no keytab file available):

Of course, one could now ask whether the user is allowed to log in at all. But with TM1's official client, integrated login works perfectly.

Does anyone see what the problem is, or know how to get more debugging information?

更新#1


I found one that seems to do exactly the same thing. However, I noticed that that server responds with
WWW-Authenticate: Negotiate
whereas TM1 responds with
WWW-Authenticate: Negotiate, Basic realm="TM1"
So I built a dummy application that simulates both cases, and guess what I found: in the Negotiate-only case curl correctly sends the second request. In the TM1 case, however, it does not.
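The two-server experiment described in Update #1, as an added example that is not part of the original question: a throwaway HTTP server (Python standard library only) that answers 401 with either challenge style, or with the three-line form seen later in the question, and accepts any request that comes back carrying a Negotiate token. That lets you see directly whether a given curl build makes the second request at all. The port 8080, the paths /single, /combined and /multi, and the accept-anything behaviour are this example's own choices; it validates no tokens and must only ever listen on localhost.

```python
"""Stand-in for the "Negotiate only" and "Negotiate, Basic" servers (added example).

Run it, then compare:
    curl -v --negotiate -u : http://127.0.0.1:8080/single
    curl -v --negotiate -u : http://127.0.0.1:8080/combined
    curl -v --negotiate -u : http://127.0.0.1:8080/multi
A curl that handles the challenge makes a second request with
"Authorization: Negotiate <token>" and gets 200; one that does not stops at 401.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Challenge lines per path, constructed from the responses quoted in the question.
CHALLENGES = {
    "/single": ["Negotiate"],
    "/combined": ['Negotiate, Basic realm="TM1"'],
    "/multi": ['Negotiate, Basic realm="TM1"', 'Negotiate, Basic realm="TM1"', "Negotiate"],
}


class ChallengeHandler(BaseHTTPRequestHandler):
    seen = []  # (path, Authorization header or None) for every request received

    def do_GET(self):
        auth = self.headers.get("Authorization")
        ChallengeHandler.seen.append((self.path, auth))
        challenges = CHALLENGES.get(self.path)
        if challenges is None:
            self.send_error(404)
            return
        if auth and auth.startswith("Negotiate "):
            # A real server validates the SPNEGO token here (assumption: we do not);
            # this only shows that the client got as far as sending one.
            body = b"got Negotiate token\n"
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        self.send_response(401)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", "0")
        self.send_header("OData-Version", "4.0")
        for challenge in challenges:          # one header line per list element
            self.send_header("WWW-Authenticate", challenge)
        self.end_headers()

    def log_message(self, fmt, *args):        # keep the console quiet
        pass


def start_server(port=0):
    """Serve on a background thread; returns (server, bound port). port=0 picks a free one."""
    server = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, path, authorization=None):
    """Plain GET for self-checking: returns (status, [WWW-Authenticate values])."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Authorization": authorization} if authorization else {}
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    values = [v for k, v in resp.getheaders() if k.lower() == "www-authenticate"]
    resp.read()
    conn.close()
    return resp.status, values


if __name__ == "__main__":
    srv, bound = start_server(8080)
    print(f"listening on http://127.0.0.1:{bound}/ (paths: /single /combined /multi); Ctrl-C to stop")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

After a curl run, ChallengeHandler.seen holds every request the server received, so "one request, no Authorization" versus "two requests, the second with a Negotiate token" is visible even without -v on the client side.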

It turns out that comma-separated HTTP header values in the server response are handled starting with curl 7.64.0.

So this does not work:

WWW-Authenticate: Negotiate, Basic realm="TM1"

while this does:

WWW-Authenticate: Negotiate
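The header form the answer points at, as an added example that is not part of the original answer: an RFC 7235 WWW-Authenticate parser (Python, standard library only) that splits comma-separated challenges while keeping commas inside quoted parameter values and token68 data intact, and that also accepts the three-line form in the last 401 in the question. This is the parsing a client must get right before it can even decide to try Negotiate: a client that does not split on the comma sees one scheme named "Negotiate, Basic realm=..." that matches nothing. The sample header values are constructed from the responses quoted on this page. One caveat while debugging: the very first request in the 7.29.0 log already carries Authorization: Basic Og== (the empty user and password from -u :), so never put a real password into -u on this command line while -k is disabling certificate verification.

```python
"""RFC 7235 WWW-Authenticate parsing (added example, standard library only).

A 401 may carry several challenges in one header line, separated by commas,
or spread over several WWW-Authenticate lines. auth-param values may contain
commas inside quotes, and a challenge may carry token68 data (e.g. a base64
SPNEGO blob) instead of parameters. Input is the list of header values exactly
as received, one element per header line.
"""
import re

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"            # RFC 7230 token
QUOTED = r'"(?:[^"\\]|\\.)*"'                         # RFC 7230 quoted-string
PARAM_RE = re.compile(rf"^({TOKEN})\s*=\s*({TOKEN}|{QUOTED})$")
TOKEN68_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")   # token68: '=' padding only at the end
SCHEME_RE = re.compile(rf"^({TOKEN})(?:\s+(.+))?$")   # auth-scheme [SP rest]


def _split_outside_quotes(value):
    """Split on commas that are not inside a quoted-string; drop empty items."""
    items, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            items.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def _unquote(value):
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])   # undo quoted-pair escapes
    return value


def parse_www_authenticate(header_values):
    """Return [{"scheme", "token68", "params"}, ...] in header order; ValueError on junk."""
    challenges = []
    for value in header_values:
        for item in _split_outside_quotes(value):
            m = PARAM_RE.match(item)
            if m and challenges and challenges[-1]["token68"] is None:
                # e.g. qop="auth,auth-int" after Digest realm=... belongs to that Digest challenge
                challenges[-1]["params"][m.group(1).lower()] = _unquote(m.group(2))
                continue
            m = SCHEME_RE.match(item)
            if not m:
                raise ValueError(f"cannot parse challenge item {item!r}")
            scheme, rest = m.group(1), m.group(2)
            challenge = {"scheme": scheme, "token68": None, "params": {}}
            if rest:
                p = PARAM_RE.match(rest)
                if p:
                    challenge["params"][p.group(1).lower()] = _unquote(p.group(2))
                elif TOKEN68_RE.match(rest):
                    challenge["token68"] = rest
                else:
                    raise ValueError(f"cannot parse {rest!r} after scheme {scheme}")
            challenges.append(challenge)
    return challenges


def offers(challenges, scheme):
    """True if any challenge uses this scheme; scheme names are case-insensitive."""
    return any(c["scheme"].lower() == scheme.lower() for c in challenges)


# Header values constructed from the 401 responses quoted in the question.
TM1_SINGLE_LINE = ['Negotiate, Basic realm="TM1"']
TM1_THREE_LINES = ['Negotiate, Basic realm="TM1"', 'Negotiate, Basic realm="TM1"', "Negotiate"]
NEGOTIATE_ONLY = ["Negotiate"]

if __name__ == "__main__":
    for label, values in [("TM1, one line", TM1_SINGLE_LINE),
                          ("TM1, three lines", TM1_THREE_LINES),
                          ("Negotiate only", NEGOTIATE_ONLY)]:
        parsed = parse_www_authenticate(values)
        print(label, "->", [(c["scheme"], c["params"]) for c in parsed],
              "| Negotiate offered:", offers(parsed, "negotiate"))
```

The parser is deliberately strict: a parameter following a challenge that already carries token68 data, or two space-separated parameters without a comma, raises instead of being guessed at, which is the safer failure mode for anything that decides where credentials get sent.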

I suggest you use --trace-ascii <filename> with curl to inspect each step of the challenge/response between curl and the server. If the problem is clearly not a client problem (or a DNS problem), then check the server logs, i.e. look for some clue as to whether the server explicitly rejects the Kerberos token. Kerberos is a bit paranoid.

The default terminal output does not give much detail. Could you run curl in verbose mode (-vvv) and share the output?

Thanks, I added the -vvv output. So far all I see in the server logs is the HTTP 401 response. I need to check whether I can enable more logging.
$ curl --version
curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1c zlib/1.2.11 brotli/1.0.6 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.5/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink

$ /usr/share/centrifydc/kerberos/bin/kinit myuser
Password for myuser@MYREALM:

$ /usr/share/centrifydc/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_100123
Default principal: myuser@MYREALM

Valid starting       Expires              Service principal
01/24/2020 15:19:34  01/25/2020 01:19:34  krbtgt/MYREALM@MYREALM
        renew until 01/25/2020 15:19:31

$ curl -ik --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://mytm1server/api/v1/Configuration
*   Trying 10.10.100.100...
* TCP_NODELAY set
* Connected to mytm1server (10.10.100.100) port 80 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; O=www.ibm.com; OU=TM1; CN=TM1Server
*  start date: Mar 31 18:50:22 2015 GMT
*  expire date: Mar 27 18:50:22 2035 GMT
*  issuer: C=US; O=www.ibm.com; OU=TM1; CN=TM1Server
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /api/v1/Configuration HTTP/1.1
> Host: mytm1server:80
> User-Agent: curl/7.61.1
> Accept: */*
> Cookie: TM1SessionId=m0uTI8ceIVM2TamOFMxPHg
>
< HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< Content-Type: text/plain
Content-Type: text/plain
< Content-Length: 0
Content-Length: 0
< Connection: keep-alive
Connection: keep-alive
< OData-Version: 4.0
OData-Version: 4.0
< WWW-Authenticate: Negotiate, Basic realm="TM1"
WWW-Authenticate: Negotiate, Basic realm="TM1"

<
* Connection #0 to host mytm1server left intact
$ export KRB5CCNAME=/tmp/krb5cc_100123
$ curl -ik -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://mytm1server/api/v1/Configuration
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Set-Cookie: TM1SessionId=mGR4OPSynQmCBIRd_B_L7g; Path=/api/; HttpOnly; Secure
WWW-Authenticate: Negotiate, Basic realm="TM1"
WWW-Authenticate: Negotiate, Basic realm="TM1"
WWW-Authenticate: Negotiate