Kerberos user principal in a Java keytab and KDC with JAAS

Tags: java, kerberos, jaas

I am building a simple JAAS login module. It uses the following code:

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import com.sun.security.auth.callback.TextCallbackHandler;

public class Jaas {
    private static String name;
    private static final boolean verbose = false;

    public static void main(String[] args) throws Exception {
        // The argument selects the entry in the JAAS login configuration
        if (args.length > 0) {
            name = args[0];
        } else {
            name = "client";
        }

        // Create action to perform
        PrivilegedExceptionAction<Object> action = new MyAction();

        loginAndAction(name, action);
    }

    static void loginAndAction(String name, PrivilegedExceptionAction<Object> action)
        throws LoginException, PrivilegedActionException {

        // Create a callback handler that prompts for the password on the console
        CallbackHandler callbackHandler = new TextCallbackHandler();

        LoginContext context = null;

        try {
            // Create a LoginContext with a callback handler
            context = new LoginContext(name, callbackHandler);

            // Perform authentication
            context.login();
        } catch (LoginException e) {
            System.err.println("Login failed");
            e.printStackTrace();
            System.exit(-1);
        }

        // Perform action as authenticated user
        Subject subject = context.getSubject();
        if (verbose) {
            System.out.println(subject.toString());
        } else {
            System.out.println("Authenticated principal: " +
                subject.getPrincipals());
        }

        Subject.doAs(subject, action);

        context.logout();
    }

    // Action to perform
    static class MyAction implements PrivilegedExceptionAction<Object> {
        MyAction() {
        }

        public Object run() throws Exception {
            // Replace the following with an action to be performed
            // by authenticated user
            System.out.println("Performing secure action ...");
            return null;
        }
    }
}
This is run with:

java -Djava.security.auth.login.config=jaas-krb5.conf Jaas client
jaas-krb5.conf:

client {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="name@Host.COM";
};
server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    storeKey=true
    // option names are case-sensitive: "KeyTab" would be silently ignored
    keyTab=myKeyTab.keytab
    principal="host.name.com";
};
In myKeyTab we have the following principal:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4        name@Host.COM
So I have compiled and run it, but when logging in I always get an error:

Kerberos password for name@Host.COM: //I enter the password
Login failed
With the stack trace:

javax.security.auth.login.LoginException: Cannot get kdc for realm Host.COM
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at Jaas.loginAndAction(Jaas.java:77)
        at Jaas.main(Jaas.java:61)
Caused by: KrbException: Cannot get kdc for realm Host.COM
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:195)
        at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:174)
        at sun.security.krb5.KrbAsReq.send(KrbAsReq.java:431)
        at sun.security.krb5.Credentials.sendASRequest(Credentials.java:400)
        at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
My questions are:

I think I have a basic misunderstanding of what goes on between the KDC/keytab and the user entries. My understanding is that the principal is the thing being authenticated; if so, how do I enter a new principal and assign it a password?

My goal is simply to add a test principal to the keytab and use it to run this login script.

It looks like you have made a wrong assumption.

A principal is a username plus a Kerberos realm (or Active Directory domain). This may or may not have the same value as the DNS domain, but fundamentally they are completely different things. In your particular case, your Kerberos realm seems to be intranet.barcapint.com. However, your keytab contains name@host.com. Because of this, the JAAS Kerberos client ignores what is in the keytab and falls back to default realm resolution. And your realm-to-domain mapping seems to be broken, so it cannot find a KDC and fails with the error above. That is why you get the inner exception.

To fix all of the above, you first need to fix the domain-to-realm mapping. How to do that depends on the operating system. On Unix systems you should check /etc/krb5.conf; on Windows it is c:\Windows\krb5.ini, but it may be somewhere else. See the documentation for more information.

The other thing is that you only need a keytab for an unattended server. It is just a convenient way of storing the Kerberos key. I would suggest first getting the server and the client working with the TextCallbackHandler as above. Once you have that, you can move on to using a keytab for the server.
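A minimal krb5.conf that supplies the realm-to-KDC and domain-to-realm mapping the answer says is missing, added here as an example and not part of the original answer. It reuses the question's realm Host.COM so that the keytab entry name@Host.COM resolves; the KDC host name kdc.host.com and the ports are assumptions.

```ini
# krb5.conf (constructed example, not from the original answer)
# Realm, KDC host name and ports are assumptions; use your site's values.
[libdefaults]
    # Realm used when a principal is given without one, e.g. "name"
    default_realm = Host.COM

[realms]
    # Realm names are case-sensitive and must match the keytab entry
    # "name@Host.COM" exactly, otherwise "Cannot get kdc for realm" results.
    Host.COM = {
        kdc = kdc.host.com:88
        admin_server = kdc.host.com:749
    }

[domain_realm]
    # Map DNS host names to the realm; the leading dot matches subdomains.
    .host.com = Host.COM
    host.com = Host.COM
```

Point the JVM at the file with -Djava.security.krb5.conf=/path/to/krb5.conf, and add -Dsun.security.krb5.debug=true to see which realm and KDC the Krb5LoginModule actually resolves before it sends the AS request.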