Kerberos authentication works for a specific node but not for the domain URL: tomcat

Time: 2020-05-28 10:23:23

Tags: tomcat kerberos

I have this problem: my Kerberos authentication is working, but when I switch from a specific node to the domain URL, it stops authenticating.

What works:

krb5.ini:

[libdefaults]
default_realm=INTL.FUMIGO-INTL.COM
default_keytab_name=FILE:/fumigo02/tomcat/fumigo02.keytab
default_tkt_enctypes=rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes=rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
no_addresses=true
dns_lookup_realm=true
dns_lookup_kdc=true

[realms]
INTL.FUMIGO-INTL.COM={
kdc=funigo302win.intl.fumigo-intl.com
default_domain=INTL.FUMIG-INTL.COM
}

[domain_realm]
intl.fumigo-intl.com=INTL.FUMIGO-INTL.COM
.intl.fumigo-intl.com=INTL.FUMIGO-INTL.COM

context.xml

<Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://funigo302win.intl.fumigo-intl.com"
        userSubtree="true"
        userBase="DC=intl,DC=fumigo-intl,DC=com"
        userSearch="(sAMAccountName={0})"
        userRoleName="memberOf"
        roleBase="OU=FIL_Groups,DC=intl,DC=fumigo-intl,DC=com"
        roleName="cn"
        roleSearch="(member={0})"
        roleSubtree="true"
        roleNested="true"/>

However, when I change it to the load balancer or domain URL, it starts failing with an error:

krb5.ini

[libdefaults]
default_realm=INTL.FUMIGO-INTL.COM
default_keytab_name=FILE:/fumigo02/tomcat/fumigo02.keytab
default_tkt_enctypes=rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes=rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
no_addresses=true
dns_lookup_realm=true
dns_lookup_kdc=true

[realms]
INTL.FUMIGO-INTL.COM={
kdc=kerberoskdc.intl.fumigo-intl.com:88
default_domain=INTL.FUMIG-INTL.COM
}

[domain_realm]
intl.fumigo-intl.com=INTL.FUMIGO-INTL.COM
.intl.fumigo-intl.com=INTL.FUMIGO-INTL.COM

context.xml

<Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://kerberoskdc.intl.fumigo-intl.com:289"
        userSubtree="true"
        userBase="DC=intl,DC=fumigo-intl,DC=com"
        userSearch="(sAMAccountName={0})"
        userRoleName="memberOf"
        roleBase="OU=FIL_Groups,DC=intl,DC=fumigo-intl,DC=com"
        roleName="cn"
        roleSearch="(member={0})"
        roleSubtree="true"
        roleNested="true"/>

The error we get: the error message is "Server not found in Kerberos database", and the name is ldap/kerberoskdc.intl.fumigo-intl.com@INTL.FUMIGO-INTL.COM
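Added diagnostic (not part of the question, and not Tomcat's or MIT Kerberos's own code): a GSSAPI LDAP client builds the service principal it asks the KDC for from the host name in the connection URL, ldap/&lt;host&gt;@&lt;REALM&gt;, with the realm taken from [domain_realm]. If no account in the directory has that SPN registered, the KDC answers "Server not found in Kerberos database", which is exactly what happens when an LDAP URL is switched from a real node to a load-balancer alias that nobody registered an SPN for. The script below parses the krb5.ini from the question with a minimal hand-written parser (an assumption: it only handles key=value lines and one level of { } nesting), derives the SPN for a given connectionURL, and compares it with a constructed list of registered SPNs in the shape `setspn -L` prints; it also flags a default_domain value that matches no [domain_realm] entry.

```python
"""Derive the SPN a GSSAPI LDAP client will request and check it is registered.
Added diagnostic example; the SPN list below is constructed, not real output."""
import re
from typing import Dict, List
from urllib.parse import urlparse

# krb5.ini from the question (host and realm names as posted).
KRB5_INI = """
[libdefaults]
default_realm=INTL.FUMIGO-INTL.COM
dns_lookup_realm=true
dns_lookup_kdc=true

[realms]
INTL.FUMIGO-INTL.COM={
kdc=kerberoskdc.intl.fumigo-intl.com:88
default_domain=INTL.FUMIG-INTL.COM
}

[domain_realm]
intl.fumigo-intl.com=INTL.FUMIGO-INTL.COM
.intl.fumigo-intl.com=INTL.FUMIGO-INTL.COM
"""

# Constructed sample of what `setspn -L <DC account>` would list: the SPNs exist
# only for the real node, none for the load-balancer alias.
REGISTERED_SPNS = [
    "ldap/funigo302win.intl.fumigo-intl.com",
    "ldap/FUNIGO302WIN",
]


def parse_krb5(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.ini parser: [section] blocks of key=value; a nested
    'NAME={ ... }' block (as used in [realms]) is flattened to 'NAME.key'."""
    sections: Dict[str, Dict[str, str]] = {}
    current, prefix = None, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current, prefix = m.group(1), ""
            sections.setdefault(current, {})
        elif line.endswith("{"):
            prefix = line[:-1].strip().rstrip("=").strip() + "."
        elif line == "}":
            prefix = ""
        elif "=" in line and current:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][prefix + key] = value
    return sections


def realm_for_host(host: str, cfg: Dict[str, Dict[str, str]]) -> str:
    """Apply [domain_realm]: exact host first, then the longest parent domain
    (leading-dot entries), otherwise default_realm."""
    mapping = {k.lower(): v for k, v in cfg.get("domain_realm", {}).items()}
    h = host.lower()
    if h in mapping:
        return mapping[h]
    labels = h.split(".")
    for i in range(1, len(labels)):          # shortest suffix first = longest match
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return cfg["libdefaults"]["default_realm"]


def expected_spn(connection_url: str, cfg: Dict[str, Dict[str, str]]) -> str:
    """SPN requested for an LDAP URL: ldap/<host>@<REALM>. The host is used as
    written in the URL (assumption: no DNS canonicalisation by the client)."""
    host = urlparse(connection_url).hostname
    return f"ldap/{host}@{realm_for_host(host, cfg)}"


def diagnose(connection_url: str, krb5_text: str, registered: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious."""
    cfg = parse_krb5(krb5_text)
    findings: List[str] = []
    spn = expected_spn(connection_url, cfg)
    have = {s.lower() for s in registered}
    if spn.split("@", 1)[0].lower() not in have:
        findings.append(
            f"missing SPN {spn}: no principal for this host name, so the KDC "
            "answers 'Server not found in Kerberos database'; register "
            "ldap/<alias> on the account that serves LDAP behind the alias")
    realm = cfg["libdefaults"]["default_realm"]
    default_domain = cfg.get("realms", {}).get(f"{realm}.default_domain", "")
    known = {k.lstrip(".").lower() for k in cfg.get("domain_realm", {})}
    if default_domain and default_domain.lower() not in known:
        findings.append(
            f"default_domain {default_domain} matches no [domain_realm] entry (typo?)")
    return findings


if __name__ == "__main__":
    for url in ("ldap://funigo302win.intl.fumigo-intl.com",
                "ldap://kerberoskdc.intl.fumigo-intl.com:289"):
        print(url)
        for finding in diagnose(url, KRB5_INI, REGISTERED_SPNS) or ["ok"]:
            print("  -", finding)
```

The check that matters is the first one: whichever name the client puts in connectionURL must exist as an ldap/ SPN on an account whose key the responding server holds. In Active Directory an SPN can be registered on only one account, so an alias fronting several domain controllers cannot be given a single ldap/alias SPN that all of them can decrypt; the usual fix is to keep a real DC host name in the URL (or list several URLs) rather than the balancer name. The second check only surfaces that default_domain in the posted krb5.ini differs from the [domain_realm] entries by one letter; it is harmless for this error but worth tidying.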

0 answers:

No answers