我目前正在运行一台带有IPA和用户test_user的RHEL 6服务器,试图使用'Krb5LoginModule'登录模块进行身份验证我在这个问题的底部得到了例外。
但是 - 如果我添加系统属性-Dsun.security.krb5.debug=true
,则身份验证完成且没有错误 - 系统属性是故障方案和成功方案之间的唯一更改。
相同的用户名和密码在运行Java客户端的同一台机器上也可以在kinit中完美运行。
这是使用Oracle jdk1.6.0_32。
所以问题是当启用调试日志记录会改变登录过程的行为时,还有什么不同?目前,启用调试日志记录以了解故障不起作用,因为它本身导致它工作。
Exception in thread "main" javax.security.auth.login.LoginException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at com.darranl.as.sasl.gssapi.KerberosLoginUtil.login(KerberosLoginUtil.java:50)
at com.darranl.as.sasl.gssapi.KerberosLoginUtil.main(KerberosLoginUtil.java:131)
Caused by: KrbException: Integrity check on decrypted field failed (31) - PREAUTH_FAILED
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:72)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:373)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 13 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 17 more