我尝试使用java执行kerberos身份验证。
我启用了调试。
尝试使用tgt连接到LDAP时,我正在获取(服务器名称已更改):
getRealmFromDNS: trying srv1.myserver.com
getRealmFromDNS: trying srv2.myserver.com
getRealmFromDNS: trying srv1.myserver.com
getRealmFromDNS: trying srv2.myserver.com
Found ticket for user@SUB.MYSERVER.COM to go to krbtgt/SUB.MYSERVER.COM@SUB.MYSERVER.COM expiring on Sat Dec 01 02:11:14
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
getRealmFromDNS: trying srv1.myserver.com
getRealmFromDNS: trying srv2.myserver.com
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 16 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KdcAccessibility: reset
getKDCFromDNS using UDP
>>> KrbKdcReq send: kdc=server123.myserver.com. UDP:88, timeout=30000, number of retries =3, #bytes=1542
>>> KDCCommunication: kdc=server123.myserver.com. UDP:88, timeout=30000,Attempt=1, #bytes=1542
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=server123.myserver.com. UDP:88, timeout=30000,Attempt=2, #bytes=1542
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=server123.myserver.com. UDP:88, timeout=30000,Attempt=3, #bytes=1542
SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: error trying server123.myserver.com.
java.net.SocketTimeoutException: Receive timed out
at java.net.DualStackPlainDatagramSocketImpl.socketReceiveOrPeekData(Native Method)
at java.net.DualStackPlainDatagramSocketImpl.receive0(Unknown Source)
at java.net.AbstractPlainDatagramSocketImpl.receive(Unknown Source)
at java.net.DatagramSocket.receive(Unknown Source)
at sun.security.krb5.internal.UDPClient.receive(Unknown Source)
at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
at sun.security.krb5.KdcComm$KdcCommunication.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KdcComm.send(Unknown Source)
at sun.security.krb5.KrbTgsReq.send(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at myApp.JndiAction.performJndiOperation(MyTest.java:577)
at myApp.JndiAction.run(MyTest.java:551)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at myApp.MyTest.main(MyTest.java:489)
>>> KdcAccessibility: add server123.myserver.com.
我的回答是:
从哪里获得kdc服务器(server123.myserver.com)?
我可以更改吗?
感谢。
答案 0 :(得分:1)
如果您不在Windows平台上,请搜索krb5.conf文件。有一个[realms]部分,其中提供了域和相关的KDC。
[realms]
YOURDOMAIN.com = {
kdc = dc1.yourdomain.com
}
在Windows平台上,Michael-O指出了特定的DNS记录。
答案 1 :(得分:0)
这是来自DNS(Kerberos的SRV记录)。如果可能,请您的管理员告知该服务器有故障并更正DNS条目。这不是Java问题。