Client not found in Kerberos database

Time: 2013-12-31 07:56:18

Tags: kerberos cas jcifs spnego

I am using CAS with SPNEGO support. The KDC is 192.168.1.244 and my realm is EXAMPLE.COM. I tested my local Windows domain environment and I can obtain a ticket from Example.com. I tested it with the "kinit" command, but in the CAS SPNEGO environment there is an exception, "Client not found in Kerberos database". I have already created C:\windows\krb5.ini with the following content:

krb5.ini

[libdefaults]
   ticket_lifetime = 20000
   default_realm = EXAMPLE.COM
   dns_lookup_realm = true
   dns_lookup_kdc = false
   forwardable = yes
   default_tkt_enctypes = rc4-hmac
   default_tgs_enctypes = rc4-hmac


 [realms]
 # use "kdc =" if realm admins haven't put SRV records into DNS
    EXAMPLE.COM = {
            kdc = 192.168.1.244:88
            #admin_server = 192.168.1.244:749
            default_domain = EXAMPLE.COM         
    }

[domain_realm]
   .example.com = EXAMPLE.COM
   example = EXAMPLE.COM

[logging]
   kdc = CONSOLE

The exception report is as follows:

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                [Krb5LoginModule] user entered username: HTTP/jack@EXAMPLE.COM

default etypes for default_tkt_enctypes: 23.
Acquire TGT using AS Exchange
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.1.244 UDP:88, timeout=30000, number of retries =3, #bytes=142
>>> KDCCommunication: kdc=192.168.1.244 UDP:88, timeout=30000,Attempt =1, #bytes=142
>>> KrbKdcReq send: #bytes read=96
>>> KrbKdcReq send: #bytes read=96
>>> KdcAccessibility: remove 192.168.1.244
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Dec 31 15:32:08 CST 2013 1388475128000
         suSec is 348958
         error code is 6
         error Message is Client not found in Kerberos database
         realm is EXAMPLE.COM
         sname is krbtgt/EXAMPLE.COM
         msgType is 30
                [Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
        at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
        at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
        at jcifs.spnego.Authentication.process(Authentication.java:235)
        at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
        at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
       ...
Caused by: KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
        at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
        at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
        ... 176 more
Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 180 more

But why is the client not found in the Kerberos database? Shouldn't it be created in my local Kerberos? Thanks for any pointers.

1 answer:

Answer 0 (score: 0)

For me, this error occurred because my Krb5LoginModule configuration file was missing the following parameter in the accept section:

isInitiator=false

Without this parameter the server also tries to contact the KDC and obtain a ticket, but that should not happen: the server should have no need to contact the KDC.
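As an added illustration, not part of the answer or of CAS's own files, here is a JAAS login configuration for the CAS/JCIFS SPNEGO acceptor carrying the setting the answer describes. The entry name jcifs.spnego.accept, the keytab path and the service principal are assumptions/placeholders for a real deployment; the acceptor takes its key from a keytab so that, with isInitiator=false, it never performs the AS exchange that failed in the trace above.

```conf
// JAAS login configuration for the CAS SPNEGO acceptor (added example).
// The entry name "jcifs.spnego.accept" is assumed to be the one JCIFS looks
// up; the keytab path and principal are placeholders for your deployment.

// Acceptor side: validates the SPNEGO/Kerberos token the browser presents.
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        // keep the service key in the Subject so GSS can decrypt the ticket
        storeKey=true
        // take the key from a keytab instead of prompting for a password
        useKeyTab=true
        keyTab="C:/cas/http.keytab"
        // service principal registered on the KDC for this host (placeholder)
        principal="HTTP/cas.example.com@EXAMPLE.COM"
        // acceptor only: do not run an AS exchange for a TGT of our own.
        // The trace above shows "isInitiator true ... useKeyTab false", i.e.
        // the module tried to obtain a TGT for the service principal and the
        // KDC answered error 6 (Client not found in Kerberos database).
        isInitiator=false
        debug=true;
};
```

A quick sanity check before wiring this into CAS is to confirm the keytab's principal is known to the KDC (for example with kinit -k -t against that keytab); if that fails with the same error 6, the account is missing on the KDC rather than the JAAS settings being wrong.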