curl停止谈判SPNEGO - 未知的mech-code 0 for mech unknown

时间:2015-10-18 07:58:52

标签: http curl kerberos spnego

我尝试使用curl连接到SPNEGO安全网站(在Mac OS X 10.10上发送卷曲)

$curl -vv --negotiate -u : http://xxx-MacBook-Pro.local:8080 
* Rebuilt URL to: http://xxx-MacBook-Pro.local:8080/
*   Trying 192.168.1.6...
* Connected to xxx-MacBook-Pro.local (192.168.1.6) port 8080 (#0)
> GET / HTTP/1.1
> Host: xxx-MacBook-Pro.local:8080
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
* gss_init_sec_context() failed: : unknown mech-code 0 for mech unknown
< WWW-Authenticate: Negotiate
< Content-Type: application/json; charset=UTF-8
< Content-Length: 303
< 
* Connection #0 to host xxx-MacBook-Pro.local left intact

问题似乎是“gss_init_sec_context()失败::未知的mech-code 0 for mech unknown”。 curl看起来好像是用SPNEGO / GSS正确编译的?

curl 7.43.0 (x86_64-apple-darwin14.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps     pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets 

编辑:HTTPie(this website)显示类似的行为。它在第一次服务器响应后停止。 服务器返回带有401响应的内容而不仅仅是标题是否重要?

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.1.6:8080
User-Agent: HTTPie/0.9.2



HTTP/1.1 401 Unauthorized
Content-Length: 209
Content-Type: application/json; charset=UTF-8
WWW-Authenticate: Negotiate

{
    "error": {
        "header": {
            "WWW-Authenticate": "Negotiate"
        }, 
        "reason": null, 
        "root_cause": [
            {
                "header": {
                    "WWW-Authenticate": "Negotiate"
                }, 
                "reason": null, 
                "type": "xxx"
            }
        ], 
        "type": "xxx"
    }, 
    "status": 401
}

如何让卷曲得到工作并使用正确的机械?

1 个答案:

答案 0 :(得分:2)

当我拥有有效的kerberos票证时,我能够重现这种行为。

> klist
Credentials cache: API:F8526791-7C98-45B7-87A0-8426165D376A
        Principal: me@DOMAIN.COM

  Issued    Expires    Principal

只要我通过 kinit 命令获得有效票证,验证就会按预期进行:

> kinit
> klist
Credentials cache: API:F90F79C6-6343-4462-BCD3-54F146FBDBCD
        Principal: me@DOMAIN.COM

  Issued                Expires               Principal
Sep  6 09:16:50 2016  Sep  6 19:16:50 2016  krbtgt/DOMAIN.COM@DOMAIN.COM