我已经安装了一个kerberos服务器。
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
SNSPRJ.COM = {
kdc = kerberos.snsprj.com
admin_server = kerberos.snsprj.com
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
.snsprj.com = SNSPRJ.COM
snsprj.com = SNSPRJ.COM
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
SNSPRJ.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
~
在kerberos客户端,我使用kinit xiaoxiao/admin@SNSPRJ.COM,它看得很清楚
[root@bogon ~]# kinit xiaoxiao/admin@SNSPRJ.COM
Password for xiaoxiao/admin@SNSPRJ.COM:
[root@bogon ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: xiaoxiao/admin@SNSPRJ.COM
Valid starting Expires Service principal
08/24/2017 13:51:18 08/25/2017 13:51:17 krbtgt/SNSPRJ.COM@SNSPRJ.COM
[root@bogon ~]#
但是当我使用JAAS来验证kerberos服务器时会出现一些错误消息: java.net.SocketTimeoutException:接收超时
我有tey telnet 192.168.1.196 88没关系。
bogon:jaas0822 skh$ telnet 192.168.1.196 88
Trying 192.168.1.196...
Connected to bogon.
Escape character is '^]'.
JAAS身份验证:http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/AcnOnly.html
我的代码:
import javax.security.auth.login.*;
import com.sun.security.auth.callback.TextCallbackHandler;
/**
* This JaasAcn application attempts to authenticate a user
* and reports whether or not the authentication was successful.
*
* Created by skh on 2017/8/22.
*/
public class JaasAcn {
public static void main(String[] args) {
String path = "/workspace/idea/ssm/src/test/java/com/snsprj/jaas0822/";
System.setProperty("java.security.auth.login.config", path + "jaas.conf");
// System.setProperty("java.security.krb5.conf", path + "krb5.conf");
System.setProperty("java.security.krb5.realm", "SNSPRJ.COM");
System.setProperty("java.security.krb5.kdc", "kerberos.snsprj.com");
System.setProperty("java.security.krb5.debug", "true");
// Obtain a LoginContext, needed for authentication. Tell it
// to use the LoginModule implementation specified by the
// entry named "JaasSample" in the JAAS login configuration
// file and to also use the specified CallbackHandler.
LoginContext lc = null;
try {
lc = new LoginContext("JaasSample", new TextCallbackHandler());
// attempt authentication
try {
lc.login();
} catch (LoginException le) {
le.printStackTrace();
System.err.println("Authentication failed:");
System.err.println(" " + le.getMessage());
System.exit(-1);
}
} catch (LoginException le) {
System.err.println("Cannot create LoginContext. " + le.getMessage());
} catch (SecurityException se) {
System.err.println("Cannot create LoginContext. " + se.getMessage());
System.exit(-1);
}
System.out.println("Authentication succeeded!");
}
}有什么担心吗?任何人都可以帮助我,非常想你!
答案 0 :(得分:2)
解决方案:使用TCP
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = SNSPRJ.COM
default_ccache_name = KEYRING:persistent:%{uid}
# insert by xiaohb 20170824 start
udp_preference_limit = 1
# insert by xiaohb 20170824 end