I have a krb5 database on Linux CentOS and I wrote a Java Kerberos client... but it does not get the TGT from the cache. Is "Cannot import null name" because it did not find the ticket cache? JAAS authentication with Krb5LoginModule fails with the following error:
```
Debug is true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is /tmp/krb5cc_0 isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is null
null credentials from Ticket Cache
Java config name: krb5.ini
Loaded from Java config
Looking for keys for: user1@KDC.COM
Key for the principal user1@KDC.COM not available in default key tab
[Krb5LoginModule] user entered username: user1
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 16.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=10.10.21.28 UDP:88, timeout=30000, number of retries =3, #bytes=122
>>> KDCCommunication: kdc=10.10.21.28 UDP:88, timeout=30000,Attempt =1, #bytes=122
>>> KrbKdcReq send: #bytes read=274
>>>Pre-Authentication Data:
PA-DATA type = 136
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 16, salt = KDC.COMuser1
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 16, salt = KDC.COMuser1, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133
>>> KdcAccessibility: remove 10.10.21.28
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
cTime is Mon Jun 02 23:28:55 CEST 1986 518131735000
sTime is Fri Sep 15 12:22:05 CEST 2017 1505470925000
suSec is 562972
error code is 25
error Message is Additional pre-authentication required
cname is user1@KDC.COM
sname is krbtgt/KDC.COM@KDC.COM
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 136
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 16, salt = KDC.COMuser1
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 16, salt = KDC.COMuser1, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 133
KRBError received: NEEDED_PREAUTH
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 16.
default etypes for default_tkt_enctypes: 16.
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=10.10.21.28 UDP:88, timeout=30000, number of retries =3, #bytes=210
>>> KDCCommunication: kdc=10.10.21.28 UDP:88, timeout=30000,Attempt =1, #bytes=210
>>> KrbKdcReq send: #bytes read=685
>>> KdcAccessibility: remove 10.10.21.28
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbAsRep cons in KrbAsReq.getReply user1
principal is user1@KDC.COM
Commit Succeeded
GSSException: Cannot import null name
at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:164)
at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:151)
at sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:128)
at kerby.ClientKerberosAuthentication.initiateSecurityContext(ClientKerberosAuthentication.java:92)
at kerby.ClientKerberosAuthentication.main(ClientKerberosAuthentication.java:47)
There was an error during the security context initiation
```
I set the krb5 conf with setProperty, in the root path:
```
[libdefaults]
default_realm = KDC.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 1000000
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
KDC.COM = {
  kdc = 10.10.21.28
  admin_server = 10.10.21.28
  default_domain = kdc.com
}

[domain_realm]
.kdc.com = KDC.COM
kdc.com = KDC.COM

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE=/var/log/kadm5.log
```
My jaas.conf file looks like this:
```
Client {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  debug=true
  useTicketCache=true
  ticketCache="/tmp/krb5cc_0";
};
```
I am also sharing my client class:
```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.PrivilegedAction;
import java.util.Properties;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class Client {
    static Oid krb5Oid;

    public static void main(String[] args) {
        // Oid mechanism = use Kerberos V5 as the security mechanism.
        try {
            krb5Oid = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            System.err.println("Client: Error obtaining Kerberos V5 OID: " + e);
            e.printStackTrace();
            System.exit(-1);
        }

        // 1. Set up Kerberos properties.
        Properties props = new Properties();
        try {
            props.load(new FileInputStream("client.properties"));
        } catch (IOException e) {
            System.err.println("Client: Error opening properties file '" + props + "': " + e);
            e.printStackTrace();
            System.exit(-1);
        }
        System.setProperty("sun.security.krb5.debug", "true");
        System.setProperty("java.security.auth.login.config", "./jaas.config");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
        System.setProperty("java.security.krb5.conf", "krb5.ini");
        String username = props.getProperty("client.principal.name");
        String password = props.getProperty("client.password");

        // 2. Authenticate against the KDC using JAAS and return the Subject.
        LoginContext loginCtx = null;
        // "Client" references the corresponding JAAS configuration section in the jaas.conf file.
        // Krb5CallbackHandler is a CallbackHandler that answers the name/password callbacks
        // with the values above (its source is not included in the post).
        try {
            loginCtx = new LoginContext("Client", new Krb5CallbackHandler(username, password));
            loginCtx.login();
        } catch (LoginException e) {
            System.err.println("Client: There was an error during the JAAS login: " + e);
            e.printStackTrace();
            System.exit(-1);
        }
        Subject subject = loginCtx.getSubject();

        // 3. Connect to service.
        String hostName = "http://127.0.0.1";
        int port = 22;
        Socket socket = null;
        try {
            socket = new Socket(hostName, port);
        } catch (UnknownHostException e) {
            e.printStackTrace();
            System.err.println("Client: There was an error connecting to the server: hostname " + hostName + " not found.");
            System.exit(-1);
        } catch (IOException e) {
            e.printStackTrace();
            System.err.println("Client: There was an error connecting to the server: " + e);
            System.exit(-1);
        }

        final DataInputStream inStream;
        final DataOutputStream outStream;
        try {
            inStream = new DataInputStream(socket.getInputStream());
            outStream = new DataOutputStream(socket.getOutputStream());

            // 4. Authenticate with service.
            // If this key is missing from client.properties, servicePrincipalName is null and
            // createName() below fails with "GSSException: Cannot import null name".
            String servicePrincipalName = props.getProperty("service.principal.name");
            GSSManager manager = GSSManager.getInstance();
            GSSName serverName = null;
            try {
                serverName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
            } catch (GSSException e) {
                e.printStackTrace();
                System.err.println("Client: There was an error in creating a name for the host-based service that we want to connect to.");
                System.exit(-1);
            }
            System.out.println("Client: Initiating security context with serverName " + serverName);

            try {
                final GSSContext context = manager.createContext(serverName,
                        krb5Oid,
                        null,
                        GSSContext.DEFAULT_LIFETIME);
                // The GSS context initiation has to be performed as a privileged action
                // so that the Kerberos credentials in the Subject are used.
                GSSContext serviceTicket = Subject.doAs(subject, new PrivilegedAction<GSSContext>() {
                    public GSSContext run() {
                        try {
                            context.requestMutualAuth(false);
                            context.requestCredDeleg(false);
                            while (!context.isEstablished()) {
                                context.initSecContext(inStream, outStream);
                            }
                            return context;
                        } catch (GSSException e) {
                            e.printStackTrace();
                            return null;
                        }
                    }
                });
                if (serviceTicket != null) {
                    System.out.println("Client obtained service ticket for service : " + servicePrincipalName);
                } else {
                    System.out.println("Client failed to obtain service ticket for service : " + servicePrincipalName);
                    System.exit(-1);
                }
            } catch (GSSException e) {
                e.printStackTrace();
                System.exit(-1);
            }
        } catch (IOException e) {
            e.printStackTrace();
            System.err.println("Client: There was an IO error");
            System.exit(-1);
        }
    }
}
```
I created kadm5.keytab for all hosts and populated it with the following syntax: `ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin` and `ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw`
Then I added the host principal and krb5.keytab with the following syntax: `ktadd -k /etc/krb5.keytab host/server.kdc.com`
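As an added example (not code from the question or its author), a small Java check that fails fast when `client.properties` lacks `service.principal.name`, which is the condition under which `GSSManager.createName()` is handed a null string and reports "Cannot import null name", and that chooses the GSSName type from the spelling of the service principal. The class name `ServiceNameCheck` and the helpers `require` and `toServiceName` are hypothetical names chosen here.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.util.Properties;

import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class ServiceNameCheck {
    // Hypothetical helper: reject a missing or blank key with a message that names the key,
    // instead of letting GSSManager.createName() see a null and throw "Cannot import null name".
    static String require(Properties props, String key) {
        String value = props.getProperty(key);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("client.properties is missing required key: " + key);
        }
        return value.trim();
    }

    // Pick the GSS name type from the spelling of the service principal:
    //   "host@server.kdc.com"         -> NT_HOSTBASED_SERVICE (service@host form)
    //   "host/server.kdc.com@KDC.COM" -> Kerberos principal name type (OID 1.2.840.113554.1.2.2.1)
    static GSSName toServiceName(GSSManager manager, String spn) throws GSSException {
        if (spn.contains("/")) {
            Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
            return manager.createName(spn, krb5PrincipalNameType);
        }
        return manager.createName(spn, GSSName.NT_HOSTBASED_SERVICE);
    }

    public static void main(String[] args) throws IOException, GSSException {
        Properties props = new Properties();
        try (FileInputStream in = new FileInputStream("client.properties")) {
            props.load(in);
        }
        // Both keys are read by the client shown in the question; validate them up front.
        String clientPrincipal = require(props, "client.principal.name");
        String spn = require(props, "service.principal.name");

        GSSName serverName = toServiceName(GSSManager.getInstance(), spn);
        System.out.println("client " + clientPrincipal + " -> service " + serverName
                + " (name type " + serverName.getStringNameType() + ")");
    }
}
```

Run it from the same directory as `client.properties`; a missing key now surfaces as an IllegalStateException naming that key, before any socket or GSS context is created.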