我正在尝试运行用于验证来自客户端的授权令牌的代码。 我在一个函数中编写了这段代码:
host = 'site_address'
state = None
service_name = f'HTTP@{host}'
try:
rc, state = kerberos.authGSSServerInit(service_name)
if rc != kerberos.AUTH_GSS_COMPLETE:
return None
rc = kerberos.authGSSServerStep(state, token) <<<<< !!! ERROR !!!
if rc == kerberos.AUTH_GSS_COMPLETE:
self.kerberos_token = kerberos.authGSSServerResponse(state)
self.kerberos_user = kerberos.authGSSServerUserName(state)
return rc
elif rc == kerberos.AUTH_GSS_CONTINUE:
return kerberos.AUTH_GSS_CONTINUE
else:
return None
except kerberos.GSSError as error:
LOGGER.error('Failed to perform the token verification due to %s', error)
return None
finally:
if state:
kerberos.authGSSServerClean(state)
但是代码在rc = kerberos.authGSSServerStep(state, token)处失败(在代码中标记了该行),并显示以下错误:
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Request ticket server HTTP/<site_address>@<realm_name> kvno 4 found in keytab but not with enctype rc4-hmac', 100005))
还向屏幕抛出此错误:
[3302] 1547638447.877515: Failed to decrypt AP-REQ ticket: -1765328340/Request ticket server HTTP/base.testing.gc@TESTING.GC kvno 4 found in keytab but not with enctype rc4-hmac
我的问题是:为什么我会收到此消息?我在Active Directory中配置的用户已标记为启用This account supports Kerberos AES 256 bit encryption,并使用keytab编码类型创建了/crypto AES256-SHA1文件。
为什么我的服务器(ubuntu计算机上的docker-Ubuntu 18.04)尝试使用rc4-hmac加密对它进行解密?我该如何解决?
编辑,也许我的问题应该是:谁告诉我应该在哪个enctype中阅读keytab?
答案 0 :(得分:0)
对我来说,它是浏览器的trust configuration,应该将网站添加到浏览器的受信任的网站中(Internet选项->安全->本地Internet->网站->添加确切的端口, http / https 和**地址*)。
出于某种奇怪的原因,enctype的指令位于令牌的标头中……或者这种加密存在某种后备。