GSSException:尝试使用kerberos票证进行身份验证时,找不到以下凭证:1.2.840.113554.1.2.2

时间:2019-02-09 18:09:02

标签: python jenkins kerberos

我正在尝试通过Python request_negotiate身份验证到配置为使用Kerberos SSO的Jenkins实例。身份验证失败,下面报告的堆栈跟踪显示在服务器端。

klist确认我有有效的票证。我可以使用启用了GSS-API Kerberos SPNEGO功能的内部版本成功使用cURL 7.59.0进行身份验证:

curl --negotiate --user : -k --verbose https://myjenkins.example.com/

我也尝试过requests_gssapi.HTTPSPNEGOAuth(),但失败的原因与requests_negotiate相同。

关于调试此问题的任何建议,我们将不胜感激。对我来说这是陌生的领域。

我的Python代码:

import requests
import requests_negotiate

auth = requests_negotiate.HTTPNegotiateAuth()
response = requests.get('https://myjenkins.example.com', auth=auth, verify=False)
print (response.content)

出现在服务器上的堆栈跟踪:

GSSException: No credential found for: 1.2.840.113554.1.2.2 usage: Accept
    at sun.security.jgss.GSSCredentialImpl.getElement(GSSCredentialImpl.java:600)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:317)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.codelibs.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:443)
    at org.codelibs.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:281)
    at com.sonymobile.jenkins.plugins.kerberossso.ioc.SpnegoKerberosAuthenticationFactory$SpnegoKerberosAuthenticator.authenticate(SpnegoKerberosAuthenticationFactory.java:89)
Caused: java.io.IOException
    at com.sonymobile.jenkins.plugins.kerberossso.ioc.SpnegoKerberosAuthenticationFactory$SpnegoKerberosAuthenticator.authenticate(SpnegoKerberosAuthenticationFactory.java:91)
    at com.sonymobile.jenkins.plugins.kerberossso.KerberosSSOFilter.doFilter(KerberosSSOFilter.java:182)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:232)
    at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:209)
    at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
    at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:113)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
    at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:132)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:49)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:553)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)

詹金斯:2.60.3 要求:2.20.0 请求协商:1.5

1 个答案:

答案 0 :(得分:0)

使用npm kerberos软件包时,我遇到了相同的错误,我通过明确要求SPNEGO协议解决了该错误,因为错误消息指出Kerberos票证中缺少该协议的凭据。您说它适用于curl和SPNEGO,但不适用于request_negotiate.HTTPNegotiateAuth()或request_gssapi.HTTPSPNEGOAuth()。我从文档或源代码中看不到requests_negotiate使用哪种机制,因此我现在将坚持使用requests_gssapi,这也大量使用了日志记录。您从那条日志中得到哪些日志消息?

我觉得这更多是评论,但我没有评论的声誉。