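I am using CAS with SPNEGO support; the KDC is 192.168.1.244 and the realm is EXAMPLE.COM. I have tested my local Windows domain environment and can obtain a ticket from Example.com. I test with the "kinit" command, but in the SPNEGO environment in CAS there is a "Client not found in Kerberos database" exception. I have already created C:\windows\krb5.ini, with content like the following: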
krb5.ini
[libdefaults]
ticket_lifetime = 20000
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = false
forwardable = yes
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
# use "kdc =" if realm admins haven't put SRV records into DNS
EXAMPLE.COM = {
kdc = 192.168.1.244:88
#admin_server = 192.168.1.244:749
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example = EXAMPLE.COM
[logging]
kdc = CONSOLE
And the exception report looks like this:
Debug is true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
[Krb5LoginModule] user entered username: HTTP/jack@EXAMPLE.COM
default etypes for default_tkt_enctypes: 23.
Acquire TGT using AS Exchange
>>> KdcAccessibility: reset
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=192.168.1.244 UDP:88, timeout=30000, number of retries =3, #bytes=142
>>> KDCCommunication: kdc=192.168.1.244 UDP:88, timeout=30000,Attempt =1, #bytes=142
>>> KrbKdcReq send: #bytes read=96
>>> KrbKdcReq send: #bytes read=96
>>> KdcAccessibility: remove 192.168.1.244
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Dec 31 15:32:08 CST 2013 1388475128000
suSec is 348958
error code is 6
error Message is Client not found in Kerberos database
realm is EXAMPLE.COM
sname is krbtgt/EXAMPLE.COM
msgType is 30
[Krb5LoginModule] authentication failed
Client not found in Kerberos database (6)
jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
at jcifs.spnego.Authentication.process(Authentication.java:235)
at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:70)
at org.jasig.cas.authentication.handler.support.AbstractPreAndPostProcessingAuthenticationHandler.authenticate_aroundBody2(AbstractPreAndPostProcessingAuthenticationHandler.java:85)
...
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 176 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 180 more
But why is the client not found in the Kerberos database? I did not create Kerberos locally. Thanks for any pointers.