Asked by sho*_*000 (score 3). Tags: windows-server-2008, kerberos, single-sign-on, apache-2.2, gssapi
I am trying to create a keytab file. I see the warning
WARNING: pType and account type do not match. This might cause problems.
The command I am using is
ktpass -princ HTTP/bloodhound.domain.com@DOMAIN.COM -mapuser ldaplookup@domain.com -crypto rc4-hmac-nt -pass **** -ptype KRB5_NT_SRV_HST -out "C:\Documents and Settings\Administrator\bloodhound.kytab"
I want to use it for SSO on Apache. I am creating it on Windows Server 2003 R2 SP2.
Output
Targeting domain controller: fezziwig.uk.domain.com
Using legacy password setting method
Successfully mapped HTTP/bloodhound.domain.com to ldaplookup.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to C:\Documents and Settings\Administrator.UK-GGS-DOMAIN\bloodhound.keytab:
Keytab version: 0x502
keysize 82 HTTP/bloodhound.domain.com@DOMAIN.COM ptype 3 (KRB5_NT_SRV_HST) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0xde184005d851613980cffb9580bdd193)
I followed many of the same steps as http://www.zimbra.com/docs/os/7.2.3/administration_guide/wwhelp/wwhimpl/common/html/wwhelp.htm#href=7.2.3_Open_Source_admin.Create_the_Kerberos_Keytab_File.html&single=true
but none of them work. When I test with kvno I get the following
[root@portal-test conf]# klist -ke bloodhound1.keytab
Keytab name: FILE:bloodhound1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
27 HTTP/bloodhound.domain.com@DOMAIN.COM (ArcFour with HMAC/md5)
[root@portal-test conf]# kvno HTTP/bloodhound.domain.com@DOMAIN.COM
kvno: Server not found in Kerberos database while getting credentials for HTTP/bloodhound.domain.com@DOMAIN.COM
Update
I want to access the web server using the URL http://cobra.woking/
I entered the following command on Windows Server 2008 R2 Standard
ktpass -princ HTTP/cobra.woking@spectrumasa.com -mapuser ldaplookup@spectrumasa.com -crypto rc4-hmac-nt -pass password -ptype KRB5_NT_SRV_HST -out "C:\Temp\cobra.kytab" -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: echo.spectrumasa.com
Successfully mapped HTTP/cobra.woking to ldaplookup.
Password succesfully set!
Key created.
Output keytab to C:\Temp\cobra.kytab:
Keytab version: 0x502
keysize 68 HTTP/cobra.woking@spectrumasa.com ptype 1 (KRB5_NT_PRINCIPAL) vno 33 etype 0x17 (RC4-HMAC) keylength 16 (0xde184005d851613980cffb9580bdd193)
Copied the file to the web server. Updated the web server configuration to:
<Directory /opt/html/trac>
AuthType Kerberos
AuthName KerberosLogin
KrbServiceName HTTP/cobra.woking
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms SPECTRUMASA.COM
Krb5KeyTab /tmp/cobra.kytab
AuthLDAPURL ldap://ldapauth.spectrumasa.com/ou=TechSupport,ou=Woking,ou=Sites,dc=spectrumasa,dc=com?userPrincipalName
AuthLDAPBindDN cn=ldaplookup,cn=Users,dc=spectrumasa,dc=com
AuthLDAPBindPassword password
#require valid-user
Require ldap-group cn=support,cn=Users,dc=spectrumasa,dc=com
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/intranet/info/unauthorized\"></html>"
</Directory>
Testing the keytab
klist -ke cobra.kytab
Keytab name: FILE:cobra.kytab
KVNO Principal
---- --------------------------------------------------------------------------
33 HTTP/cobra.woking@spectrumasa.com (arcfour-hmac)
kvno HTTP/cobra.woking@spectrumasa.com
kvno: Ticket expired while getting credentials for HTTP/cobra.woking@spectrumasa.com
When I access the URL, in IE I get the following, while in Firefox I get a password prompt and then it works.
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ), referer: http://cobra.woking/trac/
How do I fix this?
I already have an intranet keytab file that works on this server
[root@cobra conf]# klist -ke intranet.keytab
Keytab name: FILE:intranet.keytab
KVNO Principal
---- --------------------------------------------------------------------------
8 HTTP/intranet.spectrumasa.com@SPECTRUMASA.COM (arcfour-hmac)
[root@cobra conf]# kvno HTTP/intranet.spectrumasa.com@SPECTRUMASA.COM
kvno: Ticket expired while getting credentials for HTTP/intranet.spectrumasa.com@SPECTRUMASA.COM
Second update
I recreated the keytab again with the following command
ktpass -princ HTTP/cobra@SPECTRUMASA.COM -mapuser ldaplookup@spectrumasa.com -crypto rc4-hmac-nt -pass password -out "C:\Temp\cobra1.keytab" -ptype KRB5_NT_PRINCIPAL
In my DNS I have
cobra A 172.16.0.216
In Apache I have
KrbServiceName HTTP/cobra
Krb5KeyTab /etc/httpd/conf/cobra1.keytab
When I try to access http://cobra/trac I am asked for a password 3 times. The first password prompt shows SPECTRUM/user and the log shows
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
The second password prompt shows COBRA/user and the log shows
gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)
At the third password prompt I have to enter username and password, and then it works.
I have added http://cobra and http://cobra.spectrumasa.com to the IE trusted sites.
Answer
The error in the output appears because you have not mapped the SPN to a principal. You should use the ptype switch -ptype KRB5_NT_PRINCIPAL to avoid the error.
KRB5_NT_PRINCIPAL is the general principal type (recommended) in the Microsoft documentation.
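The ktpass and klist output above spells out the keytab layout: version 0x502, ptype 1 or 3, vno, etype 0x17 and keylength 16, with a 68-byte entry for HTTP/cobra.woking@spectrumasa.com. As an added example that is not part of this thread, the Python below writes and reads that MIT keytab format and flags the two things the thread turns on: the ptype the answer corrects, and an SPN or realm that differs, even in case, from the one clients will request. It reuses the principal names from the question; the key bytes and kvno handed to build_keytab are constructed placeholders, not the poster's values.

```python
import struct
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}   # as ktpass and klist print them

def _entry(data, pos, end):
    """One keytab entry: component count, realm, components, name type, timestamp, vno8, key block."""
    (ncomp,) = struct.unpack_from(">H", data, pos)
    pos, parts = pos + 2, []
    for _ in range(ncomp + 1):   # counted octet strings (uint16 length + bytes): realm, then components
        (n,) = struct.unpack_from(">H", data, pos)
        parts.append(data[pos + 2:pos + 2 + n].decode())
        pos += 2 + n
    name_type, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
    key = data[pos + 13:pos + 13 + klen]
    pos += 13 + klen
    # An optional 32-bit kvno may follow the key; ktpass omits it, so the 8-bit vno is used
    kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
    return {"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": kvno, "etype": etype,
            "ptype": NAME_TYPES.get(name_type, str(name_type)), "key": key}

def parse_keytab(data):
    """Parse an MIT keytab (version 0x502) into the entries 'klist -ke' would list."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                 # a negative size marks a deleted slot
            entries.append(_entry(data, pos, end))
        pos = end
    return entries

def build_keytab(principal, name_type, kvno, etype, key):
    """Write a one-entry 0x502 keytab laid out as ktpass writes it (no 32-bit kvno field)."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", name_type, 0, kvno, etype, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def lint_keytab(entries, expected_principal):
    """The two checks behind the poster's symptoms: the ptype warning and a mismatched SPN."""
    findings = []
    for e in entries:
        if e["ptype"] != "KRB5_NT_PRINCIPAL":   # SPN mapped to a user account: what ktpass warned about
            findings.append("ptype %s does not match the account type" % e["ptype"])
        if e["principal"] != expected_principal:   # names and realms compare case-sensitively
            findings.append("%s in keytab, clients will ask for %s" % (e["principal"], expected_principal))
    return findings
```

Run lint_keytab over parse_keytab(open("cobra.kytab", "rb").read()) with the SPN and realm the browser will request to see both checks on a real file; an empty list means the keytab matches.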