spring-security-kerberos cannot read the keytab?
I'm trying to follow this tutorial for spring-security-kerberos. I have a keytab with one principal in it:
ktutil: rkt http-web.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM
This keytab was generated on the win 2k8 domain controller with this command:
ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM /pass *
which was copied over to the test web server used in spnego.xml:
<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
<property name="servicePrincipal" value="HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM" />
<property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
<property name="debug" value="true" />
</bean>
But the principal cannot be found:
Key for the principal HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM not available in
jndi:/localhost/spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT/WEB-INF/http-web.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
I have tried joining the web server (Centos 5.5, tomcat6) to the AD WAD.ENG.HYTRUST.COM and can login using AD credentials and then using a principal from /etc/krb5.keytab just to see if it can be read... same response. I also tried lots of variants on uppercasing and lowercasing the names.
ps checked it out from git this morning.
There're several mistakes that lead to "Unable to obtain password from user":
- incorrectly specified location of keytab file (just like @jasop
pointed out); it should be something like
classpath:http-web.keytab
or file:c:/http-web.keytab
- incorrectly specified principal name (i.e., principal name that doesn't match the actual one, for which keytab file was generated)
- white spaces in a keytab file path (not sure if this has ever been fixed); saw complaints in comments on the SPRING SECURITY KERBEROS/SPNEGO EXTENSION SpringSource blog entry, and received evidence on my dev environment (Windows 7 / Java 6); the absolute path must be considered at all times (even if keytab referenced by classpath with no spaces)
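
The causes listed in the answer above can be checked before deploying. The following is an added example, not part of the original answer or of spring-security-kerberos: it parses a keytab (file format version 0x0502, the one MIT ktutil reads) to list its principals the way "ktutil l" does, then tests a configured servicePrincipal and keyTabLocation against the answer's list. The function names, the all-zero key and the sample keytab bytes are constructed for illustration, and the prefix test assumes the classpath: and file: forms the answer suggests.

```python
import struct

def _counted(data, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno)] from a format-0x0502 keytab, like 'ktutil l'."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        kvno = data[p + 8]                 # after 4-byte name type + timestamp
        entries.append(("/".join(comps) + "@" + realm, kvno))
        pos += size
    return entries

def check_config(keytab, service_principal, location):
    """Test a bean's settings against the answer's list; return problems."""
    problems = []
    if not location.startswith(("classpath:", "file:")):
        problems.append("location has no classpath: or file: prefix")
    if " " in location:
        problems.append("location contains white space")
    names = [name for name, _ in parse_keytab(keytab)]
    if service_principal not in names:         # comparison is case-sensitive
        problems.append("principal not in keytab, found: " + ", ".join(names))
    return problems

def build_entry(principal, kvno, enctype=23, key=b"\x00" * 16):
    """Constructed sample entry with a dummy all-zero key (not a real key)."""
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", name.count("/") + 1) + cs(realm)
    body += b"".join(map(cs, name.split("/")))
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + build_entry("HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM", 3)  # constructed
```

Against a real file, pass open(path, "rb").read() as the first argument of check_config; the parser reads only principal names and key version numbers and never returns key material.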