【问题标题】:JAAS - GSS: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)JAAS - GSS:未提供有效凭据(机制级别:找不到任何 Kerberos tgt)
【发布时间】:2022-11-10 00:24:06
【问题描述】:

我正在尝试运行 JGSS 的 initSecContext... 并失败(在 Fedora 35 上)。

我成功运行了第一个 kinit :

[pascal@zbook appClientModule]$ klist
Ticket cache: KCM:1000
Default principal: client@TEST.COM
Valid starting       Expires              Service principal
10/15/2022 12:56:10  10/16/2022 12:56:10  krbtgt/TEST.COM@TEST.COM
    renew until 10/15/2022 12:56:10

然后,我运行了一个测试程序,该程序基本上针对 JAAS 进行身份验证,在 GSS 中创建一个上下文 + 凭据并尝试建立一个上下文:

public static void main(String[] args) throws IOException  {
        
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("java.security.krb5.realm","TEST.COM"); 
        System.setProperty("java.security.krb5.kdc","zbook.home");
        System.setProperty("java.security.auth.login","/etc/security/login.conf");
        System.setProperty("java.security.auth.login.config", "/etc/kafka/jaas.conf");
        getArgs(args);
        
        
        // JAAS Authn
        LoginContext lc = null;
        try { lc = new LoginContext("JaasClient", new TextCallbackHandler()); }
        catch (LoginException le) { error("Cannot create login context: ", le,ERR_JAAS_CTXT); }
        catch (SecurityException se) { error("Cannot create login context (security): ", se,ERR_JAAS_CTXT); }
        try { lc.login(); } catch (LoginException le) { error("JAAS Authentication failed: ", le, ERR_LOGIN); }
        System.out.println("User authenticated (JAAS) - " + lc.getSubject());
        
        // Connect to server.
        Socket socket = new Socket(server,port);
        DataInputStream inStream = new DataInputStream(socket.getInputStream());
        DataOutputStream outStream = new DataOutputStream(socket.getOutputStream());
        System.out.println("Connected to server "+ socket.getInetAddress() + ":" + port);
        
        // Create a GSSContext for mutual authentication with the server.
        String ops = "";
        GSSContext context = null;
        try {
            Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
            ops="new OID";
            GSSManager manager = GSSManager.getInstance();
            ops="createName";
            GSSName serverName = manager.createName(principal, null);
            ops="createContext";
            context = manager.createContext(serverName,krb5Oid,null,GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);  // Mutual authentication
            context.requestConf(true);  // Will use confidentiality later
            context.requestInteg(true); // Will use integrity later
        } catch (GSSException e) { error(String.format("GSS internal error (%s):",ops),e,ERR_GSS); }
        System.out.println("Context created");
        
        // Context establishment loop
        byte[] token = new byte[0];
        while (!context.isEstablished()) {
            try {
                token = context.initSecContext(token, 0, token.length);
                System.out.println("Token generated");
            } catch (GSSException e) { error(String.format("GSS internal error (%s):","initSecContext"),e,ERR_GSS); }
        

该代码的输出是:

[pascal@zbook appClientModule]$ java tsn.jaas.gssClient 
Debug is  true storeKey false useTicketCache true useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is null refreshKrb5Config is false principal is client tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is client@TEST.COM
null credentials from Ticket Cache
principal is client@TEST.COM
Will use keytab
Commit Succeeded 

User authenticated (JAAS) - Subject:
    Principal: client@TEST.COM

Connected to server localhost/127.0.0.1:2000
Context created
GSS internal error (initSecContext): :No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

比我更有知识的人是否看到该代码中的错误? 更一般地说,我想知道 kerberos 缓存(密钥环)中的更改是否破坏了 API .... 任何输入都非常受欢迎。

【问题讨论】:

    标签: kerberos jaas jgss gss


    【解决方案1】:

    我会检查:

    • JVM 是否支持krb5.conf 中的includedir 指令?
    • JVM 是否支持KCM 凭证缓存类型?

    如果你export KRB5CCNAME=$(mktemp) && kinit && java ...,那么你的程序应该(假设JGSS 服从KRB5CCNAME 环境变量)能够在kinit 创建的临时文件中找到TGT。这将排除其他任何事情。

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2020-04-02
      • 1970-01-01
      • 2019-10-02
      • 2015-04-20
      • 1970-01-01
      • 1970-01-01
      • 2020-04-14
      • 1970-01-01
      相关资源
      最近更新 更多