Java GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must keep it under the same CC BY-SA license, cite the original URL and authors, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/33829017/
GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
Asked by Krishna Kumar Chourasiya
I am very much new to the MongoDB + Java configuration. I am trying to achieve a connection to a remote MongoDB server from a Java application. I want to use the GSSAPI mechanism for the connection with mongotemplate. The code below has been executing successfully. It is from my configuration file.
    // Needs: com.mongodb.{MongoClient, MongoCredential, ServerAddress}, java.util.{ArrayList, List}
    List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
    ServerAddress address = new ServerAddress(host, port);
    serverAddresses.add(address);
    List<MongoCredential> credentials = new ArrayList<MongoCredential>();
    // MongoCredential is immutable: withMechanismProperty returns a new instance,
    // so the result has to be kept or the property is silently dropped.
    MongoCredential credential = MongoCredential.createGSSAPICredential(userName)
            .withMechanismProperty("SERVICE_NAME", gssapiServiceName)
            .withMechanismProperty("CANONICALIZE_HOST_NAME", true);
    credentials.add(credential);
    return new MongoClient(serverAddresses, credentials);
But when I try to execute the code below, I get an exception:
    DB db = mongoTemplate.getDb();
    Set<String> dbCollections1 = db.getCollectionNames();
Exception:
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
        at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
        at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:193)
        at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:427)
        at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:62)
        at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:154)
        at com.mongodb.DBPort$GSSAPIAuthenticator.getGSSCredential(DBPort.java:622)
        at com.mongodb.DBPort$GSSAPIAuthenticator.createSaslClient(DBPort.java:593)
        at com.mongodb.DBPort$SaslAuthenticator.authenticate(DBPort.java:895)
        at com.mongodb.DBPort.authenticate(DBPort.java:432)
        at com.mongodb.DBPort.checkAuth(DBPort.java:443)
        at com.mongodb.DBTCPConnector.innerCall(DBTCPConnector.java:289)
        at com.mongodb.DBTCPConnector.call(DBTCPConnector.java:269)
        at com.mongodb.DBCollectionImpl.find(DBCollectionImpl.java:84)
        at com.mongodb.DB.command(DB.java:320)
        at com.mongodb.DB.command(DB.java:299)
        at com.mongodb.DB.command(DB.java:388)
        at com.mongodb.DBApiLayer.getCollectionNames(DBApiLayer.java:152)
Answered by Krishna Kumar Chourasiya
A million thanks to all who have responded and taken a look at my question.
After adding some system properties and a new conf file, I am finally able to get connected to the MongoDB server. Herewith the updated code -
    // Needs: com.mongodb.{DB, MongoClient, MongoCredential, ServerAddress},
    //        java.net.UnknownHostException, java.util.{ArrayList, List}
    try {
        // Kerberos client configuration; the realm and kdc properties must be set together.
        System.setProperty("java.security.krb5.conf", "C:/mongodb/UnixKeytab/krb5.conf");
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc", "example.com");
        // Let JGSS obtain credentials through JAAS instead of requiring a Subject on the calling thread.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // JAAS login configuration holding the com.sun.security.jgss.initiate entry.
        System.setProperty("java.security.auth.login.config", "C:/mongodb/UnixKeytab/gss-jaas.conf");
        List<ServerAddress> serverAddresses = new ArrayList<ServerAddress>();
        ServerAddress address = new ServerAddress(host, port);
        serverAddresses.add(address);
        List<MongoCredential> credentials = new ArrayList<MongoCredential>();
        MongoCredential credential = MongoCredential.createGSSAPICredential(username);
        credentials.add(credential);
        MongoClient mongoClient1 = new MongoClient(serverAddresses, credentials);
        DB db = mongoClient1.getDB(database);
    } catch (UnknownHostException e) {
        e.printStackTrace();
    }
My krb5.conf file looks like below -
    [libdefaults]
        default_realm = EXAMPLE.COM
        default_tkt_enctypes = des-cbc-md5 rc4-hmac
        default_tgs_enctypes = des-cbc-md5 rc4-hmac
        default_keytab_name = <keytab file path>
    [realms]
        EXAMPLE.COM = {
            kdc = example.com
            master_kdc = example.com
            default_domain = EXAMPLE.COM
        }
        INTRANET = {
            kdc = example.com
            master_kdc = example.com
            default_domain = example.com
        }
My gss-jaas.conf looks like below -
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        useTicketCache=false
        principal="my-account@MY_REALM"
        doNotPrompt=true
        keyTab="path-to-my-keytab-file"
        debug=true;
    };
Code I have posted is working for me. Hope this will work for others.
Answered by gerritjvv
Adding some information to this post as it's extremely useful already.
If the Sasl/createSaslClient is not run within the Subject:doAs method that is retrieved from the LoginContext, the credentials will not be picked up from the krb5.conf file. I.e. the GSS code looks at the current thread's security manager for the Subject which is registered via the Subject:doAs method, and then uses the credentials from this subject. This Subject should've been obtained via jaas which in turn would read the correct jaas and krb5.conf credentials, but if you do not run the sasl and saslclient methods inside the Subject:doAs method all this doesn't matter.
You can get around it by setting javax.security.auth.useSubjectCredsOnly=false, which means if no credentials can be found, some default names in the jaas file will be searched for (see LoginConfigImpl.java#92); one is com.sun.security.jgss.initiate.
e.g.
    com.sun.security.jgss.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        useTicketCache=true
        useKeyTab=true
        keyTab="mykeytab"
        principal="service/host@REALM";
    };
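The behaviour described in this answer, as an added example that is not part of the original post or of the MongoDB driver: the JGSS credential lookup seen in the question's stack trace is called once outside and once inside Subject.doAs, with useSubjectCredsOnly=true. The class name, the relative file paths, and a reachable KDC with a valid keytab are assumptions; the JAAS entry name is the one used on this page.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class SubjectDoAsDemo {          // hypothetical class name
    // The JGSS call from the question's stack trace (GSSManagerImpl.createCredential):
    // look up Kerberos initiator credentials for the current caller.
    static GSSCredential initiatorCredential() throws GSSException {
        return GSSManager.getInstance().createCredential(
                null, GSSCredential.DEFAULT_LIFETIME,
                new Oid("1.2.840.113554.1.2.2"), GSSCredential.INITIATE_ONLY); // Kerberos V5 OID
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder paths: point these at your own files.
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        System.setProperty("java.security.auth.login.config", "gss-jaas.conf");
        // Strict mode: JGSS may only use credentials held by the current Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");

        // 1. No Subject is associated with this thread: expect the question's error.
        try {
            initiatorCredential();
            System.out.println("unexpected: credential found without a Subject");
        } catch (GSSException e) {
            System.out.println("outside doAs: " + e.getMessage());
        }

        // 2. The JAAS login (Krb5LoginModule entry from gss-jaas.conf) stores the
        //    TGT in the Subject's private credentials.
        LoginContext lc = new LoginContext("com.sun.security.jgss.initiate");
        lc.login();
        try {
            // 3. Inside doAs the same lookup finds the Subject's TGT.
            GSSCredential cred = Subject.doAs(lc.getSubject(),
                    (PrivilegedExceptionAction<GSSCredential>) SubjectDoAsDemo::initiatorCredential);
            System.out.println("inside doAs: " + cred.getName());
            cred.dispose();
        } finally {
            lc.logout();
        }
    }
}
```

Subject.doAs is deprecated on recent JDKs; Subject.callAs (JDK 18+) is its replacement there.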
Answered by Fabiano Tarlao
I faced the same error "Mechanism level: Failed to find any Kerberos tgt". My problem looks different from yours, but it could be useful to others with the same error.
In my case it was caused by an error in writing the principal name in one of my configuration files.
I suggest checking the Jaas LoginManager configuration file (provided with java.security.auth.login.config) and policy files for principals. A typical error is the domain name in lowercase: [email protected] instead of [email protected]
In the case you set/refer to the principal programmatically, you can also check the principal name correctness in your code. Regards