gss_acquire_cred returning Key table entry not found error
Note: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use it you must follow the same CC BY-SA licence, cite the original URL and author information, and attribute it to the original author (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/127324/
Asked by Vagnerr
I have been trying to follow the guidelines in this Microsoft article to authenticate against Apache with Kerberos and AD. I have successfully tested the communication between the apache server and the AD server with kinit. However when I attempt to access a restricted page on the server with IE I get an Internal server error and the following appears in the apache error log.
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1483): [client 172.31.37.38] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1174): [client 172.31.37.38] Acquiring creds for HTTP/[email protected]
[Wed Sep 24 14:18:15 2008] [error] [client 172.31.37.38] gss_acquire_cred() failed: Miscellaneous failure (see text) (Key table entry not found)
I have run a truss on the apache process and confirmed that it is in fact loading up the keytab file ok. I am wondering if there is something wrong with the format of the keytab file...
HTTP/[email protected]
I am not sure what I am missing though. Or what other things to check.
Any suggestions?
Thanks
Peter
Answered by davenpcj
Ok. Keytabs are supposed to contain the Service principal name, in this case "HTTP/[email protected]" and the encryption key. I see where the MS docs say just to echo that to a file, but I don't think that's right.
You'll need to use the ktpass utility to create the keytab. The MS docs are here.
In particular, you'll need to specify KRB5_NT_SRV_HST, and most of the rest of the options can be default.
Sample of it on my machine:
C:\>ktpass /out test.keytab /princ HTTP/[email protected]
/ptype KRB5_NT_SRV_HST /pass *
Type the password for HTTP/srvnfssol1.dev.local:
Key created.
Output keytab to test.keytab:
Keytab version: 0x502
keysize 62 HTTP/[email protected]
ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x1 (DES-CBC-CRC)
keylength 8 (0xa7f1fb38041c199e)
If the active directory server is the KDC, you'll need to use the /map <name> argument, where <name> is the computer account in active directory representing the server.
Some details on how all this works. When you browse to the website it should respond with a WWW-Authenticate: Negotiate header, and your browser will send a request to the KDC (active directory server) to get a kerberos ticket for the service. The AD server will look up the encryption key for the ticket using the service principal name, and send an encrypted service ticket back to the browser. Once the browser has the service ticket, it'll reissue the HTTP request with an authenticate header containing the ticket. The apache server will look up its key in the keytab, decrypt the ticket, and grant access.
The "key table entry not found" error happens because apache isn't finding itself in the keytab. Can also happen if the name resolution/realms aren't set up right.
You should be able to see all the kerberos requests AP-REQ/AP-REP/TGS-REQ/TGS-REP using wireshark on the client, tcp or udp port 88.
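The answer's diagnosis is that gss_acquire_cred() fails when the principal Apache logs in "Acquiring creds for ..." does not match an entry in the keytab byte for byte. The quickest way to confirm that is to list what the keytab actually contains (klist -k or ktutil do this on a real system). The following is an added example, not code from the question or the answer: a minimal reader and writer for the version 0x502 keytab format that ktpass produced above, plus a lookup that reports the same "Key table entry not found" condition Apache hits. The realm EXAMPLE.COM is an assumption (the page obfuscates it); the host name, ptype, kvno, etype and 8-byte key are taken from the ktpass output on the page and are used only as constructed sample data.

```python
"""Minimal MIT keytab (version 0x502) writer/reader, used to check whether a
service principal such as HTTP/host@REALM is really present in the keytab.
Added example, not from the original post; the sample entry is constructed."""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"  # "Keytab version: 0x502" in the ktpass output
KRB5_NT_SRV_HST = 3         # the ptype ktpass was told to use


@dataclass
class KeytabEntry:
    principal: str      # "HTTP/host.fqdn@REALM"
    name_type: int      # 3 == KRB5_NT_SRV_HST
    kvno: int
    enctype: int        # 1 == DES-CBC-CRC (as in the ktpass output); 18 == AES256
    key: bytes
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    """uint16 big-endian length followed by the bytes (keytab 'counted octet string')."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the layout MIT/Heimdal/ktpass write."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        # v2 layout: component count does not include the realm
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)          # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # int32 entry size, positive = live entry
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk every entry; negative sizes are holes left by deleted entries."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                       # 32-bit kvno present and non-zero wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, kvno, enctype, key, ts))
    return entries


def find_service_key(data: bytes, principal: str) -> List[KeytabEntry]:
    """Exact match only: Kerberos principals are case-sensitive, so http/... != HTTP/...,
    and a short host name does not match the FQDN Apache asks for."""
    return [e for e in parse_keytab(data) if e.principal == principal]


def explain_lookup(data: bytes, principal: str) -> str:
    hits = find_service_key(data, principal)
    if hits:
        etypes = sorted({e.enctype for e in hits})
        return "found %d key(s) for %s (etypes %s)" % (len(hits), principal, etypes)
    names = sorted({e.principal for e in parse_keytab(data)})
    return "Key table entry not found for %s; keytab holds: %s" % (
        principal, ", ".join(names) or "(empty)")


# Constructed sample mirroring the ktpass run on the page: ptype 3, vno 1,
# etype 0x1 (DES-CBC-CRC), 8-byte key. The realm is an assumption.
SAMPLE_PRINCIPAL = "HTTP/srvnfssol1.dev.local@EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([KeytabEntry(SAMPLE_PRINCIPAL, KRB5_NT_SRV_HST, 1, 1,
                                          bytes.fromhex("a7f1fb38041c199e"))])

if __name__ == "__main__":
    print(explain_lookup(SAMPLE_KEYTAB, SAMPLE_PRINCIPAL))                        # found
    print(explain_lookup(SAMPLE_KEYTAB, "HTTP/srvnfssol1@EXAMPLE.COM"))           # short name
    print(explain_lookup(SAMPLE_KEYTAB, "http/srvnfssol1.dev.local@EXAMPLE.COM")) # wrong case
```

Run it against a real file with parse_keytab(open("/etc/krb5.keytab", "rb").read()) and compare the principals it lists with the name in Apache's "Acquiring creds for" debug line; the two mismatch cases in the usage block (short host name, lower-case service) are the ones that most often produce the error in the question even though the keytab loads fine.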