java pass can not be_java – Checksum failed: Kerberos / Spring / Active Directory (2008)

The problem seems to be in the keytab. There are sequences of actions that lead to certain specific keytab file states:

(A) the keytab works for Java but not for k5start / kinit;
(B) the keytab does not work for Java but works for k5start / kinit;
(C) the keytab works for both.

Short Java code that lets you check whether Java can authenticate using the keytab file:
```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import com.sun.security.auth.module.Krb5LoginModule;

/**
 * This is a simple Java program that tests the ability to authenticate
 * with Kerberos using the JDK implementation.
 *
 * The program uses no libraries but the JDK itself.
 */
public class Krb {
    private void loginImpl(final String propertiesFileName) throws Exception {
        System.out.println("NB: system property to specify the krb5 config: [java.security.krb5.conf]");
        //System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.out.println(System.getProperty("java.version"));
        System.setProperty("sun.security.krb5.debug", "true");
        final Subject subject = new Subject();
        final Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
        final Map<String, Object> optionMap = new HashMap<String, Object>();
        if (propertiesFileName == null) {
            //optionMap.put("ticketCache", "/tmp/krb5cc_1000");
            optionMap.put("keyTab", "/etc/krb5.keytab");
            optionMap.put("principal", "foo"); // default realm
            optionMap.put("doNotPrompt", "true");
            optionMap.put("refreshKrb5Config", "true");
            optionMap.put("useTicketCache", "true");
            optionMap.put("renewTGT", "true");
            optionMap.put("useKeyTab", "true");
            optionMap.put("storeKey", "true");
            optionMap.put("isInitiator", "true");
        } else {
            File f = new File(propertiesFileName);
            System.out.println("======= loading property file [" + f.getAbsolutePath() + "]");
            Properties p = new Properties();
            InputStream is = new FileInputStream(f);
            try {
                p.load(is);
            } finally {
                is.close();
            }
            // copy every property into the login module option map
            for (String name : p.stringPropertyNames()) {
                optionMap.put(name, p.getProperty(name));
            }
        }
        optionMap.put("debug", "true"); // switch on debug of the Java implementation
        krb5LoginModule.initialize(subject, null, new HashMap<String, Object>(), optionMap);
        boolean loginOk = krb5LoginModule.login();
        System.out.println("======= login: " + loginOk);
        boolean commitOk = krb5LoginModule.commit();
        System.out.println("======= commit: " + commitOk);
        System.out.println("======= Subject: " + subject);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("A property file with the login context can be specified as the 1st and the only paramater.");
        final Krb krb = new Krb();
        krb.loginImpl(args.length == 0 ? null : args[0]);
    }
}
```
and the property file to use with it:

```properties
#ticketCache=/tmp/krb5cc_1000
keyTab=/etc/krb5.keytab
principal=foo
doNotPrompt=true
refreshKrb5Config=true
useTicketCache=true
renewTGT=true
useKeyTab=true
storeKey=true
isInitiator=true
```

(Below we assume that krb / kdc is properly installed and configured and that the database was created with kdb5_util. The starting state for each command sequence is: the keytab file is deleted, the ticket cache is deleted, and the user "foo" is removed from the database.)

The following sequence of actions leads to keytab state (A):
```
$echo -e "foo\nfoo" | kadmin.local -q "addprinc foo"
$echo -e "foo\nfoo" | kadmin.local -q "ktadd foo"
$java -cp . Krb ./krb5.properties
# Now java auth okay, but the following command fails:
$k5start foo
Kerberos initialization for foo@EXAMPLE.COM
Password for foo@EXAMPLE.COM:
k5start: error getting credentials: Decrypt integrity check failed
$
```

The following sequence of actions leads to keytab state (B):
```
$echo -e "foo\nfoo" | kadmin.local -q "addprinc foo"
$echo -e "foo\nfoo" | kadmin.local -q "ktadd foo"
$echo -e "foo\nfoo" | kadmin.local -q "cpw foo"
$java -cp . Krb ./krb5.properties
A property file with the login context can be specified as the 1st and the only paramater.
NB: system property to specify the krb5 config: [java.security.krb5.conf]
1.6.0_33
======= loading property file [/tmp/krb-test/yhadoop-common/./krb5.properties]
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/krb5.keytab refreshKrb5Config is true principal is foo tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Config name: /etc/krb5.conf
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
>>>KinitOptions cache name is /tmp/krb5cc_0
Principal is foo@EXAMPLE.COM
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): EXAMPLE.COM
>>> KeyTabInputStream, readName(): foo
>>> KeyTab: load() entry length: 49; type: 23
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23.
0: EncryptionKey: keyType=23 kvno=3 keyValue (hex dump)=
0000: 5F 7F 9B 42 BB 02 51 81 32 05 1D 7B C0 9F 19 C0 _..B..Q.2.......
principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=localhost UDP:88, timeout=30000, number of retries =3, #bytes=128
>>> KDCCommunication: kdc=localhost UDP:88, timeout=30000,Attempt =1, #bytes=128
>>> KrbKdcReq send: #bytes read=611
>>> KrbKdcReq send: #bytes read=611
>>> KdcAccessibility: remove localhost:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Checksum failed !
[Krb5LoginModule] authentication failed
Checksum failed
Exception in thread "main" javax.security.auth.login.LoginException: Checksum failed
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at Krb.loginImpl(Krb.java:65)
at Krb.main(Krb.java:77)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:672)
... 3 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 10 more
$
```

But "k5start foo" is fine in this state, and so is "kinit foo".

And the following sequence of actions leads to state (C):
```
$echo -e "foo\nfoo" | kadmin.local -q "addprinc foo"
$ktutil
ktutil: addent -password -p foo -k 1 -e rc4-hmac
Password for foo@EXAMPLE.COM:
ktutil: wkt /etc/krb5.keytab
ktutil: q
```

After that, both k5start / kinit and Java authentication give a positive result.

Environment:
```
yum list krb5-appl-servers krb5-libs krb5-server krb5-workstation kstart pam_krb5
...
Installed Packages
krb5-libs.x86_64 1.9-33.el6_3.3 @updates
krb5-server.x86_64 1.9-33.el6_3.3 @updates
krb5-workstation.x86_64 1.9-33.el6_3.3 @updates
kstart.x86_64 4.1-2.el6 @epel
...
$cat /etc/redhat-release
CentOS release 6.3 (Final)
$java -version
java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)
```

The same behavior is seen with Java 7. The same behavior is also observed on Ubuntu Precise (12.04.1 LTS) with MIT Kerberos 5-1.10.3 compiled from the source distribution.
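As an added diagnostic example that is not part of the original post: a small Python parser for the MIT keytab file format (version 0x0502) that lists each entry's principal, kvno and enctype, plus a check that flags entries whose kvno no longer matches the kvno the KDC currently holds. The sample keytab is constructed here to mirror the single 49-byte rc4-hmac (type 23), kvno 3 entry for foo@EXAMPLE.COM seen in the debug trace; its key bytes are made up, and the `kdc_kvno` mapping is an assumed input.

```python
import struct
from typing import Dict, List

RC4_HMAC = 23  # enctype id; the Java debug trace shows it as "type: 23"

def build_entry(realm, components, kvno, enctype, key, timestamp=0, name_type=1):
    """Encode one keytab v0x0502 entry (used here only to construct the sample)."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:            # realm first, then name components
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIBHH", name_type, timestamp, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body  # length prefix excludes itself

def parse_keytab(data: bytes) -> List[Dict]:
    """Return one dict per live entry; a negative length marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (length,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if length < 0:                        # hole left by ktutil "delent": skip it
            pos -= length
            continue
        end, p = pos + length, pos
        (n_comp,) = struct.unpack_from(">H", data, p); p += 2
        strings = []
        for _ in range(n_comp + 1):           # realm, then n_comp components
            (slen,) = struct.unpack_from(">H", data, p); p += 2
            strings.append(data[p:p + slen].decode()); p += slen
        _ntype, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, p); p += 13
        key, p = data[p:p + klen], p + klen
        kvno = vno8
        if end - p >= 4:                      # newer writers append a 32-bit kvno
            kvno = struct.unpack_from(">I", data, p)[0] or vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "enctype": etype, "key": key, "timestamp": ts})
        pos = end
    return entries

# Constructed sample: one rc4-hmac kvno 3 entry for foo@EXAMPLE.COM, 49 bytes
# long like the entry in the debug trace. The key bytes are made up.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("EXAMPLE.COM", ["foo"], 3, RC4_HMAC, bytes(range(16)))

def stale_entries(data: bytes, kdc_kvno: Dict[str, int]) -> List[str]:
    """Principals whose keytab kvno differs from the KDC's current kvno."""
    return [e["principal"] for e in parse_keytab(data)
            if e["principal"] in kdc_kvno and e["kvno"] != kdc_kvno[e["principal"]]]
```

The kvno the KDC holds for a principal is shown by `kadmin.local -q "getprinc foo"` (the "Key: vno" line); an entry whose key and kvno lag the KDC's, as after the `cpw` in sequence (B), cannot decrypt the AS-REP, which is what surfaces as "Checksum failed" in the trace above.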