问题似乎在关键表中.有一些动作序列导致某些特定的keytab文件状态：

(A)keytab适用于Java但不适用于k5start / kinit;

(B)keytab不适用于Java,但适用于k5start / kinit;

(C)keytab适用于它们.

简短的Java代码,允许检查Java是否可以使用keytab文件进行身份验证：

import java.io.File;

import java.io.FileInputStream;

import java.io.InputStream;

import java.util.HashMap;

import java.util.Map;

import java.util.Properties;

import javax.security.auth.Subject;

import com.sun.security.auth.module.Krb5LoginModule;

/**

* This is simple Java program that tests ability to authenticate

* with Kerberos using the JDK implementation.

*

* The program uses no libraries but JDK itself.

*/

public class Krb {

private void loginImpl(final String propertiesFileName) throws Exception {

System.out.println("NB: system property to specify the krb5 config: [java.security.krb5.conf]");

//System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");

System.out.println(System.getProperty("java.version"));

System.setProperty("sun.security.krb5.debug", "true");

final Subject subject = new Subject();

final Krb5LoginModule krb5LoginModule = new Krb5LoginModule();

final Map optionMap = new HashMap();

if (propertiesFileName == null) {

//optionMap.put("ticketCache", "/tmp/krb5cc_1000");

optionMap.put("keyTab", "/etc/krb5.keytab");

optionMap.put("principal", "foo"); // default realm

optionMap.put("doNotPrompt", "true");

optionMap.put("refreshKrb5Config", "true");

optionMap.put("useTicketCache", "true");

optionMap.put("renewTGT", "true");

optionMap.put("useKeyTab", "true");

optionMap.put("storeKey", "true");

optionMap.put("isInitiator", "true");

} else {

File f = new File(propertiesFileName);

System.out.println("======= loading property file ["+f.getAbsolutePath()+"]");

Properties p = new Properties();

InputStream is = new FileInputStream(f);

try {

p.load(is);

} finally {

is.close();

}

optionMap.putAll((Map)p);

}

optionMap.put("debug", "true"); // switch on debug of the Java implementation

krb5LoginModule.initialize(subject, null, new HashMap(), optionMap);

boolean loginOk = krb5LoginModule.login();

System.out.println("======= login: " + loginOk);

boolean commitOk = krb5LoginModule.commit();

System.out.println("======= commit: " + commitOk);

System.out.println("======= Subject: " + subject);

}

public static void main(String[] args) throws Exception {

System.out.println("A property file with the login context can be specified as the 1st and the only paramater.");

final Krb krb = new Krb();

krb.loginImpl(args.length == 0 ? null : args[0]);

}

}

,以及要使用的属性文件：

#ticketCache=/tmp/krb5cc_1000

keyTab=/etc/krb5.keytab

principal=foo

doNotPrompt=true

refreshKrb5Config=true

useTicketCache=true

renewTGT=true

useKeyTab=true

storeKey=true

isInitiator=true

(下面我们假设krb / kdc已正确安装和配置,数据库是用kdb5_util创建的.每个命令序列的起始状态是：删除keytab文件,删除令牌缓存,从数据库中删除用户“foo”. )

以下操作序列将导致keytab状态(A)：

$echo -e "foo\nfoo" | kadmin.local -q "addprinc foo"

$echo -e "foo\nfoo" | kadmin.local -q "ktadd foo"

$java -cp . Krb ./krb5.properties

# Now java auth okay, but the following command fails:

$k5start foo

Kerberos initialization for foo@EXAMPLE.COM

Password for foo@EXAMPLE.COM:

k5start: error getting credentials: Decrypt integrity check failed

$

以下操作序列将导致keytab状态(B)：

$echo -e "foo\nfoo" | kadmin.local -q "addprinc foo"

$echo -e "foo\nfoo" | kadmin.local -q "ktadd foo"

$echo -e "foo\nfoo" | kadmin.local -q "cpw foo"

$java -cp . Krb ./krb5.properties

A property file with the login context can be specified as the 1st and the only paramater.

NB: system property to specify the krb5 config: [java.security.krb5.conf]

1.6.0_33

======= loading property file [/tmp/krb-test/yhadoop-common/./krb5.properties]

Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/krb5.keytab refreshKrb5Config is true principal is foo tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Refreshing Kerberos configuration

Config name: /etc/krb5.conf

>>> KdcAccessibility: reset

>>> KdcAccessibility: reset

Acquire TGT from Cache

>>>KinitOptions cache name is /tmp/krb5cc_0

Principal is foo@EXAMPLE.COM

null credentials from Ticket Cache

>>> KeyTabInputStream, readName(): EXAMPLE.COM

>>> KeyTabInputStream, readName(): foo

>>> KeyTab: load() entry length: 49; type: 23

Added key: 23version: 3

Ordering keys wrt default_tkt_enctypes list

default etypes for default_tkt_enctypes: 23.

0: EncryptionKey: keyType=23 kvno=3 keyValue (hex dump)=

0000: 5F 7F 9B 42 BB 02 51 81 32 05 1D 7B C0 9F 19 C0 _..B..Q.2.......

principal's key obtained from the keytab

Acquire TGT using AS Exchange

default etypes for default_tkt_enctypes: 23.

>>> KrbAsReq calling createMessage

>>> KrbAsReq in createMessage

>>> KrbKdcReq send: kdc=localhost UDP:88, timeout=30000, number of retries =3, #bytes=128

>>> KDCCommunication: kdc=localhost UDP:88, timeout=30000,Attempt =1, #bytes=128

>>> KrbKdcReq send: #bytes read=611

>>> KrbKdcReq send: #bytes read=611

>>> KdcAccessibility: remove localhost:88

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

Checksum failed !

[Krb5LoginModule] authentication failed

Checksum failed

Exception in thread "main" javax.security.auth.login.LoginException: Checksum failed

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)

at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)

at Krb.loginImpl(Krb.java:65)

at Krb.main(Krb.java:77)

Caused by: KrbException: Checksum failed

at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)

at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)

at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)

at sun.security.krb5.KrbAsRep.(KrbAsRep.java:87)

at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)

at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)

at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)

at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:672)

... 3 more

Caused by: java.security.GeneralSecurityException: Checksum failed

at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)

at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)

at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)

... 10 more

$

但是“k5start foo”在这个状态下还可以,还有“kinit foo”.

并且以下动作序列导致状态(C)：

$echo -e "foo\nfoo" | kadmin.local -q "addprinc foo"

$ktutil

ktutil: addent -password -p foo -k 1 -e rc4-hmac

Password for foo@EXAMPLE.COM:

ktutil: wkt /etc/krb5.keytab

ktutil: q

之后,k5start / kinit和java验证都给出了积极的结果.

环境：

yum list krb5-appl-servers krb5-libs krb5-server krb5-workstation kstart pam_krb5

...

Installed Packages

krb5-libs.x86_64 1.9-33.el6_3.3 @updates

krb5-server.x86_64 1.9-33.el6_3.3 @updates

krb5-workstation.x86_64 1.9-33.el6_3.3 @updates

kstart.x86_64 4.1-2.el6 @epel

...

$cat /etc/redhat-release

CentOS release 6.3 (Final)

$java -version

java version "1.6.0_33"

Java(TM) SE Runtime Environment (build 1.6.0_33-b03)

Java HotSpot(TM) 64-Bit Server VM (build 20.8-b03, mixed mode)

与Java 7相同的行为也是如此.在Ubuntu精确(12.04.1 LTS)上观察到相同的行为,MIT的kerberos 5-1.10.3从源分布编译.