个人中心
文章发布
退出
作者热门文章
- iOS/Objective-C 元类和类别
- objective-c - -1001 错误,当 NSURLSession 通过 httpproxy 和/etc/hosts
- java - 使用网络类获取 url 地址
- ios - 推送通知中不播放声音
27
4
我正在使用林架构中的 LDAP(所有服务器和我的服务器都是 Windows)。我正在使用 NTLM 身份验证绑定(bind)到 AD。
我有一个针对 LDAP 服务器执行操作的 JAVA 代码。
代码被包装为 tomcat servlet。
当直接运行 JAVA 代码时(仅将 LDAP 身份验证代码作为应用程序执行),绑定(bind)对本地域有效(本地域 = 我登录到 Windows,并使用该域的用户运行此过程)和外国域名。
当将 JAVA 代码作为 servlet 运行时,绑定(bind)可以工作并验证来自一个域的用户,但如果我试图验证来自其他域的用户则不起作用,它不会工作(只有当我'我将重新启动 tomcat)。
我遇到异常:
GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]]
我会提到它是相同的代码,具有相同的配置和相同的 krb5 文件。
编辑:更多信息:
这是我的代码:
public void func(String realm, String kdc) {
try {
URL configURL = getClass().getResource("jaas_ntlm_configuration.txt");
System.setProperty("java.security.auth.login.config", configURL.toString());
System.setProperty("java.security.krb5.realm", realm);
System.setProperty("java.security.krb5.kdc",kdc);
// If the application is run on NT rather than Unix, use this name
String loginAppName = "MyConfig";
// Create login context
LoginContext lc = new LoginContext(loginAppName, new SampleCallbackHandler());
// Retrieve the information on the logged-in user
lc.login();
// Get the authenticated subject
Subject subject = lc.getSubject();
System.out.println(subject.toString());
Subject.doAs(subject, new JndiAction(new String[] { "" }));
}
catch (LoginException e) {
e.printStackTrace();
}
}
class JndiAction implements java.security.PrivilegedAction {
private String[] args;
public JndiAction(String[] origArgs) {
this.args = (String[])origArgs.clone();
}
public Object run() {
performJndiOperation(args);
return null;
}
private static void performJndiOperation(String[] args) {
// Set up environment for creating initial context
Hashtable env = new Hashtable(11);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
// Must use fully qualified hostname
env.put(Context.PROVIDER_URL, "ldap://server:389");
// Request the use of the "GSSAPI" SASL mechanism
// Authenticate by using already established Kerberos credentials
env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
try {
// Create the initial context
DirContext ctx = new InitialLdapContext(env, null);
// Close the context when we're done
ctx.close();
} catch (NamingException e) {
e.printStackTrace();
}
}
}
我的 jaas_ntlm_configuration.txt 文件包含:
MyConfig { com.sun.security.auth.module.Krb5LoginModule required
useTicketCache=true
doNotPrompt=false;
};
我的 krb5.conf 文件是:
#
# All rights reserved.
#
#pragma ident @(#)krb5.conf 1.1 00/12/08
[libdefaults]
default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
[realms]
SUB1.DOMAIN.COM = {
kdc = DDC.SUB1.DOMAIN.COM
default_domain=DOMAIN.COM
}
SUB2.DOMAIN.COM = {
kdc = DDC.SUB.DOMAIN.COM
default_domain=DOMAIN.COM
}
SUB3.DOMAIN.COM = {
kdc = DDC.SUB3.DOMAIN.COM
default_domain=DOMAIN.COM
}
[domain_realm]
.DOMAIN.COM = SUB1.DOMAIN.COM
.DOMAIN.COM = SUB2.DOMAIN.COM
.DOMAIN.COM = SUB3.DOMAIN.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
rlogin = {
forwardable= true
}
rsh = {
forwardable= true
}
telnet = {
autologin = true
forwardable= true
}
我添加了以下作为 java 参数:
-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf="krb5.conf" -Dsun.security.krb5.debug=true
如果我总是使用同一个子域调用 func("SUB*.DOMAIN.COM", "DDC.SUB*.DOMAIN.COM") - 它会起作用,但是如果我先使用一个子域然后再使用另一个,第二个会失败。
更多信息:
这里是 krb5.debug=true 的输出:
java -Xmx100m -cp gssapi_test.jar -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf="krb5.conf" -Dsun.security.krb5.debug=true gssapitest.myTest my_config.txt
2 users provided. Performing authentication #1
Reading configuration file my_config.txt
kdc: DDC.SUB1.DOMAIN.COM, realm: SUB1.DOMAIN.COM
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user1
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=user1@SUB1.DOMAIN.COM
server=krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM
authTime=20130422075139Z
startTime=20130422075139Z
endTime=20130422175139Z
renewTill=20130429075139Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Subject:
Principal: user1@SUB1.DOMAIN.COM
Private Credential: Ticket (hex) =
.....
Client Principal = user1@SUB1.DOMAIN.COM
Server Principal = krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 2B 8C 97 3C 8E 83 66 F1 6D 58 6C 37 20 0E 1F 53 +..<..f.mXl7 ..S
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Mon Apr 22 15:51:39 2013
Start Time = Mon Apr 22 15:51:39 2013
End Time = Tue Apr 23 01:51:39 2013
Renew Till = Mon Apr 29 15:51:39 2013
Client Addresses Null
Connecting to LDAP
Config name: krb5.conf
Found ticket for user1@SUB1.DOMAIN.COM to go to krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM expiring on Tue Apr 23 01:51:39 2013
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 16 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KdcAccessibility: reset
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000, number of retries =3, #bytes=1554
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000,Attempt =1, #bytes=1554
>>> KrbKdcReq send: #bytes read=107
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000, number of retries =3, #bytes=1554
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000,Attempt =1, #bytes=1554
>>>DEBUG: TCPClient reading 1497 bytes
>>> KrbKdcReq send: #bytes read=1497
>>> KdcAccessibility: remove DDC.SUB1.DOMAIN.COM
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 1005735013
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
.....
Krb5Context.unwrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 94 52 14 5b f6 02 28 1c a4 3c c5 8f 03 9c a2 d6 e5 f6 f1 18 ed 6f 16 ab 07 a0 00 00 04 04 04 04 ]
Krb5Context.unwrap: data=[07 a0 00 00 ]
Krb5Context.wrap: data=[01 01 00 00 ]
Krb5Context.wrap: token=[60 33 06 09 2a 86 48 86 f7 12 01 02 02 02 01 00 00 ff ff ff ff 2d b6 92 0d d9 51 da aa ef 41 67 33 5c de b3 e6 ce 9a 46 31 a0 a8 0e 27 01 01 00 00 04 04 04 04 ]
Connected
Disconnected
#1: Done
Performing authentication #2
Reading configuration file my_config.txt
kdc: DDC.SUB2.DOMAIN.COM, realm: SUB2.DOMAIN.COM
>>>KinitOptions cache name is C:\Users\user1\krb5cc_user1
>> Acquire default native Credentials
>>> Obtained TGT from LSA: Credentials:
client=user1@SUB1.DOMAIN.COM
server=krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM
authTime=20130422075139Z
startTime=20130422075139Z
endTime=20130422175139Z
renewTill=20130429075139Z
flags: FORWARDABLE;RENEWABLE;INITIAL;PRE-AUTHENT
EType (int): 23
Subject:
Principal: user1@SUB1.DOMAIN.COM
Private Credential: Ticket (hex) =
.....
Client Principal = user1@SUB1.DOMAIN.COM
Server Principal = krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 2B 8C 97 3C 8E 83 66 F1 6D 58 6C 37 20 0E 1F 53 +..<..f.mXl7 ..S
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket true
Initial Ticket true
Auth Time = Mon Apr 22 15:51:39 2013
Start Time = Mon Apr 22 15:51:39 2013
End Time = Tue Apr 23 01:51:39 2013
Renew Till = Mon Apr 29 15:51:39 2013
Client Addresses Null
Connecting to LDAP
Found ticket for user1@SUB1.DOMAIN.COM to go to krbtgt/SUB1.DOMAIN.COM@SUB1.DOMAIN.COM expiring on Tue Apr 23 01:51:39 2013
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 16 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000, number of retries =3, #bytes=1554
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM UDP:88, timeout=30000,Attempt =1, #bytes=1554
>>> KrbKdcReq send: #bytes read=107
>>> KrbKdcReq send: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000, number of retries =3, #bytes=1554
>>> KDCCommunication: kdc=DDC.SUB1.DOMAIN.COM TCP:88, timeout=30000,Attempt =1, #bytes=1554
>>>DEBUG: TCPClient reading 1482 bytes
>>> KrbKdcReq send: #bytes read=1482
>>> KdcAccessibility: remove DDC.SUB1.DOMAIN.COM
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at gssapitest.JndiAction.performJndiOperation(myTest.java:603)
at gssapitest.JndiAction.run(myTest.java:577)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at gssapitest.myTest.Do(myTest.java:59)
at gssapitest.myTest.main(myTest.java:513)
javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]]
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at gssapitest.JndiAction.performJndiOperation(myTest.java:603)
at gssapitest.JndiAction.run(myTest.java:577)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)
at gssapitest.myTest.Do(myTest.java:59)
at gssapitest.myTest.main(myTest.java:513)
Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]
at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
... 18 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))
at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
... 19 more
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(Unknown Source)
at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
... 22 more
FAILED
我能做什么?我做错了什么吗?
谢谢。
最佳答案
谢谢!仅供引用,领域的大写(即领域应 100% 正确且为大写)对于避免“异常:krb_error 41 消息流已修改 (41)”非常重要。
下面是正确记法的例子:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = domaincontroller.example.com
admin_server = domaincontroller.example.com
default_domain = EXAMPLE.COM
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
问候,
尼卡。
关于java - GSS 异常 : Message stream modified (41),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/15932361/
27
4
0
我有一个表,其中包含带有订单字段的项目,我用这些字段将它们画在树上。 CREATE TABLE items ( menuId INTEGER, itemId INTEGER,
我正在关注这个 YouTube他们使用的教程Modifier.preferredSize()在一个盒子上和 Modifier.preferredHeight()在 Spacer Composable
当删除包含 UserSession.insert 的 if 语句时,一切正常。但是当它被包含时,我们会收到有关无效修饰符的错误。 出了什么问题?谢谢! 服务器/helpers/b.s Meteor.s
我已经为我的 Android 项目构建了一个注释处理器,它使用 JavaPoet 构建了一个源文件。但是,每次我需要对任何 JavaPoet 对象调用 addModifiers 时,Android S
我应该在哪里设置像 CreatedDate、CreatedBy、ModifiedDate、ModifiedBy 这样的字段?我应该将当前用户上下文传递到存储库并将其设置在那里,还是更好的方法是在应用程
我可以以某种方式重构以下代码片段以摆脱 双修饰符声明 ? .block { &__element { rule: value; } &--modifier { rule:
我正在编写一个函数,它接受一个谓词 p 和一个列表。它返回 ([value],[state]),其中第一个列表包含通过 p 的元素,第二个列表包含未通过的元素。但是,当我运行 runState (my
在我的项目中,我使用了 Typescript@4.0.3它运行良好,但现在我将其版本更新为最新 Typescript@4.1.3它给了我很多错误。我无法在文档中找到任何内容,也没有任何想法如何解决此问
我正在开发一个通过表单发送数据的 Rails 应用程序。我想在表单发送之后,但在它被处理之前修改表单的一些“参数”。 我现在拥有的 {"commit"=>"Create", "authentici
我的问题是关于接口(interface)。我创建了一个接口(interface)并定义了四个方法:第一个方法是 private 方法;第二个是 default 方法;第三个是static方法;第四个是
好的,所以我当前正在尝试选择目录中的最新文件(本例中为/FSTP/LOGS),但我想忽略包含字符串“DEBUG - null”但不是字符串的任何文件“DEBUG - MA”或“INFO - MA”。这
正是标题所说的。 Modifier.heightIn(...) 和有什么区别和 Modifier.prefferedHeigh() .在我的试验中,它们似乎以相同的方式工作。有谁知道何时使用什么以及在
我在项目中使用 Android Volley Networking 库。 当我自己将带有 etag 的“if-None-Match”添加到 header 时,我没有得到 304,因为 Volley 还
我一直在阅读一些关于在从服务器发送响应时为 Last-Modified 设置 header 的文章。我了解它的用途,以及如何设置它等。 我也理解传入的 If-Modified-Since header
我一直在浏览 Ivy 文档,但我对默认 ivysettings.xml 有疑问在 ivy.jar 中找到。 我要做的就是将公共(public)存储库更改为我们拥有的本地 Maven 存储库。就是这样。
我是 Ruby 新手。这是一个使用任何语言的编程面试问题。我正在尝试用 Ruby 来做。 编写一个程序来输入给定的句子。用单词的第一个字母/#ofcharactersbetween1st&laSTLe
我收到以下代码A的警告信息,为什么? 可选的 Modifier 参数应具有默认值 Modifier 代码A @Composable fun DisplayIcon( modifier: Mod
假设我想创建一个 Column与最宽的 child 一样宽Text在里面。为此,该列可以使用 .wrapContentWidth() 修饰符或 .width(IntrinsicSize.Max) ,但
我正在尝试用 Javascript 编写实现图形(数据结构)。为此,我有一个名为 Graph 的函数将该矩阵存储在名为 this.adjMatrix 的属性中的二维数组中。它还有很多方法。 我还想创建
即使在 Google PageSpeed(97) 和 Yahoo! YSlow(92) PHP 生成的缩略图似乎并不是被动地从旧缓存中获取的:它们似乎每次都生成......又一次......新鲜出炉,
我是一名优秀的程序员,十分优秀!