I am trying to create a keytab file. I see a warning
WARNING: pType and account type do not match. This might cause problems.
The command I am using is
ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass **** -ptype KRB5_NT_SRV_HST -out "C:\Documents and Settings\Administrator\bloodhound.kytab"
I want to use this for SSO on Apache. I am creating this on Windows Server 2003 R2 SP2.
Output
Targeting domain controller: fezziwig.uk.domain.com
Using legacy password setting method
Successfully mapped HTTP/bloodhound.domain.com to ldaplookup.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to C:\Documents and Settings\Administrator.UK-GGS-DOMAIN\bloodhound.keytab:
Keytab version: 0x502
keysize 82 HTTP/[email protected] ptype 3 (KRB5_NT_SRV_HST) vno 14 etype 0x17 (RC4-HMAC) keylength 16 (0xde184005d851613980cffb9580bdd193)
I have followed many guides such as http://www.zimbra.com/docs/os/7.2.3/administration_guide/wwhelp/wwhimpl/common/html/wwhelp.htm#href=7.2.3_Open_Source_admin.Create_the_Kerberos_Keytab_File.html&single=true
but none of them worked. When I test with kvno I get the following
[root@portal-test conf]# klist -ke bloodhound1.keytab
Keytab name: FILE:bloodhound1.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  27 HTTP/[email protected] (ArcFour with HMAC/md5)
[root@portal-test conf]# kvno HTTP/[email protected]
kvno: Server not found in Kerberos database while getting credentials for HTTP/[email protected]
Update
The web server I want to access uses the URL http://cobra.woking/
I ran the command below on Windows Server 2008 R2 Standard
ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass password -ptype KRB5_NT_SRV_HST -out "C:\Temp\cobra.kytab" -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: echo.spectrumasa.com
Successfully mapped HTTP/cobra.woking to ldaplookup.
Password succesfully set!
Key created.
Output keytab to C:\Temp\cobra.kytab:
Keytab version: 0x502
keysize 68 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 33 etype 0x17 (RC4-HMAC ) keylength 16 (0xde184005d851613980cffb9580bdd193)
Copied the file to the web server. Updated the web server configuration to:
<Directory /opt/html/trac>
    AuthType Kerberos
    AuthName KerberosLogin
    KrbServiceName HTTP/cobra.woking
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms SPECTRUMASA.COM
    Krb5KeyTab /tmp/cobra.kytab
    AuthLDAPURL ldap://ldapauth.spectrumasa.com/ou=TechSupport,ou=Woking,ou=Sites,dc=spectrumasa,dc=com?userPrincipalName
    AuthLDAPBindDN cn=ldaplookup,cn=Users,dc=spectrumasa,dc=com
    AuthLDAPBindPassword password
    #require valid-user
    Require ldap-group cn=support,cn=Users,dc=spectrumasa,dc=com
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/intranet/info/unauthorized\"></html>"
</Directory>
Tested the keytab
klist -ke cobra.kytab
Keytab name: FILE:cobra.kytab
KVNO Principal
---- --------------------------------------------------------------------------
  33 HTTP/[email protected] (arcfour-hmac)
kvno HTTP/[email protected]
kvno: Ticket expired while getting credentials for HTTP/[email protected]
When accessing the URL I get the following, but in Firefox I get a password prompt and then it works.
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ), referer: http://cobra.woking/trac/
How do I fix this?
I already have an intranet keytab file working for this server
[root@cobra conf]# klist -ke intranet.keytab
Keytab name: FILE:intranet.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 HTTP/[email protected] (arcfour-hmac)
[root@cobra conf]# kvno HTTP/[email protected]
kvno: Ticket expired while getting credentials for HTTP/[email protected]
Second update
I have recreated the keytab using the following
ktpass -princ HTTP/[email protected] -mapuser [email protected] -crypto rc4-hmac-nt -pass password -out "C:\Temp\cobra1.keytab" -ptype KRB5_NT_PRINCIPAL
In my DNS I have
cobra A 172.16.0.216
In Apache I have
KrbServiceName HTTP/cobra
Krb5KeyTab /etc/httpd/conf/cobra1.keytab
When I try to access http://cobra/trac I am asked for my password 3 times. The logs show
On entering the URL, the first password prompt shows SPECTRUM/user
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
The second password prompt shows COBRA/user and the log shows
gss_accept_sec_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)
At the third password prompt I have to enter the username and password, and then it works.
I have added http://cobra and http://cobra.spectrumasa.com to the trusted sites.
The error you are getting in the output is because you have not mapped the SPN to a principal. You should use the ptype switch -ptype KRB5_NT_PRINCIPAL to avoid the error.
KRB5_NT_PRINCIPAL is the general principal type supplied by Microsoft (recommended).
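Added example (not from the question or the answer above): a small Python parser for the 0x0502 keytab format that ktpass and klist report, which reads each entry's name type (the field -ptype writes), kvno and enctype so the ptype stored in the file can be checked against the one the answer recommends. The sample keytab is constructed here and mirrors the question's first cobra entry (ptype 3, vno 33, RC4-HMAC); its key bytes are a placeholder.

```python
import struct

# Principal name types from RFC 4120 / krb5.h; this is the field ktpass -ptype writes.
KRB5_NT_PRINCIPAL, KRB5_NT_SRV_HST = 1, 3
def _counted(data, off):
    """Read a 16-bit big-endian length-prefixed string; return (text, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (the format ktpass and klist report) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                        # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                    # step over the key bytes without keeping them
        # A trailing 32-bit kvno, when present, overrides the 8-bit one.
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "kvno": vno, "enctype": enctype})
    return entries
def ptype_mismatches(entries, expected=KRB5_NT_PRINCIPAL):
    """Principals whose stored name type is not the expected one (default KRB5_NT_PRINCIPAL)."""
    return [e["principal"] for e in entries if e["name_type"] != expected]
def _entry(principal, realm, name_type, vno, enctype, key):
    """Serialise one keytab entry; used only to construct the sample below."""
    def cs(s): return struct.pack(">H", len(s)) + s.encode()
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIB", name_type, 0, vno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body
# Constructed sample (ptype 3, vno 33, etype 23 = RC4-HMAC); key bytes are a placeholder.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("HTTP/cobra.woking", "SPECTRUMASA.COM",
                                     KRB5_NT_SRV_HST, 33, 23, bytes(range(16)))
```

Run `parse_keytab(open("cobra.kytab", "rb").read())` on a real file to see the same fields klist -ke shows plus the name type, which klist does not print.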