Question
I'm trying to follow this tutorial for spring-security-kerberos. I have a keytab with one principal in it:
ktutil: rkt http-web.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM
This keytab was generated on the win 2k8 domain controller with this command:
ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM /pass *
which was copied over to the test web server used in spnego.xml:
<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
<property name="servicePrincipal" value="HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM" />
<property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
<property name="debug" value="true" />
</bean>
but fails to find the principal:
Key for the principal HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM not available in
jndi:/localhost/spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT/WEB-INF/http-web.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
I have tried joining the web server (Centos 5.5, tomcat6) to the AD WAD.ENG.HYTRUST.COM and can login using AD credentials and then using a principal from /etc/krb5.keytab just to see if it can be read... same response. I also tried lots of variants on uppercasing and lowercasing the names.
PS: checked it out from git this morning.
Answer 1:
There're several mistakes that lead to "Unable to obtain password from user":
- incorrectly specified location of keytab file (just like @jasop pointed out); it should be something like classpath:http-web.keytab or file:c:/http-web.keytab
- incorrectly specified principal name (i.e., principal name that doesn't match the actual one, for which keytab file was generated)
- white spaces in a keytab file path (not sure if this has ever been fixed); saw complaints in comments on the SPRING SECURITY KERBEROS/SPNEGO EXTENSION SpringSource blog entry, and received evidence on my dev environment (Windows 7 / Java 6); the absolute path must be considered at all times (even if the keytab is referenced by classpath with no spaces)
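To rule out the second cause in answer 1 (a configured principal that does not match the one in the keytab), the keytab can be parsed on the web server and compared with the `servicePrincipal` value. This is an added example, not part of the original answer or of spring-security-kerberos; `parse_keytab`, `has_principal` and the constructed `SAMPLE` (dummy all-zero key) are hypothetical names, and only keytab format version 0x0502 is handled.

```python
import struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a keytab (format version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry, off = data[pos:pos + size], 0
        pos += size
        def counted(off):                  # uint16 length followed by that many bytes
            (n,) = struct.unpack_from(">H", entry, off)
            return entry[off + 2:off + 2 + n].decode(), off + 2 + n
        (ncomp,) = struct.unpack_from(">H", entry, off)
        realm, off = counted(off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = counted(off)
            comps.append(c)
        off += 8                           # skip name type and timestamp
        kvno = entry[off]
        enctype, keylen = struct.unpack_from(">HH", entry, off + 1)
        off += 5 + keylen                  # key bytes are skipped, never returned
        if len(entry) - off >= 4:          # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def has_principal(data, service_principal):
    """Exact match: Kerberos principal names are case-sensitive."""
    return any(p == service_principal for p, _, _ in parse_keytab(data))

def _cs(s):
    return struct.pack(">H", len(s)) + s.encode()

# Constructed sample: one entry mirroring the question's ktutil listing, dummy key.
_body = (struct.pack(">H", 2) + _cs("WAD.ENG.HYTRUST.COM") + _cs("HTTP")
         + _cs("aulfeldt.hta.nightly") + struct.pack(">IIB", 1, 0, 3)
         + struct.pack(">HH", 23, 16) + b"\x00" * 16)
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_body)) + _body

if __name__ == "__main__":
    print(parse_keytab(SAMPLE))
```

On a real file, pass `open(path, "rb").read()` and the exact `servicePrincipal` string from spnego.xml to `has_principal`.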
Answer 2:
I had the exact same issue.
The problem is your "keyTabLocation" setting. You cannot set it to /WEB-INF/http-web.keytab
You need to set it to something on the file path or classpath.
For instance, I put my file on the classpath and made this setting:
<property name="keyTabLocation" value="classpath:http-web.keytab" />
Source: https://stackoverflow.com/questions/6144097/spring-security-kerberos-cant-read-keytab