spring-security-kerberos can't read keytab?

五迷三道 提交于 2020-01-14 20:42:11

问题


I'm trying to follow this tutorial for spring-security-kerberos I have a keytab with one principal in it:

ktutil:  rkt http-web.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM

This keytab was generated on a the win 2k8 domain controller with this command:

ktpass /out http-web.keytab /mapuser aulfeldt-hta-nightly@WAD.ENG.HYTRUST.COM /princ HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM /pass *

which was coppied over the the test web server used in spnego.xml:

<bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
  <property name="servicePrincipal" value="HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM" />
  <property name="keyTabLocation" value="/WEB-INF/http-web.keytab" />
  <property name="debug" value="true" />
</bean>

but fails to find the principal:

Key for the principal HTTP/aulfeldt.hta.nightly@WAD.ENG.HYTRUST.COM not available in 
jndi:/localhost/spring-security-kerberos-sample-1.0.0.CI-SNAPSHOT/WEB-INF/http-web.keytab
            [Krb5LoginModule] authentication failed 
Unable to obtain password from user

I have tried joining the web server (Centos 5.5, tomcat6) to the AD WAD.ENG.HYTRUST.COM and can login using AD credentials and then using a principal from /etc/krb5.keytab just to see if it can be read... same response. I also tried lots of variants on uppercase and lowercaseing the names.

ps checked it out from git this morning.


回答1:


There're several mistakes that lead to "Unable to obtain password from user":

  1. incorrectly specified localtion of keytab file (just like @jasop pointed out); it should be something like classpath:http-web.keytab or file:c:/http-web.keytabl
  2. incorrectly specified principal name (i.e., principal name that doesn't match the actual one, for which keytab file was generated)
  3. white spaces in a keytab file path (note sure if this has ever been fixed),- saw complaints in comments on SPRING SECURITY KERBEROS/SPNEGO EXTENSION SpringSource blog entry, and received evidence on my dev environment - Windows 7 / Java 6,- the absolute path must be considered at all times (even if keytab referenced by classpath with no spaces)



回答2:


I had the exact same issue.

The problem is your "keyTabLocation" setting. You cannot set it to /WEB-INF/http-web.keytab

You need to set it to something on the file path or classpath.

For instance, I put my file on the classpath and made this setting:

    <property name="keyTabLocation" value="classpath:http-web.keytab" />


来源:https://stackoverflow.com/questions/6144097/spring-security-kerberos-cant-read-keytab

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!