curl with --negotiate / Kerberos doesn't seem to work

Submitted by 为君一笑 on 2020-01-25 07:58:06

Question

I'm trying to use curl with Kerberos (against TM1). The answers in When using --negotiate with curl, is a keytab file required? seem very helpful, however, it still doesn't work for me.

No success with curl 7.29.0 and GSS-Negotiate

I followed the instructions from Avinash Reddy

$curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.44 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

$/usr/share/centrifydc/kerberos/bin/kinit myuser
Password for myuser@MYREALM:

$/usr/share/centrifydc/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_100123
Default principal: myuser@MYREALM

Valid starting       Expires              Service principal
01/24/2020 12:11:30  01/24/2020 22:11:30  krbtgt/MYREALM@MYREALM
        renew until 01/25/2020 12:11:26

WattsInABox says he successfully used curl 7.29.0 but for me, it doesn't seem to work:

$curl -ik -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://mytm1server/api/v1/Configuration
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Set-Cookie: TM1SessionId=mGR4OPSynQmCBIRd_B_L7g; Path=/api/; HttpOnly; Secure
WWW-Authenticate: Negotiate, Basic realm="TM1"

I also tried getting a service ticket instead of a TGT:

$/usr/share/centrifydc/kerberos/bin/kinit -S tm1s/mytm1server
Password for myuser@MYREALM:

$/usr/share/centrifydc/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_100771
Default principal: myuser@MYREALM

Valid starting       Expires              Service principal
01/24/2020 13:37:52  01/24/2020 23:37:52  tm1s/mytm1server@MYREALM
        renew until 01/25/2020 13:37:46

No success either:

$curl -ik -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://mytm1server/api/v1/Configuration
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Set-Cookie: TM1SessionId=mGR4OPSynQmCBIRd_B_L7g; Path=/api/; HttpOnly; Secure
WWW-Authenticate: Negotiate, Basic realm="TM1"

No success with curl 7.48.0 and GSS-API and SPNEGO

On a different machine with curl 7.48.0, I followed the instructions of Michael-O except that I'm trying to go without a keytab file (we won't have that available):

$ curl --version
curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1c zlib/1.2.11 brotli/1.0.6 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.5/openssl/zlib nghttp2/1.33.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink

$/usr/share/centrifydc/kerberos/bin/kinit myuser
Password for myuser@MYREALM:

$/usr/share/centrifydc/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_100123
Default principal: myuser@MYREALM

Valid starting       Expires              Service principal
01/24/2020 15:19:34  01/25/2020 01:19:34  krbtgt/MYREALM@MYREALM
        renew until 01/25/2020 15:19:31

$curl -ik -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://mytm1server/api/v1/Configuration
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
OData-Version: 4.0
Set-Cookie: TM1SessionId=5Alh35utwfhkmfEm0ZVcKw; Path=/api/; HttpOnly; Secure
WWW-Authenticate: Negotiate, Basic realm="TM1"

Whether or not I manually export KRB5CCNAME=/tmp/krb5cc_100123 (shouldn't be required), it doesn't work either:

$export KRB5CCNAME=/tmp/krb5cc_100123
$curl -ik -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://mytm1server/api/v1/Configuration
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Set-Cookie: TM1SessionId=mGR4OPSynQmCBIRd_B_L7g; Path=/api/; HttpOnly; Secure
WWW-Authenticate: Negotiate, Basic realm="TM1"

Now of course, one may ask if the user is even allowed to log in. But using TM1's official client, integrated login works flawlessly.

Does anyone see what's wrong, or know how to get more debug information?
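A small diagnostic helper for the situation described in this question, added here as an example and not part of the original post or of curl itself. It checks the SPNEGO exchange one piece at a time: whether the 401 really offers Negotiate, whether curl sent a Negotiate token at all (curl only attempts SPNEGO when --negotiate or --anyauth is given), which service principal curl will ask the KDC for (HTTP/host unless --service-name overrides it), and a verbose run with Kerberos library tracing. It assumes a GSS-API/SPNEGO-enabled curl, an MIT-style klist in PATH and a Kerberos library that honours KRB5_TRACE; the function names are my own.

```shell
#!/bin/sh
# Added diagnostic helpers for curl SPNEGO (--negotiate) failures.
# Assumptions (not from the original post): GSS-API/SPNEGO-enabled curl,
# MIT-style `klist` in PATH, Kerberos library that honours KRB5_TRACE.

# 1. Does the 401 actually offer Negotiate? Reads response headers on stdin.
offers_negotiate() {
    grep -qi '^WWW-Authenticate:.*Negotiate'
}

# 2. Did curl send a SPNEGO token? Reads `curl -v` output on stdin; request
#    headers are prefixed with "> ". Without --negotiate (or --anyauth) curl
#    never sends one, so the server answers 401 whatever the cache holds.
sent_negotiate_token() {
    grep -q '^> Authorization: Negotiate '
}

# 3. curl asks the KDC for HTTP/<host> unless --service-name overrides it.
#    $1 = host, $2 = optional service part.
expected_spn() {
    printf '%s/%s\n' "${2:-HTTP}" "$1"
}

# 4. Is a ticket for that SPN already in the current credential cache?
has_service_ticket() {
    klist 2>/dev/null | grep -q "$1"
}

# 5. Verbose run with SPNEGO enabled and Kerberos tracing sent to stderr,
#    merged into stdout so it can be piped into sent_negotiate_token.
debug_negotiate() {
    url=$1
    service=${2:-HTTP}
    KRB5_TRACE=/dev/stderr curl -v --negotiate -u : \
        --service-name "$service" "$url" 2>&1
}

# Usage (needs a live server and a kinit'ed cache, hence commented out):
# out=$(debug_negotiate https://mytm1server/api/v1/Configuration)
# printf '%s\n' "$out" | sent_negotiate_token || echo "no SPNEGO token sent"
# has_service_ticket "$(expected_spn mytm1server)" || echo "no HTTP/ ticket"
```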

Source: https://stackoverflow.com/questions/59898525/curl-with-negotiate-kerberos-doesnt-seem-to-work
