Issues setting up kerberos with tc server
tc server on Red Hat Linux
I have been trying to follow this example: http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
AD service account setup
setspn and ktpass commands executed to create SPN and keytab
If I use the mapuser option with the ktpass command and allow the userprincipalname to be changed, it will work for that one SPN. I cannot get it configured to be able to use multiple SPNs for one AD service ID. AD account is set up for delegation.
jaas.conf snippet
    com.sun.security.jgss.krb5.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=false
        useKeyTab=true
        keyTab="<path>/test5a.keytab"
        principal="<fqdn>"
        storeKey=true
        doNotPrompt=true;
    };
    com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=false
        useKeyTab=true
        keyTab="<path>/test5a.keytab"
        principal="HTTP/<fqdn>"
        storeKey=true
        doNotPrompt=true;
    };
If I change the UPN to anything but the SPN I am working with, it fails with either could not find user in kerberos database. What am I missing to be able to use one AD service account for multiple SPNs?
The SPN is also tied to the keytab, so you need to generate a new keytab file for each SPN.