curl: how to use Kerberos instead of NTLM authentication on Windows?
I'm trying to connect to a Livy REST service under Kerberos security. On Linux CentOS curl works fine with negotiate; after receiving a Kerberos kinit ticket, the connection goes through with
curl --negotiate -u : http://service_link
The problem I'm facing is trying to do the same on a remote Windows desktop. I'm using MIT Kerberos for Windows, which is able to do a successful kinit. However, curl seems to be negotiating using the NTLM SSL tickets instead of Kerberos, which results in the following error:
AuthenticationFilter: Authentication exception: org.apache.hadoop.security.authentication.client.AuthenticationException
I've tried using the official curl release for Windows, having these features (curl --version):
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 HTTPS-proxy
and the gow 0.8.0 version of curl:
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM SPNEGO SSL SSPI libz
Both of these use NTLM SSL when negotiating.
Question: Is there a way to force using Kerberos instead of NTLM? Is it possible to debug the Negotiator to see whether (and where) it is looking for Kerberos (and possibly not seeing) tickets?
Concerning Kerberos, it seems to be storing the keytabs on its API, so I've set the KRB5CCNAME environment variable to API:Initial default ccache; klist is able to see the ticket, however, maybe curl needs additional specification?
Also -- are there alternative methods to curl for such a connection with Kerberos security?
http://service_link is a silly URL for Kerberos. As that is a single-label name, a client will only look for the service ticket in its default Realm. It is best to use an FQDN so that the host can be parsed and the domain portion be matched to a realm.
Also, there is no mention of an SPN in your post. If curl can guess the right KDC to talk to, you need the SPN HTTP/service_link registered on the account that runs auth on your web server.
Finally, have you used Fiddler or the like to confirm that your web server is sending back the WWW-Authenticate: negotiate header? curl does have proxy settings.
You can't force Kerberos if all the settings aren't right. If they are right, curl will try it first and succeed. Depending on what is wrong, it may try Kerb and then revert to NTLM.
The name of the service, and its consequent SPN, is critical to understanding Kerberos AUTH, and can be quite tricky. To understand the issue, you should understand that the Challenge that comes back from the Web server (or a Proxy) is essentially "I like Kerberos, GIVE ME A TICKET" ... The Web server offers no hint as to what Tickets it would be prepared to accept, nor does it tell the client how to obtain a suitable one.
So the Client needs to work out the name of the service (the SPN that is expected), and it then needs a Kerberos configuration that tells it how to obtain suitable tickets (if not from its local Kerberos Domain).
So for a Client accessing http://www.github.com/ the SPN would be HTTP/www.github.com, but the client first needs to check that name to see how it resolves. It's actually a CNAME that resolves via github.com, so the actual SPN would be HTTP/github.com - and then the Client needs to check its Kerberos configuration to see if the name is in a foreign Kerberos Domain (which adds extra complications). For the Local Kerberos domain, the client will present the krbtgt/ @ to its local Kerberos Ticket Granting service, requesting a ticket for the SPN HTTP/github.com @ <LOCAL_DOMAIN>.
Provided that SPN is registered in the Local Kerberos Ticket Granting service, then it will issue the Ticket, and the Client will present it to the Web site. The Website will accept it, provided it has the correct SPN and the correct issuing Domain.
If the Web service you connected to is actually a local fake of github.com, and accepts tickets from your Local domain, then this could work. But for a Website outside your own local environment, the added complications of a Foreign Kerberos domain, configuration and Trust relationship would come into play.
Even in your local environment, the Client needs to be able to derive the correct SPN from the name used to access the target resource, and the SPN needs to be registered and associated with the Webservice (so that it can decrypt the Kerberos tickets when they are presented).
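The two answers above describe three client-side checks for a Negotiate failure: whether the URL host is a single-label name or a CNAME (which changes the SPN the client asks for), whether the server's 401 actually offers Negotiate in WWW-Authenticate, and whether the ticket cache holds a ticket for that SPN after the attempt. The following script, added here as an illustration and not code from either answer or from curl, walks those checks over embedded sample data. The CNAME_MAP standing in for DNS, the klist output (MIT format, as printed by the Kerberos for Windows klist) and the 401 headers are all constructed for the example; in real use they would come from dig or nslookup, klist, and curl -v.

```python
import re
from urllib.parse import urlparse

# Constructed CNAME table standing in for DNS (assumption: not real records).
# Maps alias -> canonical name, as a CNAME lookup would report it.
CNAME_MAP = {
    "www.github.com": "github.com",
    "livy.corp.example.com": "livy-node01.corp.example.com",
}

# Constructed klist output in MIT Kerberos format (sample data, not a real cache).
SAMPLE_KLIST = """\
Ticket cache: API:Initial default ccache
Default principal: alice@CORP.EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
01/01/2024 10:00:01  01/01/2024 20:00:00  HTTP/livy-node01.corp.example.com@CORP.EXAMPLE.COM
"""

# Constructed 401 response headers as (name, value) pairs, as curl -v would show them.
SAMPLE_401_HEADERS = [
    ("Content-Type", "text/html"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", 'Basic realm="livy"'),
]

# Matches 'service/host@REALM' tokens in klist output.
SPN_RE = re.compile(r"([A-Za-z0-9_-]+/[A-Za-z0-9_.\-]+)@([A-Za-z0-9_.\-]+)")


def canonical_host(host, cname_map=CNAME_MAP, max_hops=8):
    """Follow CNAME aliases in the (constructed) map until a canonical name is reached."""
    seen = set()
    for _ in range(max_hops):
        target = cname_map.get(host)
        if target is None or host in seen:
            break
        seen.add(host)
        host = target
    return host


def derive_spn(url, cname_map=CNAME_MAP):
    """Return the HTTP SPN the client will request for url, plus warnings about the name."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    warnings = []
    if "." not in host:
        warnings.append("single-label host %r: the ticket is only sought in the default realm; use an FQDN" % host)
    canon = canonical_host(host.lower(), cname_map)
    if canon != host.lower():
        warnings.append("%s is a CNAME for %s; the SPN follows the canonical name" % (host, canon))
    return "HTTP/" + canon, warnings


def offered_schemes(headers):
    """Lower-cased authentication schemes offered in WWW-Authenticate headers.
    Simplification: splits on commas, so quoted parameters containing commas are not handled."""
    schemes = set()
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for challenge in value.split(","):
            challenge = challenge.strip()
            if challenge:
                schemes.add(challenge.split()[0].lower())
    return schemes


def cached_service_tickets(klist_output):
    """Map 'service/host' -> realm for every ticket listed in klist output."""
    tickets = {}
    for line in klist_output.splitlines():
        match = SPN_RE.search(line)
        if match:
            tickets[match.group(1)] = match.group(2)
    return tickets


def ticket_for_spn(klist_output, spn):
    """Realm of the cached ticket for spn (compared case-insensitively), or None."""
    for cached, realm in cached_service_tickets(klist_output).items():
        if cached.lower() == spn.lower():
            return realm
    return None


def diagnose(url, headers, klist_output):
    """Run the checks after a failed request: name/SPN, server challenge, ticket cache."""
    spn, findings = derive_spn(url)
    schemes = offered_schemes(headers)
    if "negotiate" not in schemes:
        findings.append("server did not offer Negotiate (offered: %s)" % (", ".join(sorted(schemes)) or "nothing"))
    realm = ticket_for_spn(klist_output, spn)
    if realm is None:
        # After an attempt, an empty slot means the KDC issued nothing for this SPN.
        findings.append("no ticket for %s in the cache after the attempt; check that the SPN is "
                        "registered and that the host maps to a realm" % spn)
    else:
        findings.append("ticket for %s@%s is cached; check the SPN on the service account next" % (spn, realm))
    return spn, findings


if __name__ == "__main__":
    for url in ("http://service_link", "http://livy.corp.example.com/sessions"):
        spn, findings = diagnose(url, SAMPLE_401_HEADERS, SAMPLE_KLIST)
        print(url, "->", spn)
        for finding in findings:
            print("  -", finding)
```

Running it on the two sample URLs shows the single-label name from the question flagged and no ticket for HTTP/service_link, while the FQDN is followed through its CNAME to the SPN that actually has a cached ticket. The WWW-Authenticate parsing is deliberately simple; it is enough to tell a server that only offers NTLM apart from one that offers Negotiate, which is the distinction the first answer asks you to confirm.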