Gerrit 2.15.12 - Kerberos + GSSAPI + Active Directory - possible bug in sending SPN
Running on RHEL 7.5 with Java 8. Kerberos 5 release 1.15.1.
We are seeing a strange behaviour with this set-up that has been seen in all versions since 2.11.10.
Note, I can't post direct logs or config as my company blocks this.
Steps to reproduce
1) Configure Gerrit to use Kerberos
gerrit.config
[container]
javaHome = <path to JRE>
javaOptions = -Djava.security.auth.login.config=<path to jaas.conf>
[auth]
type = LDAP
[ldap]
authentication = GSSAPI
server = ldap://<AD Realm>
<.. other AD related stuff..>
jaas.conf
KerberosLogin {
com.sun.security.auth.module.Krb5LoginModule
required
useTicketCache=true
doNotPrompt=true
renewTGT=true;
};
which is direct from the documentation.
2) kinit the keytab to create a ticket in the cache.
3) Try to login. It fails with "Server not found in Kerberos database (7)".
It will also fail if you change the jaas.conf to try and use the keytab directly.
You can access LDAP directly using the username/password, but due to company restrictions we can't have an unencrypted password at rest on a device, so this is not a viable long-term solution.
We have taken packet captures of the traffic to the AD Realm and we see the same behaviour whether we use the keytab or the cache.
1) For the kinit we see one request to AD with the SPN field set to the SPN from the keytab. This, of course, works fine.
2) For any request from Gerrit we see TWO requests to AD: the first has the correct SPN from the cache/keytab, the second tries to send an SPN of "ldap/" no matter what value of SPN is set. This second request is what is causing the error, as that SPN is not recognised by AD. Note, we have tried keytabs with various SPNs (HTTP/device, host/device, HTTP/device@ etc.). The same thing happens every time.
This may well be something very simple that is wrong in our config, but we have been banging our heads on this for weeks now.

The second request most likely shows up because you specified an LDAP server ldap://<AD Realm> in Gerrit's configuration. HTTP GSSAPI authentication may very well have succeeded at this point, but now the application needs to authenticate itself against the LDAP server before it can retrieve information about the user. That happens independently from the HTTP authentication itself.
It's normal that the SPN is not recognized because Active Directory generally doesn't use <AD Realm> to pick a domain controller – instead the individual server names have to be specified, e.g. ldap://dc01.ad.example.com. (Real AD clients choose a server automatically via DNS SRV records, but plain LDAP clients often don't support that.)
Note also that a keytab is essentially an unencrypted password at rest.
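Worked example added by the editor (it is not code from the question, the answer or the Gerrit project): it derives the service principal a GSSAPI LDAP client requests from the configured server URL, shows why the realm-as-host form from the question yields a principal the directory does not know, and goes one step beyond the answer by picking a domain controller from DNS SRV records the way real AD clients do. The realm AD.EXAMPLE.COM, the hosts dc02/dc03, the SRV answer and the set of registered SPNs are all constructed for the example; the "ldap/<host from the URL>" rule is the convention the question's captures and the answer describe.

```python
"""Added example (not Gerrit's or the answerer's code): derive the LDAP
service principal a GSSAPI client will request from the configured URL,
and pick a domain controller from DNS SRV records as real AD clients do.
All hostnames, SRV records and registered SPNs below are constructed."""
from dataclasses import dataclass
from random import Random
from urllib.parse import urlsplit


def ldap_spn_for_url(url: str) -> str:
    """SPN requested for an LDAP URL: service "ldap" plus the host exactly
    as written in the URL (the convention the page describes).
    urlsplit lower-cases the host, which is why the realm name comes back
    as ad.example.com rather than AD.EXAMPLE.COM."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    if not parts.hostname:
        raise ValueError(f"LDAP URL has no host: {url}")
    return f"ldap/{parts.hostname}"


# Constructed: ldap/ principals the domain controllers of realm AD.EXAMPLE.COM
# have registered. Only per-host principals exist, none for the realm name.
REGISTERED_SPNS = frozenset({
    "ldap/dc01.ad.example.com",
    "ldap/dc02.ad.example.com",
    "ldap/dc03.ad.example.com",
})


def spn_is_registered(url: str, registered=REGISTERED_SPNS) -> bool:
    """True when the principal derived from the URL exists in the directory."""
    return ldap_spn_for_url(url) in registered


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer for _ldap._tcp.ad.example.com (what a SRV lookup would return).
SRV_RECORDS = [
    SrvRecord(0, 100, 389, "dc01.ad.example.com"),
    SrvRecord(0, 100, 389, "dc02.ad.example.com"),
    SrvRecord(10, 100, 389, "dc03.ad.example.com"),  # lower-preference backup DC
]


def choose_srv_target(records, seed=None) -> SrvRecord:
    """RFC 2782 selection: the lowest priority value wins; ties are broken by
    a weighted random choice so load spreads across equal-priority DCs."""
    if not records:
        raise LookupError("no SRV records")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    rng = Random(seed)
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randrange(total)
    running = 0
    for rec in candidates:
        running += rec.weight
        if pick < running:
            return rec
    return candidates[-1]  # not reached: pick is always below the final running sum


def ldap_url_for_srv(rec: SrvRecord) -> str:
    """Value for `server =` in Gerrit's [ldap] section, omitting the default port."""
    if rec.port == 389:
        return f"ldap://{rec.target}"
    return f"ldap://{rec.target}:{rec.port}"


def explain(url: str) -> str:
    """One-line diagnosis of what the KDC will say about the URL's principal."""
    spn = ldap_spn_for_url(url)
    if spn in REGISTERED_SPNS:
        state = "registered"
    else:
        state = "NOT registered: expect 'Server not found in Kerberos database (7)'"
    return f"{url} -> {spn}: {state}"


if __name__ == "__main__":
    # The realm-as-host form from the question's gerrit.config:
    print(explain("ldap://AD.EXAMPLE.COM"))
    # A concrete DC chosen via SRV, as the answer recommends:
    chosen = choose_srv_target(SRV_RECORDS, seed=1)
    print(explain(ldap_url_for_srv(chosen)))
```

Running the block prints the realm URL mapping to a principal absent from the constructed directory, then a dc01/dc02 URL whose principal is present; swapping the `server =` value for the second form is exactly the change the answer suggests. A real lookup of `_ldap._tcp.<realm>` would replace the constructed SRV_RECORDS list.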