
Error: Java GSS-API with SPNEGO: Server not found in Kerberos database (7)

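I'm trying to get this tutorial to work: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/lab/part5.html

I'm running a Kerberos KDC on a VM and set it up using this guide: http://techpubs.spinlocksolutions.com/dklar/kerberos.html

I have set up two principals: jessica@REALM.COM and host/jessica-ThinkPad-X220@REALM.COM. The key for the second one is saved in a keytab that I copied from the VM to my test machine.

I can ping the KDC and get a ticket using kinit.

I compiled all the code samples (Jaas.java, GssSpNegoServer.java, GssSpNegoClient.java) without making any changes to the tutorial.

This is my jaas-krb5.conf: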

client {
com.sun.security.auth.module.Krb5LoginModule required
principal="jessica";
};

server {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
storeKey=true
keyTab=krb5.keytab
principal="host/jessica-ThinkPad-X220";
};

I'm starting the server with java -Djava.security.auth.login.config=jaas-krb5.conf GssSpNegoServer

Then, in another window, I start the client with java -Djava.security.auth.login.config=jaas-krb5.conf GssSpNegoClient host hostname, which gives me the following error:

$ java -Djava.security.auth.login.config=jaas-krb5.conf GssSpNegoClient host jessica-ThinkPad-X220
Kerberos-Password for jessica: 
Authenticated principal: [jessica@REALM.COM]
Connected to address jessica-ThinkPad-X220/192.168.178.78
Exception in thread "main" java.security.PrivilegedActionException: GSSException: No valid credentials provided (Mechanism level: No valid  credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER))
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at Jaas.loginAndAction(Jaas.java:53)
at GssSpNegoClient.main(GssSpNegoClient.java:56)
Caused by: GSSException: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER))
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:454)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at GssSpNegoClient$GssClientAction.run(GssSpNegoClient.java:129)
... 4 more
Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
... 7 more
Caused by: KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:259)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:270)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:302)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:120)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:693)
... 11 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.TGSRep.init(TGSRep.java:65)
at sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55)
... 17 more

I don't know what I'm doing wrong. Can somebody help?

First, check which server it is looking for in the Kerberos log (for me, located at /var/log/auth.log). You will see the corresponding log entry there:

krb5kdc[5157]: TGS_REQ (3 etypes {18 17 16}) x.x.x.x: LOOKING_UP_SERVER: authtime 0,  ex/admin@EXAMPLE for ex2/y.y.y.y@EXAMPLE, Server not found in Kerberos database

Make sure to change y.y.y.y to the hostname of the corresponding system, and add the hostname to the hosts file (i.e. /etc/hosts).
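
To run the answer's log check over a whole KDC log, this added example (not part of the original answer) extracts each LOOKING_UP_SERVER failure and reports how the requested service principal differs from the principals the KDC holds. The log lines and the `KNOWN` list (for instance taken from kadmin's `listprincs`) are constructed sample data, and the regex assumes the line shape quoted in the answer.

```python
import ipaddress
import re

# Line shape follows the krb5kdc entry quoted in the answer.
TGS_FAIL = re.compile(
    r"TGS_REQ \(.*?\) (?P<src>\S+): LOOKING_UP_SERVER: authtime \d+,\s+"
    r"(?P<client>\S+) for (?P<service>[^,\s]+), ")

# Constructed sample data, reusing the names from the question.
KNOWN = ["jessica@REALM.COM", "host/jessica-ThinkPad-X220@REALM.COM"]
PREFIX = "krb5kdc[5157]: TGS_REQ (3 etypes {18 17 16}) 192.168.178.78: LOOKING_UP_SERVER: authtime 0,  "
SUFFIX = ", Server not found in Kerberos database"
SAMPLE_LOG = [
    PREFIX + "jessica@REALM.COM for host/192.168.178.78@REALM.COM" + SUFFIX,
    PREFIX + "jessica@REALM.COM for host/jessica-thinkpad-x220@REALM.COM" + SUFFIX,
    "krb5kdc[5157]: commencing operation",
]


def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def diagnose(requested, known):
    """Describe how a requested SPN differs from the principals the KDC holds."""
    service, host, realm = split_principal(requested)
    try:
        ipaddress.ip_address(host)
        return "host part is an IP address, not a hostname"
    except ValueError:
        pass
    for k in known:
        k_service, k_host, k_realm = split_principal(k)
        if (k_service, k_realm) != (service, realm) or k == requested:
            continue
        if k_host.lower() == host.lower():
            return "differs only in case from " + k
        if k_host.lower().split(".")[0] == host.lower().split(".")[0]:
            return "short name / FQDN mismatch with " + k
    return "no similar principal in the known list"


def failed_lookups(lines, known):
    """Return (client, requested SPN, diagnosis) per LOOKING_UP_SERVER failure."""
    hits = (TGS_FAIL.search(line) for line in lines)
    return [(m["client"], m["service"], diagnose(m["service"], known)) for m in hits if m]
```

Calling `failed_lookups(SAMPLE_LOG, KNOWN)` returns one tuple per failed TGS request; the requested principal in each tuple is the name that has to exist in the KDC database exactly as written.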
