当前位置: 首页 > 知识库问答 >
问题:

Redmine的GSSAPI身份验证失败

吕霖
2023-03-14
[http:trace4] [pid 29360] http_request.c(316): [client 192.168.0.10:47380]   Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKADk4AAAADw==
[rewrite:trace2] [pid 29360] mod_rewrite.c(470): [client 192.168.0.10:47380] 192.168.0.10 - - [redmine.mydomain.com/sid#558a80593c58][rid#558a806408f0/initial] init rewrite engine with requested uri /
[rewrite:trace1] [pid 29360] mod_rewrite.c(470): [client 192.168.0.10:47380] 192.168.0.10 - - [redmine.mydomain.com/sid#558a80593c58][rid#558a806408f0/initial] pass through /
[authz_core:debug] [pid 29360] mod_authz_core.c(809): [client 192.168.0.10:47380] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[authz_core:debug] [pid 29360] mod_authz_core.c(809): [client 192.168.0.10:47380] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[auth_gssapi:debug] [pid 29360] mod_auth_gssapi.c(900): [client 192.168.0.10:47380] URI: /, no main, no prev
[auth_gssapi:error] [pid 29360] [client 192.168.0.10:47380] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [An unsupported mechanism was requested (Unknown error)]
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 default_keytab_name = /etc/krb5.keytab
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 24h
 forwardable = true
 default_tgs_enctypes = aes256-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96

[realms]
 MYDOMAIN.COM = {
  kdc = mydc.mydomain.com
  admin_server = mydc.mydomain.com
  default_domain = mydomain.com
  kpasswd_server = mydc.mydomain.com
 }

[domain_realm]
 .mydomain.com = MYDOMAIN.COM
 mydomain.com = MYDOMAIN.COM
# klist -ek /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTPS/redmine.mydomain.com@MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
# kinit -V -kt /etc/krb5.keytab -p HTTPS/redmine.mydomain.com@MYDOMAIN.COM
Using default cache: /tmp/krb5cc_0
Using principal: HTTPS/redmine.mydomain.com@MYDOMAIN.COM
Using keytab: /etc/krb5.keytab
Authenticated to Kerberos v5
#
# klist -Af
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTPS/redmine.mydomain.com@MYDOMAIN.COM

Valid starting       Expires              Service principal
02/15/2019 16:31:47  02/16/2019 02:31:47  krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
        renew until 02/16/2019 16:31:47, Flags: FPRIA

我的keytab由以下命令生成:

ktpass -princ HTTPS/redmine.mydomain.com@MYDOMAIN.COM -mapuser serviceuser -pass my_password -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out redmine.keytab -mapOp set

SPN信息

C:\>setspn -L serviceuser
Registered ServicePrincipalNames for CN=serviceuser,OU=Pseudo Accounts,OU=Managed Objects,DC=mydomain,DC=com:
        HTTPS/redmine.mydomain.com

C:\>setspn -Q HTTPS/redmine.mydomain.com
Checking domain DC=mydomain,DC=com
CN=serviceuser,OU=Pseudo Accounts,OU=Managed Objects,DC=mydomain,DC=com
        HTTPS/redmine.mydomain.com

Existing SPN found!

看起来我的keytab没问题。

<VirtualHost *:80>
    ServerAdmin admin@mydomain.com
    ServerName redmine.mydomain.com
    Redirect "/" "https://redmine.mydomain.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin admin@mydomain.com
    ServerName redmine.mydomain.com
    DocumentRoot /var/www/redmine/public/


    # SSL
    # Enable SSL with Perfect Forward Secrecy
    SSLEngine on
    SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
    SSLCompression off
    SSLCertificateFile /etc/ssl/certs/mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/mydomain.com.key

    ## Passenger Configuration

    RailsBaseURI /
    PassengerAppRoot /var/www/redmine
    PassengerRuby /usr/local/rvm/gems/ruby-2.4.4/wrappers/ruby
    PassengerFriendlyErrorPages on
    RailsSpawnMethod smart
    RailsAppSpawnerIdleTime 3600
    PassengerMaxPreloaderIdleTime 0
    PassengerMaxRequests 5000

    PassengerUser apache
    PassengerGroup apache

    <Directory /var/www/redmine/public>
            Options +Indexes +FollowSymLinks -MultiViews
            AllowOverride All
            <IfVersion < 2.3 >
                    Order allow,deny
                    Allow from all
            </IfVersion>
            <IfVersion >= 2.3>
                    Require all granted
            </IfVersion>
    </Directory>

    # SSO start 

    <Location "/">
        RewriteEngine     On
        RewriteCond       %{IS_SUBREQ} ^false$
        RewriteCond       %{LA-U:REMOTE_USER} (.+)
        RewriteRule       . - [E=RU:%1]
        RequestHeader     add REMOTE_USER %{RU}e

        SSLRequireSSL
        AuthType GSSAPI
        AuthName "login:"
        GssapiSSLonly On
        GssapiAllowedMech krb5
        GssapiCredStore keytab:/etc/krb5.keytab
        GssapiLocalName On
        GssapiBasicAuth On

        Require valid-user
    </Location>

    # SSO end   

    #AddOutputFilter DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css

    #BrowserMatch ^Mozilla/4 gzip-only-text/html
    #BrowserMatch ^Mozilla/4.0[678] no-gzip
    #BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

    ErrorLog /var/log/httpd/redmine.error.log
    LogLevel trace8
    CustomLog /var/log/httpd/redmine.access.log combined
    ServerSignature Off

</VirtualHost>
elsif (forwarded_user = request.env["REMOTE_USER"])
    # web server authentication
    user = (User.find_by_login(forwarded_user) rescue nil)
  def find_current_user
    user = nil
    unless api_request?
      if session[:user_id]
        # existing session
        user = (User.active.find(session[:user_id]) rescue nil)
      # Start custom settings
      elsif (forwarded_user = request.env["REMOTE_USER"])
        # web server authentication
        user = (User.find_by_login(forwarded_user) rescue nil)
      # End custom settings
      elsif autologin_user = try_to_autologin
        user = autologin_user
      elsif params[:format] == 'atom' && params[:key] && request.get? && accept_rss_auth?
        # RSS key authentication does not start a session
        user = User.find_by_rss_key(params[:key])
      end
    end
network.negotiate-auth.delegation-uris = mydomain.com
network.negotiate-auth.trusted-uris = mydomain.com

共有1个答案

勾学博
2023-03-14

我通过为服务用户添加HTTP主体并用HTTP和HTTPS主体重新创建keytab来解决我的问题。

C:\>setspn -L serviceuser
Registered ServicePrincipalNames for CN=serviceuser,OU=Pseudo Accounts,OU=Managed Objects,DC=mydomain,DC=com:
        HTTP/redmine.mydomain.com
        HTTPS/redmine.mydomain.com

C:\>setspn -Q HTTP/redmine.mydomain.com
Checking domain DC=mydomain,DC=com
CN=serviceuser,OU=Pseudo Accounts,OU=Managed Objects,DC=mydomain,DC=com
        HTTP/redmine.mydomain.com
        HTTPS/redmine.mydomain.com

Existing SPN found!

然后分两步创建keytab:

ktpass -princ HTTP/redmine.mydomain.com@MYDOMAIN.COM -mapuser serviceuser -pass password -ptype KRB5_NT_PRINCIPAL -crypto All -out HTTP_redmine.keytab -mapOp set 

ktpass -princ HTTPS/redmine.mydomain.com@MYDOMAIN.COM -mapuser serviceuser -pass password -ptype KRB5_NT_PRINCIPAL -crypto All -in HTTP_redmine.keytab -out HTTPS_redmine.keytab -mapOp set

在第二步中,我从第一步中用HTTP SPN导入了key tab。

 类似资料:
  • 我有一个使用Kafka Streams API的应用程序。我在当地工作时没有问题。我想连接到远程Kafka代理进行阶段测试。远程Kafka代理设置为使用GSSAPI sasl机制并使用Kerberos。我运行用java编写的Streams应用程序时出错。在我查找错误消息后,我找到了答案,但仍然有问题。 错误消息;获取相关id为3的元数据时出错:{[APPID]-KTABLE-AGGREGATE-S

  • Tweepy API请求twitter return me Twitter错误响应:状态代码=401。 这是我的实际代码: 我曾试图用tweepy软件包删除推文,并获得了所有必需的密钥。镊子包装不起作用吗?有人能帮我解决这个问题吗。

  • http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.3.xsd“>

  • 问题内容: 尝试使用JavaMail中的NTLM连接到Exchange服务器。我可以连接到SMTP,但不能连接到IMAP。我还可以使用相同的主机/用户名/密码通过OS X Mail.app应用程序进行身份验证,帐户类型=“ IMAP”,端口143,ssl = false,authentication = NTLM,域名=“。 连接代码: 输出: 我尝试通过http://www.oracle.com

  • 我相对来说是JMeter的新手,但是我很难让HTTP Sampler登陆到一个安全的网页上。我认为它需要NTLM认证,所以我使用HTTP授权管理器来传递BlazeMeter指南中指定的凭证 我的授权管理器具有以下值: 基本网址: https:// [测试站点] 用户名: [我的用户名] 密码: [我的密码] 域:与基本网址相同 机制: BASIC_DIGEST 然而,我只是得到一个401错误(见下

  • 尝试访问私有公司 tfs。他们通过向Windows用户(域\登录)授予适当的权限来授予我访问权限。 我可以很好地访问tfs的web界面,浏览存储库和其他东西。 但当我试图逃跑 它失败了 尝试与家用PC没有公司网络的东西 - 同样的错误。 在PowerShell、Git Bash、Clone via VisualStudio中尝试过-同样的错误。 SSH关闭(给定请求超时)。 网络 企业助手试图帮助