通过IP地址访问受Kerberos保护的站点时出现问题.
例如:
例如:
http:/10.10.1.x:3001 /失败.
http:/ my-host:3001 / sso成功完成.
Apache错误日志说:
src/mod_auth_kerb.c(1261): [client 10.10.1.x] Acquiring creds for
HTTP@10.10.1.x [client 10.10.1.x] gss_acquire_cred() Failed:
Unspecified GSS failure. Minor code may provide more information (Key
table entry not found)src/mod_auth_kerb.c(1261): [client 10.10.1.x Acquiring creds for
HTTP@my-host [debug] src/mod_auth_kerb.c(1407): [client 10.10.1.x]
Verifying client data using KRB5 GSS-API [debug]
src/mod_auth_kerb.c(1423): [client 10.10.1.x] Verification returned
code 0
正如您所见,Kerberos尝试查找HTTP@10.10.1.x或HTTP @ my-host主体.两个主体都在ActiveDirectory中创建了虚拟帐户.在keytab文件中还包括它们:
KVNO Timestamp Principal ---- ----------------- ----------------------------------------------------- 5 01/01/70 03:00:00 HTTP/10.10.1.x@MY_DOMAIN.LAN (ArcFour with HMAC/md5) 11 09/04/12 12:03:01 HTTP/my-host@MY_DOMAIN.LAN (ArcFour with HMAC/md5)
Kinit适用于他们两个.
服务器上的Kerberos配置:
Krb5Keytab /etc/krb5.keytab AuthType Kerberos KrbMethodNegotiate On AuthName "Kerberos Login" KrbAuthRealms MY_DOMAIN.LAN KrbVerifyKDC Off KrbMethodK5Passwd On Require valid-user
有人可以猜到问题出在哪里了吗?是否可以在Kerberos SSO中使用IP地址?
Kerberos不适用于IP地址,它仅依赖于域名和正确的DNS条目.