How to retrieve group membership from a Kerberos ticket?

Question

I am trying to extract group membership information from a Kerberos ticket generated on windows2008r2.

In a URL, I found the following statement: Kerberos is also looking into mechanisms to include group membership information in Kerberos authorization data. Although it would be favourable to include group names into ACLs, GSS-API currently does not have a mechanism to support this.

It seems Microsoft has extended Kerberos to include group membership based on this URL: http://msdn.microsoft.com/en-us/library/ms817918.aspx: The Kerberos Authentication Group Membership Extensions extend the Kerberos Authentication Network Service (version 5) specification to support interactive logon authentication and group membership information for the Microsoft Windows operating system. Extensions include the Privilege Access Certificate (PAC) structure, located in the authorization data field of the Kerberos v5 ticket.

That URL references a field (Authorization Data) in the ticket that I cannot determine how to access using this API: http://docs.oracle.com/javase/6/docs/api/org/ietf/jgss/GSSContext.html

Does anyone know how to get access to that field? Or perhaps guidance on how to extract the group information from a Kerberos Ticket Generated on Windows2008r2.

I am writing in Java, but would also be willing to write in C. The logic to extract the group information from the ticket is running on UNIX despite using Windows as the Kerberos server.

Thank you for any help you can give me!

Recommended answer

There is no native support in Java for reading the PAC fields. The JaasLounge project claims to have a working PAC decoder. If you want to use C, Heimdal has PAC support. I do not know to what extent that works. Good luck!

Another way would be: if you have some spare time, grab Microsoft's documentation and read the bytes yourself from the Kerberos ticket and create an open source project from it :-D
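As an added example (not part of the original answer, and not code from JaasLounge or Heimdal), this is what the first step of reading the PAC bytes yourself can look like in C: walking the PACTYPE buffer directory described in Microsoft's PAC documentation to locate the logon information buffer, which carries the group membership. It assumes the PAC blob has already been taken out of the decrypted ticket's authorization data; `pac_find_buffer` and `SAMPLE_PAC` are hypothetical names, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAC_LOGON_INFO 1u /* ulType of the KERB_VALIDATION_INFO buffer (groups live here) */

/* Constructed sample, not a real PAC: 2 directory entries, 4-byte dummy payloads. */
static const uint8_t SAMPLE_PAC[56] = {
    2,0,0,0,  0,0,0,0,                        /* cBuffers = 2, Version = 0 */
    1,0,0,0,  4,0,0,0,  40,0,0,0,0,0,0,0,     /* type 1, size 4, offset 40 */
    6,0,0,0,  4,0,0,0,  48,0,0,0,0,0,0,0,     /* type 6 (server checksum), size 4, offset 48 */
    0xAA,0xAA,0xAA,0xAA, 0,0,0,0,
    0xBB,0xBB,0xBB,0xBB, 0,0,0,0,
};

/* PAC header fields are little-endian. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const uint8_t *p) {
    return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32;
}

/* Find the buffer with the given ulType in a PACTYPE blob.
 * Returns 0 and sets *off and *len, or -1 if the blob is malformed or has no such buffer. */
int pac_find_buffer(const uint8_t *pac, size_t n, uint32_t type, size_t *off, size_t *len) {
    if (n < 8 || le32(pac + 4) != 0) return -1;          /* header present, Version == 0 */
    uint32_t count = le32(pac);                           /* cBuffers */
    if (count > (n - 8) / 16) return -1;                  /* directory must fit in the blob */
    size_t dir_end = 8 + (size_t)count * 16;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = pac + 8 + (size_t)i * 16;      /* PAC_INFO_BUFFER entry */
        uint32_t ul_type = le32(e), size = le32(e + 4);
        uint64_t offset = le64(e + 8);
        /* Reject any entry pointing into the directory or past the end. */
        if (offset < dir_end || offset > n || size > n - offset) return -1;
        if (ul_type == type) { *off = (size_t)offset; *len = size; return 0; }
    }
    return -1;
}

int main(void) {
    size_t off, len;
    if (pac_find_buffer(SAMPLE_PAC, sizeof SAMPLE_PAC, PAC_LOGON_INFO, &off, &len) == 0)
        printf("logon info at offset %zu, %zu bytes\n", off, len);
    return 0;
}
```

The logon information buffer found this way is an NDR-encoded KERB_VALIDATION_INFO structure that still has to be decoded to reach the group identifiers. The PAC's signature buffers should be verified before any of those groups are used in an authorization decision.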
