Kerberos:Windows 8.1上的kinit导致空票证缓存 [英] Kerberos: kinit on Windows 8.1 leads to empty ticket cache

问题描述

我在新设置的Windows 8.1计算机上安装了Kerberos for Windows.

I installed Kerberos for Windows on a new set-up Windows 8.1 machine.

• 域:未设置
• 工作组:工作组

我在C:\ProgramData\MIT\Kerberos5目录中编辑了krb5.ini文件，如下所示:

I edited the krb5.ini file in C:\ProgramData\MIT\Kerberos5 directory like this:

[libdefaults]
  default_realm = HSHADOOPCLUSTER.DE

[realms]
  HSHADOOPCLUSTER.DE = {
    admin_server = had-job.server.de
    kdc = had-job.server.de
  }

重新启动后，我做了一个kinit -kt daniel.keytab daniel以通过控制台针对Realm对我进行身份验证.另外，通过Kerberos Ticket Manager通过用户名和密码获取票证似乎也可以正常工作，因为该票证显示在UI中.

After a restart, I made a kinit -kt daniel.keytab daniel to authenticate me against the Realm via console. Also getting a ticket by user and password via the Kerberos Ticket Manager seems to work fine, as the ticket is shown in the UI.

我想知道的是，当我呼叫klist时，我得到一个空列表，上面写着类似cached tickets: 0的内容:

What I'm wondering about is, that when I call a klist I get an empty list back, which says something like cached tickets: 0:

这对我来说似乎不正常，因为我的Ubuntu计算机在kinit之后显示了klist的有效票证.

This seems not normal to me, as my Ubuntu computer shows valid tickets by klist after a kinit.

我做错了什么?还有其他配置吗?有时我读到有关ksetup工具的信息，但是我不知道这里哪些设置是必需的，哪些不是...

What am I doing wrong? Is there some more configuration to do? Sometimes I read about a ksetup tool, but I don't know which settings here are neccessary and which not...

================================================ ============

============================================================

设置后

[libdefaults] 
  ... 
  default_ccache_name = FILE:C:/ProgramData/Kerberos/krb5cc_%{uid}

在我的krb5.conf中的

中，通过控制台和Kerberos Ticket Manager的kinit命令会在指定路径中创建一个文件.到目前为止，一切看起来都很好.

in my krb5.conf, the kinit command via console and via Kerberos Ticket Manager creates a file in the specified path. So far everything looks good.

但是:kinit命令使用不同的文件名(长名和短名)创建票证，具体取决于我是否以"admin"(短名)(长名)运行控制台，请参见下面的屏幕快照. Kerberos票证管理器仅显示其中一个票证:

But: The kinit command creates tickets with very different file names (long vs. short), depending if I run the console as "admin" (short name) or not (long name), see the screenshot below. The Kerberos Ticket Manager only shows one of the tickets:

• 如果以管理员身份运行:
  • 显示我通过管理控制台创建的票证
  • 创建带有短文件名的票证文件
  • If run as admin:
    • Shows the ticket I created via admin console
    • Creates ticket files with short file names
    • 显示我通过普通"控制台创建的票证
    • 创建带有长文件名的票证文件

    klist命令仍然不显示缓存的票证，而与是否以管理员身份打开控制台无关.

    The klist command still doesn't show the cached tickets, independent if console was opened as admin or not.

    推荐答案

    麻省理工学院支持多种凭证缓存 Kerberos库.并非所有平台都支持全部...
    - FILE 缓存是最简单，最可移植的.一种简单的平面文件格式用于一个证书一个又一个的存储.这是 默认...
    - API 仅在Windows上实现.它与将凭据保存在内存中的服务器进程通信...
    
    默认 凭据缓存名称由...确定.
    -KRB5CCNAME环境变量...
    - [libdefaults]
    中的default_ccache_name配置文件变量 -硬编码默认值DEFCCNAME

    There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform ...
    - FILE caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default...
    - API is only implemented on Windows. It communicates with a server process that holds the credentials in memory...
    
    The default credential cache name is determined by ...
    - The KRB5CCNAMEenvironment variable...
    - The default_ccache_name profile variable in [libdefaults]
    - The hardcoded default, DEFCCNAME

    但是AFAIK，在Windows上，硬编码的默认缓存为 API: ，这就是您可以使用UI进行管理的内容. kinit默认情况下也使用该协议.

    But AFAIK, on Windows the hard-coded default cache is API: and that's what you can manage with the UI. kinit also uses that protocol by default.

    即使使用标准"语法，我个人也永远无法使用klist来使用该协议，即
       klist -c API:
    或
       set KRB5CCNAME=API:
   klist

    I personally never could use klist to use that protocol, even with the "standard" syntax i.e. either
      klist -c API:
    or
      set KRB5CCNAME=API:
  klist

    另一方面，如果将KRB5CCNAME指向FILE:*****，则可以先kinit然后klist工单；但它不会显示在用户界面中，并且将无法用于网络浏览器等.

    On the other hand, if you point KRB5CCNAME to a FILE:***** then you can kinit then klist the ticket; but it will not show in the UI and will not be available to web browsers and the like.

    这篇关于Kerberos:Windows 8.1上的kinit导致空票证缓存的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！