Kerberos Client not found in kerberos database


Problem description

I've been running the following commands on W12 Server :-

setspn -A HTTP/ krbspn

ktpass /princ HTTP/@ /crypto ALL /ptype krb5_nt_principal /mapuser krbspn c:\ticket\krbspn.keytab -kvno 0 /pass Pa$$w0rd

and kinit krbspn gives the correct result, however kinit HTTP/ returns :-

KrbException: Client not found in Kerberos database (6)
    at sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
    at sun.security.krb5.internal.tools.Kinit.(Kinit.java:221)
    at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:143)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:65)
    at sun.security.krb5.internal.ASRep.(ASRep.java:60)
    at sun.security.krb5.KrbAsRep.(KrbAsRep.java:60)
    ... 4 more

I have already checked with forward and reverse DNS and they are working fine.

Interesting fact :-

I had used these exact commands with the same SPN name on this same machine and everything was working fine for months. But 2 days back just to demo I did :-

setspn -D HTTP/ krbspn

and then did the above commands again, and now it's broken :-(

Thanks for your help.

Thanks, Nikhil

Recommended answer

  1. setspn -A HTTP/ krbspn has a gap of whitespace after / and before krbspn. There must not be any gap there.
  2. In ktpass /princ HTTP/@ /crypto ALL, there must be some kind of hostname specified after HTTP/ and before @, preferably a fully-qualified DNS name.
  3. kinit HTTP/ by itself will always fail, because the SPN argument is incomplete, you must have some kind of hostname following HTTP/ or else lookups into the KDC won't find anything.

For an example of how to run the ktpass command, refer to this link: Kerberos Keytabs – Explained. The example ktpass command is down towards bottom of the article. If you follow this, the SPN and Keytab will be correctly built and if you followed everything else correctly Kerberos authentication will be successful.
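The three points in the answer can be checked mechanically before a command is run. The following is an added example, not part of the original question or answer: a small Python linter that pulls the principal argument out of a `setspn`, `ktpass` or `kinit` command line and reports the defects the answer lists. It checks syntax only and does not query the KDC; the host `web01.example.com` and realm `EXAMPLE.COM` used with it are constructed placeholders.

```python
import shlex

def check_spn(spn, need_realm=False):
    """Return problems in a service principal of the form service/host[@REALM]."""
    name, _at, realm = spn.partition("@")
    service, slash, host = name.partition("/")
    problems = []
    if not slash or not service:
        problems.append("no service class before '/'")
    if not host:
        problems.append("no hostname after '/'")
    elif "." not in host:
        problems.append("hostname is not fully qualified (preferred)")
    if need_realm and not realm:
        problems.append("no realm after '@'")
    return problems

def lint_command(cmdline):
    """Find the principal argument of setspn, ktpass or kinit and check it."""
    argv = shlex.split(cmdline, posix=False)  # posix=False keeps Windows backslashes
    tool = argv[0].lower()
    lowered = [a.lower() for a in argv]
    if tool == "setspn":
        # setspn -A|-S|-D <SPN> <account>: the SPN is the token after the switch
        idx = next(i for i, a in enumerate(lowered) if a in ("-a", "-s", "-d"))
        spn = argv[idx + 1]
        problems = check_spn(spn)
        if spn.endswith("/") and len(argv) > idx + 2:
            problems.append("whitespace directly after '/'")
        return problems
    if tool == "ktpass":
        # ktpass needs the full principal, realm included
        idx = next(i for i, a in enumerate(lowered) if a in ("/princ", "-princ"))
        return check_spn(argv[idx + 1], need_realm=True)
    if tool == "kinit":
        principal = argv[-1]
        # a bare user name such as krbspn is fine; only check service principals
        return check_spn(principal) if "/" in principal else []
    raise ValueError("unsupported tool: " + tool)

if __name__ == "__main__":
    for cmd in ("setspn -A HTTP/ krbspn",                       # from the question
                "ktpass /princ HTTP/@ /crypto ALL",             # from the question
                "kinit HTTP/",                                  # from the question
                "setspn -A HTTP/web01.example.com krbspn"):     # constructed
        print(cmd, "->", lint_command(cmd) or "ok")
```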
