3

我在 kerberizing 主机 tpno 时遇到了一些困难。我正在关注http://grolmsnet.de/kerbtut,它适用于其他人对未添加到 Windows 域的主机进行 kerbering 处理。

出于某种原因,问题似乎是客户端 NTLM 令牌。

我将介绍服务器的设置和状态,然后是测试客户端:

服务器

环境:

操作系统为 CentOS 5.9,

用 yum 安装 Kerberos、Apache 和 mod_auth_kerb:

httpd.x86_64                              2.2.3-76.el5.centos          installed
httpd-devel.i386                          2.2.3-76.el5.centos          installed
httpd-devel.x86_64                        2.2.3-76.el5.centos          installed

mod_auth_kerb.x86_64                      5.1-5.el5                    installed

krb5-devel.x86_64                         1.6.1-70.el5                 installed
krb5-libs.i386                            1.6.1-70.el5                 installed
krb5-libs.x86_64                          1.6.1-70.el5                 installed
krb5-workstation.x86_64                   1.6.1-70.el5                 installed
pam_krb5.i386                             2.2.14-22.el5                installed
pam_krb5.x86_64                           2.2.14-22.el5                installed

KDC/DC 是 Windows Server 2003 SP2

Kerberos:

我有一个域管理员创建 AD 帐户并运行 ktpass 将 SPN 映射到此帐户:

ktpass.exe /princ HTTP/t.p.no@TESTSONE2.P.LOCAL /mapuser testsone2\user 
/crypto DES-CBC-MD5 +DesOnly /Pass *** /ptype KRB5_NT_PRINCIPAL /out t.keytab

在我试图进行 kerberize 的服务器/主机上,我这样做是为了验证 kerberos 是否配置正确:

# kinit -V jhs@TESTSONE2.P.LOCAL
Password for jhs@TESTSONE2.P.LOCAL: 
Authenticated to Kerberos v5

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jhs@TESTSONE2.P.LOCAL

Valid starting     Expires            Service principal
05/13/13 15:32:13  05/14/13 01:32:17  krbtgt/TESTSONE2.P.LOCAL@TESTSONE2.P.LOCAL
  renew until 05/14/13 15:32:13


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

我检查了 KDC 是否向我发送了我的校长的票:

# kvno HTTP/t.p.no@TESTSONE2.P.LOCAL
HTTP/t.p.no@TESTSONE2.P.LOCAL: kvno = 9

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jhs@TESTSONE2.P.LOCAL

Valid starting     Expires            Service principal
05/13/13 15:32:13  05/14/13 01:32:17  krbtgt/TESTSONE2.P.LOCAL@TESTSONE2.P.LOCAL
  renew until 05/14/13 15:32:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5 
05/13/13 15:34:27  05/14/13 01:32:17  HTTP/t.p.no@TESTSONE2.P.LOCAL
  renew until 05/14/13 15:32:13, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5 

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

kvno 与 keytab 中的匹配:

# ktutil 
ktutil: rkt t.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    9 HTTP/t.p.no@TESTSONE2.P.LOCAL

tpno 是解析为反向解析为 tpno 的 IP 地址的 A 记录

这是我的虚拟主机配置,它是一个简单的乘客服务铁路应用程序。在使用身份验证相关指令添加 Location 部分之前测试工作:

<VirtualHost *:80>
  DocumentRoot /home/p/testapp/public
  ServerName t.p.no

  RackEnv staging
  RailsEnv staging

  <Directory /home/p/testapp/public>
    Options -MultiViews
  </Directory>

  <Location />
    AuthType Kerberos
    AuthName "Logg inn"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms TESTSONE2.P.LOCAL
    KrbServiceName HTTP # No difference if using full SPN here
    Krb5KeyTab /etc/httpd/keys/t.keytab
    require valid-user
  </Location>

  LogLevel debug
  CustomLog logs/t.p.no-access_log combined_forwarded
  ErrorLog logs/t.p.no-error_log

</VirtualHost>

当客户端在 Internet Explorer 中输入 tpno 时,Apache 会记录以下内容:

[debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1496): [client 139.x.x.201] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1151): [client 139.x.x.201] Acquiring creds for HTTP/t.p.no@TESTSONE2.P.LOCAL
[debug] src/mod_auth_kerb.c(1270): [client 139.x.x.201] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1286): [client 139.x.x.201] Verification returned code 589824
[debug] src/mod_auth_kerb.c(1313): [client 139.x.x.201] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[error] [client 139.116.152.201] gss_accept_sec_context() failed: Invalid token was supplied (No error)

客户

操作系统:Windows Server 2008 SP1

IE 已启用 IWA,并且http://tpno已添加到其 Intranet 主机列表中。

在客户端,当尝试访问 tpno 时,我在 Fiddler 中看到两个请求,首先,客户端不发送身份验证标头,服务器以状态 401 和标头 WWW-Authenticate: Negotiate 响应。

在第二个请求中,客户端发送一个标头: Authorization: Negotiate [token data] 在 fiddler 的 Auth-tab 中,显示了令牌数据:

-[NTLM Type1: Negotiation]------------------------------
Provider: NTLMSSP
Type: 1
OS Version: 6.1:7601
Flags:  0xe2088297
    Unicode supported in security buffer.
    OEM strings supported in security buffer.
    Request server's authentication realm included in Type2 reply.
    Sign (integrity)
    NTLM authentication.
    Negotiate Always Sign.
    Negotiate NTLM2 Key.
    Supports 56-bit encryption.
    Supports 128-bit encryption.
    Client will provide master key in Type 3 Session Key field.
Domain_Offset: 0; Domain_Length: 0; Domain_Length2: 0
Host_Offset: 0; Host_Length: 0; Host_Length2: 0
Host: 
Domain: 
------------------------------------

非常感谢所有帮助找出发送 NTLM 令牌的原因!

4

2 回答 2

1

如前所述,我的测试客户端是 2008 服务器 R2。一篇关于 Windows 7 客户端和 Windows Server 2008 R2的文章 ( http://support.microsoft.com/kb/977321 ) 指出,在这些产品中默认禁用 Kerberos 身份验证的 DES 加密。

我按照文章中的步骤在客户端上重新启用了 DES,KDC 是 2003,所以它应该仍然支持 DES。然后认证成功。

于 2013-05-22T10:41:27.533 回答
0

您的 krb5 软件包已过时。这些需要更新以支持更强的加密。

DES 绝对应该被禁用。我所有的 linux 系统都为 kerberos 使用 128 AES。

于 2015-08-27T16:10:51.113 回答