2

我正在尝试运行验证来自客户端的授权令牌的代码。我在一个函数中编写了这段代码:

 host = 'site_address'
state = None
service_name = f'HTTP@{host}'
try:
    rc, state = kerberos.authGSSServerInit(service_name)
    if rc != kerberos.AUTH_GSS_COMPLETE:
        return None
    rc = kerberos.authGSSServerStep(state, token)   <<<<< !!! ERROR !!!
    if rc == kerberos.AUTH_GSS_COMPLETE:
        self.kerberos_token = kerberos.authGSSServerResponse(state)
        self.kerberos_user = kerberos.authGSSServerUserName(state)
        return rc
    elif rc == kerberos.AUTH_GSS_CONTINUE:
        return kerberos.AUTH_GSS_CONTINUE
    else:
        return None
except kerberos.GSSError as error:
    LOGGER.error('Failed to perform the token verification due to %s', error)
    return None
finally:
    if state:
        kerberos.authGSSServerClean(state)

但是代码在rc = kerberos.authGSSServerStep(state, token)(标记代码中的行)处失败,并出现以下错误:

GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('Request ticket server HTTP/<site_address>@<realm_name> kvno 4 found in keytab but not with enctype rc4-hmac', 100005))

还将此错误扔到屏幕上:

[3302] 1547638447.877515: Failed to decrypt AP-REQ ticket: -1765328340/Request ticket server HTTP/base.testing.gc@TESTING.GC kvno 4 found in keytab but not with enctype rc4-hmac

我的问题是:为什么我会收到此消息?我在 Active Directory 中配置的用户标记为已This account supports Kerberos AES 256 bit encryption启用,并且使用enctypekeytab创建的文件。/crypto AES256-SHA1

为什么我的服务器(ubuntu 机器Ubuntu 18.04上的 docker-)试图用rc4-hmacenctype 对它进行加密?我该如何解决?

编辑也许我的问题应该是:谁告诉我enctype应该在哪个阅读keytab

4

1 回答 1

0

对我来说,它是trust configuration浏览器的 - 应该将站点添加到浏览器的受信任站点(Internet 选项 -> 安全 -> 本地 Internet -> 站点 -> 添加具有确切端口http/https和 **地址*的站点)。

出于某种奇怪的原因,enctype 的指令在令牌的标头中......或者这种加密有某种回退。

于 2019-01-16T14:29:48.723 回答