I create a TGT ticket using kinit and a TGS ticket using kvno cifs/. To make sure the tickets are cached, I run klist and get the following output:
```
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
22/06/25 12:48:10    22/06/25 22:48:10    krbtgt/[email protected]
        renew until 29/06/25 12:48:06
22/06/25 12:49:02    22/06/25 22:48:10    cifs/[email protected]
        renew until 29/06/25 12:48:06
```
But when I try to use the Java GSS API to load the tickets from the cache and use them, the only ticket found is the TGT:
```
Java config name: null
Native config name: /etc/krb5.conf
Loading config file from /etc/krb5.conf
Loading krb5 profile at /etc/krb5.conf
logging = {
}
libdefaults = {
    default_realm = PROXYREALM.TEST
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
}
realms = {
    PROXYREALM.TEST = {
        default_domain = PROXYREALM.TEST
        kdc = https://kdcproxy.proxyrealm.test/KdcProxy
        admin_server = kdcproxy.proxyrealm.test
        http_anchors = FILE:/etc/ssl/certs/ca-certificates.crt
    }
}
domain_realm = {
    .PROXYREALM.TEST = PROXYREALM.TEST
    PROXYREALM.TEST = PROXYREALM.TEST
    .proxyrealm.test = PROXYREALM.TEST
    proxyrealm.test = PROXYREALM.TEST
}
appdefaults = {
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
}
Loaded from native config
>>>KinitOptions cache name is /tmp/krb5cc_0
>>>DEBUG client principal is [email protected]
>>>DEBUG server principal is krbtgt/[email protected]
>>>DEBUG key type: 18
>>>DEBUG auth time: Sun Jun 22 12:48:10 IDT 2025
>>>DEBUG start time: Sun Jun 22 12:48:10 IDT 2025
>>>DEBUG end time: Sun Jun 22 22:48:10 IDT 2025
>>>DEBUG renew_till time: Sun Jun 29 12:48:06 IDT 2025
>>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL; PRE_AUTH;
>>>DEBUG client principal is [email protected]
>>>DEBUG server principal is krb5_ccache_conf_data/pa_type/krbtgt/PROXYREALM.TEST\@PROXYREALM.TEST@X-CACHECONF:
>>>DEBUG key type: 0
>>>DEBUG auth time: Thu Jan 01 02:00:00 IST 1970
>>>DEBUG start time: null
>>>DEBUG end time: Thu Jan 01 02:00:00 IST 1970
>>>DEBUG renew_till time: null
>>> CCacheInputStream: readFlags()
>>>DEBUG client principal is [email protected]
>>>DEBUG server principal is cifs/[email protected]
>>>DEBUG key type: 18
>>>DEBUG auth time: Sun Jun 22 12:48:10 IDT 2025
>>>DEBUG start time: Sun Jun 22 12:49:02 IDT 2025
>>>DEBUG end time: Sun Jun 22 22:48:10 IDT 2025
>>>DEBUG renew_till time: Sun Jun 29 12:48:06 IDT 2025
>>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; PRE_AUTH;
get normal credential
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Sun Jun 22 22:48:10 IDT 2025
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
```
I tried to use the following class to authenticate with the cached Kerberos tickets:
```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class GSSKdcProxyClient {
    public static final Oid KRB5_MECH_OID;

    static {
        try {
            KRB5_MECH_OID = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 OID
        } catch (Exception e) {
            throw new RuntimeException("Failed to initialize Kerberos OID", e);
        }
    }

    public static void main(String[] args) throws GSSException {
        // Let the Kerberos mechanism fall back to the native ticket cache instead of a JAAS Subject
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        System.setProperty("sun.security.krb5.debug", "true");
        try {
            GSSManager manager = GSSManager.getInstance();
            GSSName serverName = manager.createName("cifs/[email protected]", GSSName.NT_HOSTBASED_SERVICE);
            // Acquire credentials and create context
            GSSContext context = manager.createContext(serverName, KRB5_MECH_OID, null, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(false);
            context.initSecContext(new byte[0], 0, 0);
            if (context.isEstablished()) {
                System.out.println("GSS context established with: " + context.getSrcName());
            }
            context.dispose();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
I also tried a different naming convention with:

```java
GSSName serverName = manager.createName("DC1.proxyrealm.test", KRB5_PRINCIPAL_NT);
```

More details here: https://stackoverflow.com/questions/796 ... pi-in-java
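As an added example that is not the poster's code: the same handshake done the JAAS way, where Krb5LoginModule loads the credential cache that kinit and kvno filled into a Subject, and the GSS calls run under Subject.doAs. The cache path, realm and host DC1.proxyrealm.test are taken from the post; the class and JAAS entry names are invented, and the target is written in the service@host form that NT_HOSTBASED_SERVICE expects.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

public class TicketCacheGssClient {
    private static final Oid KRB5_MECH_OID; // Kerberos V5 mechanism, same OID the post uses
    static {
        try { KRB5_MECH_OID = new Oid("1.2.840.113554.1.2.2"); }
        catch (GSSException e) { throw new IllegalStateException(e); }
    }

    // Programmatic JAAS config: Krb5LoginModule reads the cache kinit populated (no password, no keytab)
    static Configuration ticketCacheConfig(String cachePath) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useTicketCache", "true");
        opts.put("ticketCache", cachePath);
        opts.put("doNotPrompt", "true");
        opts.put("debug", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule", LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // "ccache" is an invented entry name; the cache path is the one klist shows in the post
        LoginContext lc = new LoginContext("ccache", null, null, ticketCacheConfig("/tmp/krb5cc_0"));
        lc.login();
        Subject subject = lc.getSubject();
        // The Subject now holds the TGT from the cache; the Kerberos mechanism uses it for the cifs ticket.
        // NT_HOSTBASED_SERVICE takes "service@host"; the realm is resolved through krb5.conf.
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSName target = mgr.createName("cifs@DC1.proxyrealm.test", GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = mgr.createContext(target, KRB5_MECH_OID, null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false);
            try { return ctx.initSecContext(new byte[0], 0, 0); } // AP-REQ token for the cifs service
            finally { ctx.dispose(); }
        });
        System.out.println("initial context token: " + token.length + " bytes");
    }
}
```

Run it with -Dsun.security.krb5.debug=true as in the post to see whether the login module picks up the cached entries before initSecContext is reached.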