Kerberos authentication with mod_auth_kerb against ActiveDirectory and multiple realms
Our environment looks like this:
- we've got a forest of ActiveDirectory servers that trust each other.
- we've got a Linux Apache with mod_auth_kerb that authenticates against the "main" AD server.
For some combinations of clients & domains, we get the following error message:
krb5_get_init_creds_password() failed: KRB5 error code 68
Googling says this error:
is being returned by Active Directory because your users are
attempting to obtain a Kerberos TGT for a realm that
is not hosted on the server to which they are authenticating.
Is there a way to work around this?
Comments (1)
You forgot to add all necessary realms/KDCs to your krb5.conf. GSSAPI cannot obtain a ticket for an unknown realm.
The above example works perfectly with gssapi in our forest env.
To ease the configuration work, you may configure your krb5.conf to query DNS to look up the KDCs. This is what Windows does.
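Added example, not part of the original answer: a krb5.conf for a forest of trusting AD realms that both lists the KDCs explicitly and enables DNS SRV lookup as the answer suggests. All realm names and host names are placeholders; error code 68 is KDC_ERR_WRONG_REALM, which is what the KDC returns when it is asked for a TGT in a realm it does not serve.

```ini
# Constructed example krb5.conf (MIT krb5 syntax) for an AD forest with
# three trusting realms. Realm and host names are placeholders.
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    # Find KDCs via DNS SRV records (_kerberos._tcp.<REALM>) the way
    # Windows clients do, so realms not listed under [realms] still work.
    dns_lookup_kdc = true
    # Map host names to realms via DNS TXT records (_kerberos.<host>)
    # when no [domain_realm] entry matches.
    dns_lookup_realm = true
    # Do not canonicalise service host names through reverse DNS;
    # a wrong PTR record would otherwise yield a ticket for the wrong SPN.
    rdns = false

# Explicit KDCs: takes precedence over DNS discovery for these realms.
[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com
        admin_server = dc1.corp.example.com
    }
    SUB.CORP.EXAMPLE.COM = {
        kdc = dc1.sub.corp.example.com
    }
    PARTNER.EXAMPLE.NET = {
        kdc = dc1.partner.example.net
    }

# Map DNS domains (leading dot = all hosts beneath) to their realm so a
# user or service in a child or partner domain is sent to the right KDC.
[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
    .sub.corp.example.com = SUB.CORP.EXAMPLE.COM
    sub.corp.example.com = SUB.CORP.EXAMPLE.COM
    .partner.example.net = PARTNER.EXAMPLE.NET
    partner.example.net = PARTNER.EXAMPLE.NET
```

Before touching Apache, verify each realm from the web server with `kinit user@SUB.CORP.EXAMPLE.COM` (one per realm); if kinit itself returns error 68, the realm is still not resolvable to its own KDC. For mod_auth_kerb's password fallback, every realm named in `KrbAuthRealms` must be resolvable through this file or DNS in the same way.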