问题描述
我正在查看以下内容: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html ,并注意到它说我可以使用密码标志".我不知道该怎么做?
I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use the "password flag". I am not sure how to do this though?
我可以输入kinit
的密码而不提示我吗?
Can I enter the password for kinit
without it prompting me?
例如当前:
如果我输入:
$ kinit test@REALM
我得到回应:
test@REALM's password:
,我必须输入密码.无论如何,我可以输入 kinit test @ REALM密码这样的内容,这样它不会提示我吗?
and I have to enter the password. Is there anyway I can input something like kinit test@REALM password so it doesn't prompt me?
推荐答案
为该主体使用密钥表!
详细:我如何维护服务密钥表.
In detail: How do I a service keytab.
有多种方法,但我将假设以下内容:您正在将Active Directory作为KDC实现运行,后端在Unix或类似Unix的操作系统(例如CentOS,FreeBSD,HP-UX等)上运行.已安装MIT Kerberos或Heimdal,并且已正确配置krb5.conf
.
There are multiple ways, but I will assume the following: You are running Active Directory as your KDC implementation, you backend runs on a Unix or Unix-like OS like CentOS, FreeBSD, HP-UX, etc. You have also MIT Kerberos or Heimdal installed and the krb5.conf
is properly configured.
通过程序包/端口管理器安装 mskutil(1)
或从源代码进行编译.如果选择编译,请确保计算机上存在所有依赖项.
Install mskutil(1)
via package/ports manager or compile from source. If you choose to compile, make sure that all dependencies are present on your machine.
现在运行mskutil
:
$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name <samAccountName> \
--old-account-password <password> --dont-change-password --keytab <path>
用数据替换samAccountName
和password
.如果您适合使用自动生成的密码,请忽略dont-change-password
.调整path
您要在其中存储密钥表文件的位置.
Replace samAccountName
and password
with your data. Leave out dont-change-password
if you are fine with autogenerated passwords. Adjust path
where you want to store the keytab file.
样品运行:
$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name uawet8er \
> --old-account-password '...' --dont-change-password --keytab uawet8er.keytab
-- execute: Skipping creation of new password
-- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain AD.EXAMPLE.COM for procotol tcp
-- validate: Found DC: dc01.ad.example.com. Checking availability...
-- get_dc_host: Found preferred Domain Controller: dc01.ad.example.com
-- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-y6WVDM
-- destroy_g_context: Destroying Kerberos Context
-- initialize_g_context: Creating Kerberos Context
-- finalize_exec: SAM Account Name is: uawet8er
-- try_machine_password: Trying to authenticate for uawet8er with password
-- create_default_machine_password: Default machine password for uawet8er is uawet8er
-- try_machine_password: Error: krb5_get_init_creds_keytab failed (Vorauthentifizierung fehlgeschlagen)
-- try_machine_password: Authentication with password failed
-- try_machine_supplied_password: Trying to authenticate for uawet8er with supplied password
-- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZUutAC
-- finalize_exec: Authenticated using method 6
-- LDAPConnection: Connecting to LDAP server: dc01.ad.example.com
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
-- ldap_get_base_dn: Determining default LDAP base: dc=AD,dc=EXAMPLE,dc=COM
-- get_default_ou: Determining default OU: CN=Users,DC=ad,DC=example,DC=com
-- ldap_check_account: Checking that a service account for uawet8er exists
-- ldap_check_account: Checking service account - found
-- ldap_check_account: Found userAccountControl = 0x200
-- ldap_check_account: Found supportedEncryptionTypes = 28
-- ldap_check_account: Found User Principal: uawet8er
-- ldap_check_account_strings: Inspecting (and updating) service account attributes
-- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
-- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
-- ldap_set_userAccountControl_flag: userAccountControl not changed 0x200
-- ldap_get_kvno: KVNO is 8
-- remove_keytab_entries: Trying to remove entries for uawet8er from keytab
-- execute: Updating all entries for service account uawet8er in the keytab WRFILE:uawet8er.keytab
-- update_keytab: Updating all entries for uawet8er
-- add_principal_keytab: Adding principal to keytab: uawet8er
-- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_principal_keytab: Adding principal to keytab: uawet8er
-- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
-- add_principal_keytab: Adding entry of enctype 0x17
-- add_principal_keytab: Adding entry of enctype 0x11
-- add_principal_keytab: Adding entry of enctype 0x12
-- add_keytab_entries: Trying to add missing entries for uawet8er to keytab
现在使用kinit
检查您的密钥表:
Now check your keytab with kinit
:
$ kinit -k -t uawet8er.keytab uawet8er
$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_722
Standard-Principal: [email protected]
Valid starting Expires Service principal
24.07.2019 13:15:45 24.07.2019 23:15:45 krbtgt/[email protected]
erneuern bis 25.07.2019 13:15:45
此密钥表现在可以与JGSS的login.conf
或KRB5_CLIENT_KTNAME
和MIT Kerberos一起使用.
This keytab is now ready to be used with your login.conf
for JGSS or with KRB5_CLIENT_KTNAME
and MIT Kerberos.
这篇关于Kerberos kinit输入密码而无提示的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!