jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

Unable to pass authentication #542

Closed youaodu closed 2 months ago

youaodu commented 2 months ago

Hello, I tried to log in using gokrb5v8 and it failed. Exception information: KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (6) KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database - CLIENT_NOT_FOUND

TestCode:

package main

import (
    "github.com/jcmturner/gokrb5/v8/client"
    "github.com/jcmturner/gokrb5/v8/config"
    "github.com/jcmturner/gokrb5/v8/keytab"
)

func main() {
    krbConf, err := config.Load("security_krb5.conf")
    if err != nil {
        panic(err)
    }

    keytabFile, err := keytab.Load("security_venus.keytab")
    if err != nil {
        panic(err)
    }
    krbclient := client.NewWithKeytab("venus@HADOOP.QIYI.COM", "HADOOP.QIYI.COM", keytabFile, krbConf)
    err = krbclient.Login()
    if err != nil {
        panic(err)
    }
}

I can successfully log in from Java using the configuration files referenced in the code. I found in the debugger that the ReqBody of gokrb5 is not parsed the same as Java's. I am not sure whether this is the reason.


Diffing the ReqBody from the two tools shows that Krb5 has several fields that are displayed differently.

niudaii commented 3 weeks ago

You can try username without realm.

krbclient := client.NewWithKeytab("venus", "HADOOP.QIYI.COM", keytabFile, krbConf)

youaodu commented 3 weeks ago

> You can try username without realm.
>
> krbclient := client.NewWithKeytab("venus", "HADOOP.QIYI.COM", keytabFile, krbConf)

You are right.
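The fix from this thread, as an added example that is not part of the original posts or of gokrb5: a hypothetical `SplitPrincipal` helper that splits a full principal string into the separate username and realm arguments used by the working `client.NewWithKeytab` call above. It uses only the standard library, and treating a second unescaped `@` as an error is an assumption of this example.

```go
package main

import "fmt"

// lastAt returns the index of the last '@' in s that is not
// backslash-escaped, or -1 when there is none.
func lastAt(s string) int {
	for i := len(s) - 1; i >= 0; i-- {
		n := 0 // number of backslashes directly before s[i]
		for j := i - 1; j >= 0 && s[j] == '\\'; j-- {
			n++
		}
		if s[i] == '@' && n%2 == 0 {
			return i
		}
	}
	return -1
}

// SplitPrincipal (hypothetical helper, not part of gokrb5) turns "user@REALM"
// into the separate username and realm arguments used by the working call in
// this thread. defaultRealm is used when the input carries no realm.
func SplitPrincipal(principal, defaultRealm string) (string, string, error) {
	user, realm := principal, defaultRealm
	if at := lastAt(principal); at >= 0 {
		user, realm = principal[:at], principal[at+1:]
	}
	if user == "" || realm == "" {
		return "", "", fmt.Errorf("principal %q needs a username and a realm", principal)
	}
	if lastAt(user) >= 0 {
		// Assumption of this example: a second realm separator is a mistake.
		return "", "", fmt.Errorf("username %q still contains a realm", user)
	}
	return user, realm, nil
}

func main() {
	// Values taken from the thread.
	user, realm, err := SplitPrincipal("venus@HADOOP.QIYI.COM", "HADOOP.QIYI.COM")
	if err != nil {
		panic(err)
	}
	// Pass these on: client.NewWithKeytab(user, realm, keytabFile, krbConf)
	fmt.Printf("username=%q realm=%q\n", user, realm)
}
```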