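I am trying to obtain a krb5 service ticket for a cifs server using the code below. I am able to get the initial credentials for the smb user. However, when I try to get the cifs service ticket for the smb server, I get a PRINCIPAL_UNKNOWN error. In the packet trace I noticed that the TGS_REQ is sent with sname "krbtgt\cifs_server_name.domain_name" instead of cifs\cifs_server_name.domain_name. I am not sure what mistake I made. I am building the service principal correctly (lines 12-14), and I am not sure why the TGS-REQ is sent with sname krbtgt.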
krb5_creds credentials;
krb5_creds* service_credentials;
krb5_principal user_principal = NULL;
krb5_principal service_principal = NULL;
krb5_ccache ccache;
krb5_get_init_creds_opt *options;
memset(&credentials, 0, sizeof(credentials));
char buf[100];
// Bounded formatting so a long user or domain cannot overflow buf
snprintf(buf, sizeof(buf), "%s@%s", smb2->user, smb2->domain);
ret = krb5_parse_name(context, buf, &user_principal);
snprintf(buf, sizeof(buf), "%s@%s", "cifs", smb2->target_name);
fprintf(stderr, "buff %s\n", buf);
ret = krb5_parse_name(context, buf, &service_principal);
if (ret != 0) {
    fprintf(stderr, "krb5_parse_name %d\n", ret );
    exit(-1);
}
ret = krb5_cc_default(context, &ccache);
if (ret != 0) {
    fprintf(stderr, "krb5_cc_default %d\n", ret );
    exit(-1);
}
ret = krb5_cc_initialize (context, ccache, user_principal);
if (ret != 0) {
    fprintf(stderr, "krb5_cc_initialize %d\n", ret );
    exit(-1);
}
ret = krb5_get_init_creds_opt_alloc(context, &options);
if (ret != 0) {
    fprintf(stderr, "krb5_get_init_creds_opt_alloc %d\n", ret );
    exit(-1);
}
ret = krb5_get_init_creds_opt_set_out_ccache(context, options, ccache);
if (ret != 0) {
    fprintf(stderr, "krb5_get_init_creds_opt_set_out_ccache %d\n", ret );
    exit(-1);
}
// Get the initial credentials (TGT) for the user with the password
ret = krb5_get_init_creds_password(context, &credentials, user_principal,
                                   smb2->password, NULL,
                                   NULL, 0, NULL, options);
fprintf(stderr, "krb5_get_init_creds_password %d\n", ret);
if (ret != 0) {
    fprintf(stderr, "krb5_get_init_creds_password %d\n", ret );
    //exit(-1);
}
// Request a service ticket for service_principal using the TGT in ccache
credentials.server = service_principal;
credentials.client = user_principal;
// krb5_tkt_creds_init(context, ccache, credentials, options, &)
ret = krb5_get_credentials(context, 0, ccache, &credentials, &service_credentials);
if (ret != 0) {
    fprintf(stderr, "krb5_get_credentials %d\n", ret );
    exit(-1);
}
fprintf(stderr, "----------------------------------------------------------krb5_get_credentials %d----------------------------------------------------------\n", ret);
Please help me resolve this issue.
Thanks
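After some trial and error, I found the problem. The service principal should be cifs/cifs_server_name.domain_name rather than cifs@cifs_server_name.domain_name. Only the user principal should be user@domain_name. After editing the line below, krb5_get_credentials() was able to obtain the service ticket.
snprintf(buf, sizeof(buf), "%s/%s", "cifs", smb2->target_name);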
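Why the trace showed sname krbtgt, as an added example that is not part of the original posts and does not use libkrb5: a simplified model of the Kerberos name syntax, in which "cifs@host" parses as the one-component principal "cifs" in a realm named after the host, so the first TGS-REQ asks for a cross-realm TGT. The names parse_princ, first_tgs_sname and struct princ, the host fileserver.example.test and the realm EXAMPLE.TEST are constructed for illustration, and realm referrals are ignored.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a parsed principal; not libkrb5's krb5_principal. */
struct princ {
    char name[256];  /* components joined by '/', escape pairs kept */
    int ncomp;       /* number of name components */
    char realm[128];
};

/* Kerberos name syntax: '/' separates components, the first unescaped '@'
 * starts the realm, '\' escapes the next character. Returns -1 if too long. */
int parse_princ(const char *in, const char *default_realm, struct princ *p)
{
    size_t len = 0;
    memset(p, 0, sizeof(*p));
    p->ncomp = 1;
    for (; *in && *in != '@'; in++) {
        if (len + 2 >= sizeof(p->name)) return -1;
        if (*in == '/') p->ncomp++;
        else if (*in == '\\' && in[1]) p->name[len++] = *in++;  /* keep escape */
        p->name[len++] = *in;
    }
    int n = snprintf(p->realm, sizeof(p->realm), "%s", *in == '@' ? in + 1 : default_realm);
    return (n < 0 || (size_t)n >= sizeof(p->realm)) ? -1 : 0;
}

/* sname of the first TGS-REQ: the service itself when it is in the client's
 * realm, otherwise a cross-realm TGT (krbtgt/<service realm>). */
int first_tgs_sname(const struct princ *svc, const char *client_realm, char *out, size_t n)
{
    if (strcmp(svc->realm, client_realm) != 0)
        return snprintf(out, n, "krbtgt/%s", svc->realm);
    return snprintf(out, n, "%s", svc->name);
}

int main(void)
{
    /* Constructed sample names: the question's form, then the answer's form. */
    const char *names[] = { "cifs@fileserver.example.test", "cifs/fileserver.example.test" };
    for (int i = 0; i < 2; i++) {
        struct princ p;
        char sname[300];
        if (parse_princ(names[i], "EXAMPLE.TEST", &p) != 0) return 1;
        first_tgs_sname(&p, "EXAMPLE.TEST", sname, sizeof(sname));
        printf("%-30s components=%d realm=%s sname=%s\n", names[i], p.ncomp, p.realm, sname);
    }
    return 0;
}
```

The KDC has no krbtgt entry for a realm named after the file server, which matches the PRINCIPAL_UNKNOWN error in the question.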