我尝试使用curl连接到SPNEGO安全网站(在Mac OS X 10.10上发送卷曲)
$curl -vv --negotiate -u : http://xxx-MacBook-Pro.local:8080 * Rebuilt URL to: http://xxx-MacBook-Pro.local:8080/ * Trying 192.168.1.6... * Connected to xxx-MacBook-Pro.local (192.168.1.6) port 8080 (#0) > GET / HTTP/1.1 > Host: xxx-MacBook-Pro.local:8080 > User-Agent: curl/7.43.0 > Accept: */* > < HTTP/1.1 401 Unauthorized * gss_init_sec_context() failed: : unknown mech-code 0 for mech unknown < WWW-Authenticate: Negotiate < Content-Type: application/json; charset=UTF-8 < Content-Length: 303 < * Connection #0 to host xxx-MacBook-Pro.local left intact
问题似乎是“gss_init_sec_context()失败::未知的mech-code 0 for mech unknown”. curl看起来好像是用SPNEGO / GSS正确编译的?
curl 7.43.0 (x86_64-apple-darwin14.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets
编辑:HTTPie(https://github.com/ndzou/httpie-negotiate)显示类似的行为.它在第一次服务器响应后停止.服务器返回带有401响应的内容而不仅仅是标题是否重要?
GET / HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate Connection: keep-alive Host: 192.168.1.6:8080 User-Agent: HTTPie/0.9.2 HTTP/1.1 401 Unauthorized Content-Length: 209 Content-Type: application/json; charset=UTF-8 WWW-Authenticate: Negotiate { "error": { "header": { "WWW-Authenticate": "Negotiate" }, "reason": null, "root_cause": [ { "header": { "WWW-Authenticate": "Negotiate" }, "reason": null, "type": "xxx" } ], "type": "xxx" }, "status": 401 }
我怎样才能使卷曲得到工作并使用正确的机械?
最佳答案 当我没有有效的kerberos票时,我能够重现这种行为.
> klist
Credentials cache: API:F8526791-7C98-45B7-87A0-8426165D376A
Principal: me@DOMAIN.COM
Issued Expires Principal
只要我通过kinit命令获得有效票证,验证就会按预期进行:
> kinit
> klist
Credentials cache: API:F90F79C6-6343-4462-BCD3-54F146FBDBCD
Principal: me@DOMAIN.COM
Issued Expires Principal
Sep 6 09:16:50 2016 Sep 6 19:16:50 2016 krbtgt/DOMAIN.COM@DOMAIN.COM