http - curl 停止协商 SPNEGO - mech unknown 的 unknown mech-code 0

我尝试使用 curl 连接到 SPNEGO 安全网站(在 Mac OS X 10.10 上，附带 curl)

$curl -vv --negotiate -u : http://xxx-MacBook-Pro.local:8080 
* Rebuilt URL to: http://xxx-MacBook-Pro.local:8080/
*   Trying 192.168.1.6...
* Connected to xxx-MacBook-Pro.local (192.168.1.6) port 8080 (#0)
> GET / HTTP/1.1
> Host: xxx-MacBook-Pro.local:8080
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
* gss_init_sec_context() failed: : unknown mech-code 0 for mech unknown
< WWW-Authenticate: Negotiate
< Content-Type: application/json; charset=UTF-8
< Content-Length: 303
< 
* Connection #0 to host xxx-MacBook-Pro.local left intact

Problem seems to be "gss_init_sec_context() failed: : unknown mech-code 0 for mech unknown". curl looks like to be compiled with SPNEGO/GSS correctly?

curl 7.43.0 (x86_64-apple-darwin14.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps     pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets

编辑:HTTPie ( https://github.com/ndzou/httpie-negotiate ) 表现出类似的行为。它在第一个服务器响应后停止。 服务器返回带有 401 响应的内容而不仅仅是 header 是否重要？

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.1.6:8080
User-Agent: HTTPie/0.9.2



HTTP/1.1 401 Unauthorized
Content-Length: 209
Content-Type: application/json; charset=UTF-8
WWW-Authenticate: Negotiate

{
    "error": {
        "header": {
            "WWW-Authenticate": "Negotiate"
        }, 
        "reason": null, 
        "root_cause": [
            {
                "header": {
                    "WWW-Authenticate": "Negotiate"
                }, 
                "reason": null, 
                "type": "xxx"
            }
        ], 
        "type": "xxx"
    }, 
    "status": 401
}

我怎样才能让 curl 开始工作并使用正确的机制？

最佳答案

当我没有有效的 kerberos 票据时，我能够重现此行为。

> klist
Credentials cache: API:F8526791-7C98-45B7-87A0-8426165D376A
        Principal: me@DOMAIN.COM

  Issued    Expires    Principal

一旦我通过 kinit 命令获得有效票据，身份验证就会按预期进行:

> kinit
> klist
Credentials cache: API:F90F79C6-6343-4462-BCD3-54F146FBDBCD
        Principal: me@DOMAIN.COM

  Issued                Expires               Principal
Sep  6 09:16:50 2016  Sep  6 19:16:50 2016  krbtgt/DOMAIN.COM@DOMAIN.COM

关于http - curl 停止协商 SPNEGO - mech unknown 的 unknown mech-code 0，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/33195616/

http - curl 停止协商 SPNEGO - mech unknown 的 unknown mech-code 0

上一篇：javascript - jquery.ajax 到底什么时候运行失败回调？

下一篇：http - Docker容器http请求限制