curl 停止协商 SPNEGO - 未知 mech-code 0 机械未知

Question

我尝试使用 curl 连接到 SPNEGO 安全网站（在 Mac OS X 10.10 上，附带 curl）

$curl -vv --negotiate -u : http://xxx-MacBook-Pro.local:8080 
* Rebuilt URL to: http://xxx-MacBook-Pro.local:8080/
*   Trying 192.168.1.6...
* Connected to xxx-MacBook-Pro.local (192.168.1.6) port 8080 (#0)
> GET / HTTP/1.1
> Host: xxx-MacBook-Pro.local:8080
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
* gss_init_sec_context() failed: : unknown mech-code 0 for mech unknown
< WWW-Authenticate: Negotiate
< Content-Type: application/json; charset=UTF-8
< Content-Length: 303
< 
* Connection #0 to host xxx-MacBook-Pro.local left intact

问题似乎是 "gss_init_sec_context() failed: : unknown mech-code 0 for mech unknown"。 curl 看起来像用 SPNEGO/GSS 正确编译？

curl 7.43.0 (x86_64-apple-darwin14.0) libcurl/7.43.0 SecureTransport zlib/1.2.5
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps     pop3 pop3s rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets

编辑：HTTPie (https://github.com/ndzou/httpie-negotiate) 显示了类似的行为。它在第一个服务器响应后停止。 服务器 return 满足 401 响应而不仅仅是 headers 是否重要？

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: 192.168.1.6:8080
User-Agent: HTTPie/0.9.2



HTTP/1.1 401 Unauthorized
Content-Length: 209
Content-Type: application/json; charset=UTF-8
WWW-Authenticate: Negotiate

{
    "error": {
        "header": {
            "WWW-Authenticate": "Negotiate"
        }, 
        "reason": null, 
        "root_cause": [
            {
                "header": {
                    "WWW-Authenticate": "Negotiate"
                }, 
                "reason": null, 
                "type": "xxx"
            }
        ], 
        "type": "xxx"
    }, 
    "status": 401
}

如何让 curl 开始工作并使用正确的机制？

Answer 1

当我没有有效的 kerberos 票证时，我能够重现此行为。

> klist
Credentials cache: API:F8526791-7C98-45B7-87A0-8426165D376A
        Principal: me@DOMAIN.COM

  Issued    Expires    Principal

一旦我通过 kinit 命令获得有效票据，身份验证就会按预期进行：

> kinit
> klist
Credentials cache: API:F90F79C6-6343-4462-BCD3-54F146FBDBCD
        Principal: me@DOMAIN.COM

  Issued                Expires               Principal
Sep  6 09:16:50 2016  Sep  6 19:16:50 2016  krbtgt/DOMAIN.COM@DOMAIN.COM

curl 停止协商 SPNEGO - 未知 mech-code 0 机械未知

curl stops negotiating SPNEGO - unknown mech-code 0 for mech unknown

curl

kerberos

http

spnego