Fwd: Testing 3 Kerberos realms from same server
Greg Hudson
ghudson at mit.edu
Mon May 1 17:27:21 EDT 2017
On 05/01/2017 04:10 PM, David A. Kovacic wrote:
> The perl programs use Authen::Krb5::Admin and the python program uses
> python-kadmin to try the tests - both of which use the Kerberos
> libraries to implement the "init with keytab" routine to produce an
> admin object with which we can manipulate principals, policies, etc.
python-kadmin does not appear to be able to use a non-default realm.
Looking at the source code, PyKAdminObject_new() loads the default realm
into the object's realm field (with no means of caller override), and in
kadmin.c, the various kadm5_init_with_*() calls all provide an empty
params object, not one with a realm set.
Authen::Krb5::Admin looks like it might have the ability to use a
non-default realm, but I'm not as familiar with Perl so it would take me
a while to figure out the details.
> When the realms DON'T match we are getting an error of
>
> {'errno': 43787566L, 'message': 'GSS-API (or Kerberos) error'}
Unfortunately, the error messages for anything going through gssrpc
(including kadmin) are terrible when there is an authentication failure;
we haven't worked out a way to surface the actual error through that
library.
More information about the Kerberos
mailing list