Fwd: Testing 3 Kerberos realms from same server

David A. Kovacic david.kovacic at case.edu
Mon May 1 16:10:05 EDT 2017


Unfortunately we are not using kadmin and do not have the ability to set
the "-r" flag in this case.  We are trying to create test programs in
perl and python that test the KDC functionality so that when we upgrade
we can test development, test, and production servers all from the same
machine rather than having to log in to each admin server for each realm
to run our test program. 

The perl programs use Authen::Krb5::Admin and the python program uses
python-kadmin to try the tests - both of which use the Kerberos
libraries to implement the "init with keytab" routine to produce an
admin object with which we can manipulate principals, policies, etc.

The keytabs have the appropriate services and hosts defined in them and
we are using a connection "client" in both the perl and python instances of

<admin service>/<host of client>@<realm> (eg:
"my-admin at myhost@MYREALM.EXAMPLE.COM")

and the keytab which is correctly defined in the krb5.conf file.  We are
pretty sure the keytab and krb5.conf file are correct since we get the
proper admin object when the default realm and the test realm are the
same.  When the realms DON'T match we are getting an error of

{'errno': 43787566L, 'message': 'GSS-API (or Kerberos) error'}



On 5/1/17 3:17 PM, Tareq Alrashid wrote:
>
>
>> Begin forwarded message:
>>
>> *From: *Greg Hudson <ghudson at mit.edu>
>> *Subject: **Re: Testing 3 Kerberos realms from same server*
>> *Date: *May 1, 2017 at 2:47:19 PM EDT
>> *To: *Tareq Alrashid <tareq at qerat.com>,
>> kerberos at mit.edu
>>
>> On 05/01/2017 11:04 AM, Tareq Alrashid wrote:
>> [...]
>>> Code written in Python simply loops through each of the 3 realms,
>>> kinit with the keytab, performs a few kadmin operations and either
>>> passes or fails.
>>>
>>> The strange result is that only the realm name set by "default_realm
>>> =" passes and all others fail! If I manually change the value to one of
>>> the other realm names; yep! same corresponding result.
>>
>> Without specifics it's hard to be sure, but my guess would be that you
>> need to use the kadmin -r option.
>>
>> I recently wrote up some documentation text going over the effects of
>> the default_realm setting; you can find it here:
>>
>>
>> http://web.mit.edu/kerberos/krb5-latest/doc/admin/host_config.html#default-realm
>

-- 
David A. Kovacic
Sr. Technical Lead
Enterprise Systems
University Technology, [U]Tech
Case Western Reserve University
Email: david.kovacic at case.edu
Phone: 216.368.5892
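One way to drive a per-realm test from a single machine when the library offers no equivalent of kadmin -r, as an added example that is not code from this thread: render a separate krb5.conf for each realm with default_realm set to the realm under test, and hand it to each test run through KRB5_CONFIG. It assumes the Kerberos libraries honour KRB5_CONFIG when the test process creates its krb5 context; the REALMS table, hostnames and the kdc_test.pl script name are constructed placeholders.

```python
import os
import subprocess
import tempfile

# Constructed realm table (assumption): one KDC/admin server per realm under test.
REALMS = {
    "DEV.EXAMPLE.COM": {"kdc": "kdc.dev.example.com", "admin_server": "kdc.dev.example.com"},
    "TEST.EXAMPLE.COM": {"kdc": "kdc.test.example.com", "admin_server": "kdc.test.example.com"},
    "PROD.EXAMPLE.COM": {"kdc": "kdc.prod.example.com", "admin_server": "kdc.prod.example.com"},
}

def render_krb5_conf(default_realm, realms):
    """Render a minimal krb5.conf whose default_realm is the realm under test."""
    if default_realm not in realms:
        raise KeyError("no [realms] entry for %s" % default_realm)
    lines = ["[libdefaults]", "    default_realm = %s" % default_realm, "", "[realms]"]
    for name, hosts in sorted(realms.items()):
        lines += ["    %s = {" % name,
                  "        kdc = %s" % hosts["kdc"],
                  "        admin_server = %s" % hosts["admin_server"],
                  "    }"]
    return "\n".join(lines) + "\n"

def parse_default_realm(text):
    """Read default_realm back from krb5.conf text; used to verify the file we wrote."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def realm_env(realm, realms=REALMS, directory=None):
    """Write a per-realm krb5.conf and return an environment that selects it."""
    fd, path = tempfile.mkstemp(prefix="krb5-%s-" % realm, suffix=".conf", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(render_krb5_conf(realm, realms))
    return dict(os.environ, KRB5_CONFIG=path)

if __name__ == "__main__":
    # Hypothetical driver: run the existing perl/python test as a child process per
    # realm, so each process creates its krb5 context with its own default_realm.
    for realm in REALMS:
        subprocess.call(["perl", "kdc_test.pl", realm], env=realm_env(realm))
```

The same environment can be passed to a python-kadmin based test run as a child process, so the keytab principal's realm and the library's default realm agree for every realm in turn.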


