Fwd: Testing 3 Kerberos realms from same server

Russ Allbery eagle at eyrie.org
Mon May 1 19:37:00 EDT 2017


"David A. Kovacic" <david.kovacic at case.edu> writes:

> Unfortunately we are not using kadmin and do not have the ability to set
> the "-r" flag in this case.  We are trying to create test programs in
> perl and python that test the KDC functionality so that when we upgrade
> we can test development, test, and production servers all from the same
> machine rather than having to log in to each admin server for each realm
> to run our test program.

> The perl programs use Authen::Krb5::Admin and the python program uses
> python-kadmin to try the tests - both of which use the Kerberos
> libraries to implement the "init with keytab" routine to produce an
> admin object with which we can manipulate principals, policies, etc.

For Perl, create an Authen::Krb5::Config object, set realm, and pass it
into your other kadmin operations as the $krb5_config parameter.  See the
Authen::Krb5::Config documentation.  I assume python-kadmin has some
similar mechanism.

> The keytabs have the appropriate services and hosts defined in them and
> we are using a connection "client" in both the perl and python instances
> of

> <admin service>/<host of client>@<realm> (eg:
> "my-admin at myhost@MYREALM.EXAMPLE.COM")

> and the keytab which is correctly defined in the krb5.conf file.  We are
> pretty sure the keytab and krb5.conf file are correct since we get the
> proper admin object when the default realm and the test realm are the
> same.

You have to explicitly set the realm in your authentication call if it
doesn't match the default realm.  There's no way that Kerberos can figure
this out from the keytab since cross-realm authentication is valid in
Kerberos, so you may well want to be using a key from one realm to
authenticate to a different realm.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
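The reply above makes one point that a multi-realm test harness has to build in: a keytab can hold keys for several realms, so the library cannot infer which realm to talk to, and the test program must name the realm (and the full client principal) explicitly for each KDC it exercises. The following Python is an added example, not code from this thread or from python-kadmin: it parses an MIT-format keytab (version 0x0502), lists the realms it contains, and resolves the explicit `<admin service>/<host>@<realm>` client principal for a chosen realm before any kadmin init is attempted. The keytab bytes, the realm names DEV.EXAMPLE.COM and TEST.EXAMPLE.COM, the kvno values and the all-zero key material are all constructed for the example; only the `my-admin/myhost` naming is taken from the thread. The actual init-with-keytab call needs a live KDC and is deliberately not made here.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    principal: str  # "service/host@REALM"
    realm: str
    kvno: int
    enctype: int


def _counted(data: bytes, off: int):
    """Read an MIT 'counted octet string': big-endian uint16 length + bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> list:
    """Parse an MIT keytab (format 0x0502). Only the fields needed to
    identify principals, realms and key versions are kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 4                # name_type (uint32)
        off += 4                # timestamp (uint32)
        kvno = data[off]        # 8-bit vno
        off += 1
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen       # skip the key material itself
        if end - off >= 4:      # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        realm_s = realm.decode()
        entries.append(KeytabEntry("/".join(comps) + "@" + realm_s,
                                   realm_s, kvno, enctype))
        off = end
    return entries


def realms_in_keytab(data: bytes) -> list:
    """Every realm for which the keytab holds at least one key."""
    return sorted({e.realm for e in parse_keytab(data)})


def admin_client_for_realm(data: bytes, service: str, host: str, realm: str) -> str:
    """Return the explicit client principal to hand to init-with-keytab for
    the given realm, failing early if the keytab cannot authenticate it."""
    want = f"{service}/{host}@{realm}"
    if any(e.principal == want for e in parse_keytab(data)):
        return want
    raise LookupError(f"keytab has no entry for {want}; "
                      f"realms present: {realms_in_keytab(data)}")


# --- constructed sample keytab (not a real keytab; keys are zero bytes) ---
def _entry(comps, realm, kvno, enctype, key):
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">II", 1, 0)            # name_type=1, timestamp=0
    body += struct.pack(">B", kvno & 0xFF)      # 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)             # 32-bit vno
    return struct.pack(">i", len(body)) + body


SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(["my-admin", "myhost"], "DEV.EXAMPLE.COM", 3, 18, b"\x00" * 32)
                 + _entry(["my-admin", "myhost"], "TEST.EXAMPLE.COM", 300, 18, b"\x00" * 32))

if __name__ == "__main__":
    print("realms in keytab:", realms_in_keytab(SAMPLE_KEYTAB))
    for realm in realms_in_keytab(SAMPLE_KEYTAB):
        client = admin_client_for_realm(SAMPLE_KEYTAB, "my-admin", "myhost", realm)
        # Here the test harness would call the library's init-with-keytab with
        # both `client` and `realm` given explicitly, once per realm.
        print(f"{realm}: authenticate as {client}")
```

Running the harness per realm is then a loop over `realms_in_keytab()`, passing both the resolved client principal and the realm itself into the library call, which is exactly the explicit-realm step the reply says the library cannot perform for you. A `LookupError` before the kadmin call is a much clearer failure than an opaque "client not found" from a KDC that was reached with the wrong default realm.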
