Fwd: Testing 3 Kerberos realms from same server
David A. Kovacic
david.kovacic at case.edu
Wed May 3 12:22:58 EDT 2017
Many thanks for the pointers regarding this. We are successfully
running cross-realm tests in at least the perl environment. I do not
believe that python has a mechanism to allow the same but will
investigate further on that as time permits.
On 5/1/17 7:37 PM, Russ Allbery wrote:
> "David A. Kovacic" <david.kovacic at case.edu> writes:
>
>> Unfortunately we are not using kadmin and do not have the ability to set
>> the "-r" flag in this case. We are trying to create test programs in
>> perl and python that test the KDC functionality so that when we upgrade
>> we can test development, test, and production servers all from the same
>> machine rather than having to log in to each admin server for each realm
>> to run our test program.
>> The perl programs use Authen::Krb5::Admin and the python program uses
>> python-kadmin to try the tests - both of which use the Kerberos
>> libraries to implement the "init with keytab" routine to produce an
>> admin object with which we can manipulate principals, policies, etc.
> For Perl, create an Authen::Krb5::Config object, set realm, and pass it
> into your other kadmin operations as the $krb5_config parameter. See the
> Authen::Krb5::Config documentation. I assume python-kadmin has some
> similar mechanism.
>
>> The keytabs have the appropriate services and hosts defined in them and
>> we are using a connection "client" in both the perl and python instances
>> of <admin service>/<host of client>@<realm> (e.g.
>> "my-admin at myhost@MYREALM.EXAMPLE.COM")
>> and the keytab which is correctly defined in the krb5.conf file. We are
>> pretty sure the keytab and krb5.conf file are correct since we get the
>> proper admin object when the default realm and the test realm are the
>> same.
> You have to explicitly set the realm in your authentication call if it
> doesn't match the default realm. There's no way that Kerberos can figure
> this out from the keytab since cross-realm authentication is valid in
> Kerberos, so you may well want to be using a key from one realm to
> authenticate to a different realm.
>
--
David A. Kovacic
Sr. Technical Lead
Enterprise Systems
University Technology, [U]Tech
Case Western Reserve University
Email: david.kovacic at case.edu
Phone: 216.368.5892
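Worked example of the approach Russ describes (set the realm on a config object and pass it to the init call), added here for illustration; it is not code from either poster. The realm names, keytab paths, host name and the "my-admin" client name are hypothetical. The method names (Authen::Krb5::Admin::Config->new, realm(), init_with_skey with the config as the fourth argument, get_principal taking an Authen::Krb5::Principal, and the error() functions) are taken from the Authen::Krb5::Admin and Authen::Krb5 documentation as I recall it and should be checked against the installed POD before use.

```perl
#!/usr/bin/perl
# Added example (not from the thread): open one kadmin handle per realm from a
# single host by setting the realm explicitly, then read back the admin
# principal itself as a smoke test. Nothing here relies on default_realm.
#
# Assumptions to verify against `perldoc Authen::Krb5::Admin`:
#   - config class is Authen::Krb5::Admin::Config with a realm() accessor
#   - init_with_skey(CLIENT, KEYTAB, SERVICE, CONFIG) takes the config last
#   - get_principal() takes an Authen::Krb5::Principal from parse_name()
use strict;
use warnings;
use Authen::Krb5;
use Authen::Krb5::Admin;

# Hypothetical realms under test, each with the keytab holding that realm's
# copy of the admin client key (one key per realm; keys do not cross realms).
my %realms = (
    'DEV.EXAMPLE.COM'  => '/etc/krb5/kadmin-dev.keytab',
    'TEST.EXAMPLE.COM' => '/etc/krb5/kadmin-test.keytab',
    'PROD.EXAMPLE.COM' => '/etc/krb5/kadmin-prod.keytab',
);
my $service = 'kadmin/admin';        # kadmin service principal name
my $host    = 'myhost.example.com';  # hypothetical test host

Authen::Krb5::init_context()
    or die 'krb5 init_context failed: ' . Authen::Krb5::error();

for my $realm (sort keys %realms) {
    # Client principal lives in the realm being tested, not the default realm.
    my $client = "my-admin/$host\@$realm";

    # This is the step that cannot be omitted when $realm != default_realm:
    # the library will not infer the target realm from the keytab.
    my $config = Authen::Krb5::Admin::Config->new;
    $config->realm($realm);

    my $kadm = Authen::Krb5::Admin->init_with_skey(
        $client, $realms{$realm}, $service, $config)
        or die "$realm: init_with_skey failed: " . Authen::Krb5::Admin::error();

    # Smoke test: fetch our own principal entry through the new handle.
    my $princ = Authen::Krb5::parse_name($client)
        or die "$realm: parse_name failed: " . Authen::Krb5::error();
    my $entry = $kadm->get_principal($princ)
        or die "$realm: get_principal failed: " . Authen::Krb5::Admin::error();

    printf "%-18s ok: %s (kvno %d)\n", $realm, $client, $entry->kvno;
}
```

To confirm that a keytab and realm pairing is sound before debugging the Perl side, the same check can be made from the command line with the realm given explicitly: `kadmin -r DEV.EXAMPLE.COM -k -t /etc/krb5/kadmin-dev.keytab -p my-admin/myhost.example.com@DEV.EXAMPLE.COM -q 'getprinc my-admin/myhost.example.com'`. If that succeeds and the Perl call does not, the problem is in how the realm is being passed, not in the keytab or krb5.conf.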