Different realms

Imanuel Greenfeld imanuel.greenfeld1 at ntlworld.com
Fri Jan 26 16:34:30 EST 2018


Hello Robbie

Thanks for the details.

Comments below inline.

Can you please help?

Thank you

Imanuel.

-----Original Message-----
From: Robbie Harwood [mailto:rharwood at redhat.com] 
Sent: 26 January 2018 12:55
To: Imanuel Greenfeld <imanuel.greenfeld1 at ntlworld.com>; kerberos at mit.edu
Cc: 'Simo Sorce' <simo at redhat.com>
Subject: Re: Different realms

> "Imanuel Greenfeld" <imanuel.greenfeld1 at ntlworld.com> writes:
>
>> I have 2 domains which there is no trust between them.
>>
>> I'm running a process on Domain 1.  This needs to submit HTTP rest
>> request to Domain 2 which the KDC is also on the same domain (i.e.
>> domain 2).
>
> What does "domain" mean here?

Domain is realm.

> Do you have two realms (A and B), with two machines (machine_a in A, and
> machine_b in B), and two services (service_a on machine_a, and service_b
> on machine_b)?

Yes.

>> I have keytab (for the service account on Domain 2) and krb5.conf
>> with the details of the two realms.
>
> So if I understand correctly: on machine_b, you have a keytab for
> service_b.

No: on machine_a I have the keytab for service_b.

> And krb5.conf knows the KDCs and such for both A and B.

Yes: krb5.conf is on machine_a but has entries for both realms.

>> I found a way to incorporate the keytab into the HTTP request in Java
>> but not in C/C++.
>
> I lose you here.  It sounds like you're sending the keytab as part of
> the HTTP request?

Yes, that's because I'm sending HTTP JSON request from machine_a to
machine_b endpoint but I'm getting Unauthorised 401 error because I'm not
passing the Kerberos authentication - in Java you can use RestTemplate
which lets you incorporate into the HTTP JSON request the keytab.

> I'm not overly familiar with the Java bindings, but this isn't something
> one really wants to be doing in Kerberos.

So how can I pass the Kerberos authentication if there is no trust between
the realms?

>> I know there are functions such as krb5_get_init_creds_keytab but I do
>> not know how to achieve the same in C/C++ (as I did in Java).  So when
>> I have the keytab, how do I incorporate this to the HTTP header?
>
> You shouldn't be passing credentials around for security reasons, and
> you shouldn't be putting things of variable length in headers.

Understood.

> What is the actual, higher level thing you are trying to accomplish?

As explained, I'm sending HTTP rest JSON request from machine_a to
machine_b endpoint but I'm getting Unauthorised 401 error, so I'm trying
to incorporate into the HTTP JSON request the keytab which is on machine_a
to pass the authentication.

> Thanks,
>
> --Robbie
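Added example, not part of the thread above and not code from either correspondent: the question "how do I incorporate the keytab into the HTTP header?" rests on a misunderstanding that the exchange only hints at. With HTTP Negotiate (SPNEGO), the keytab never leaves machine_a. It is used locally to obtain credentials (for a principal of realm B, from realm B's KDC, which is exactly what krb5_get_init_creds_keytab or `kinit -kt` does, and which does not need a cross-realm trust because the principal is native to B). What travels in the `Authorization: Negotiate` header is a base64-encoded GSS-API token produced by `gss_init_sec_context()` for the target `HTTP@machine_b`. The C below shows the header side of that exchange in a form that runs stand-alone: building the `Authorization` header from a token, and parsing the server's `WWW-Authenticate: Negotiate` challenge back into token bytes. The token bytes are a constructed placeholder for a real GSS output token; the `HTTP@machine_b` target name, the header strings and all function names are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * HTTP Negotiate (SPNEGO) header handling. The bytes inside the header
 * are a GSS-API context token, never a keytab or a ticket file. In a
 * real client the token comes from gss_init_sec_context() for the
 * target HTTP@machine_b (assumed name); here a constructed placeholder
 * stands in for it so the header code can run without a KDC.
 */

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* RFC 4648 base64 encoder; returns a malloc'd NUL-terminated string. */
char *b64_encode(const unsigned char *in, size_t len)
{
    char *out = malloc(4 * ((len + 2) / 3) + 1);
    size_t i, j = 0;
    if (!out)
        return NULL;
    for (i = 0; i < len; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < len) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[j++] = B64[(v >> 18) & 63];
        out[j++] = B64[(v >> 12) & 63];
        out[j++] = (i + 1 < len) ? B64[(v >> 6) & 63] : '=';
        out[j++] = (i + 2 < len) ? B64[v & 63] : '=';
    }
    out[j] = '\0';
    return out;
}

/* Base64 decoder; malloc'd bytes, length in *out_len, NULL on bad input. */
unsigned char *b64_decode(const char *in, size_t *out_len)
{
    size_t len = strlen(in), i, j = 0;
    unsigned v = 0;
    int bits = 0;
    unsigned char *out;
    if (len % 4 != 0)
        return NULL;
    out = malloc(len / 4 * 3 + 1);
    if (!out)
        return NULL;
    for (i = 0; i < len && in[i] != '='; i++) {
        const char *p = strchr(B64, in[i]);
        if (!p) { free(out); return NULL; }     /* reject non-alphabet bytes */
        v = (v << 6) | (unsigned)(p - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[j++] = (unsigned char)((v >> bits) & 0xff);
        }
    }
    *out_len = j;
    return out;
}

/* Request side: wrap the client's GSS token in the Authorization header. */
char *negotiate_header(const unsigned char *token, size_t token_len)
{
    const char prefix[] = "Authorization: Negotiate ";
    char *hdr, *b64 = b64_encode(token, token_len);
    if (!b64)
        return NULL;
    hdr = malloc(sizeof prefix + strlen(b64));   /* sizeof includes the NUL */
    if (hdr) {
        strcpy(hdr, prefix);
        strcat(hdr, b64);
    }
    free(b64);
    return hdr;
}

/*
 * Response side: parse one "WWW-Authenticate: Negotiate [<b64>]" header
 * line (without CRLF) into the server's token bytes. Returns NULL when
 * the server did not offer Negotiate or the token is malformed. A bare
 * "Negotiate" with no token, the usual first 401 challenge, yields a
 * zero-length token. Scheme name is matched exactly here for brevity.
 */
unsigned char *parse_challenge(const char *header, size_t *token_len)
{
    const char name[] = "WWW-Authenticate:", scheme[] = "Negotiate";
    const char *p;
    if (strncmp(header, name, sizeof name - 1) != 0)
        return NULL;
    p = header + sizeof name - 1;
    while (*p == ' ') p++;
    if (strncmp(p, scheme, sizeof scheme - 1) != 0)
        return NULL;
    p += sizeof scheme - 1;
    if (*p != '\0' && *p != ' ')
        return NULL;                            /* e.g. "NegotiateX" */
    while (*p == ' ') p++;
    if (*p == '\0') {
        *token_len = 0;
        return malloc(1);                       /* empty first challenge */
    }
    return b64_decode(p, token_len);
}

int main(void)
{
    /* Constructed placeholder for a gss_init_sec_context() output token. */
    const unsigned char token[] = { 0x60, 0x82, 0x01, 0x23, 0x06, 0x06, 0x2b, 0x06 };
    size_t n = 0;
    char *hdr = negotiate_header(token, sizeof token);
    unsigned char *srv = parse_challenge("WWW-Authenticate: Negotiate", &n);
    printf("%s\n", hdr ? hdr : "(alloc failed)");
    printf("server %s Negotiate, token length %zu\n", srv ? "offers" : "does not offer", n);
    free(hdr);
    free(srv);
    return 0;
}
```

In a real client the loop is: send the request, get a 401 whose `WWW-Authenticate` offers `Negotiate`, acquire credentials locally from the keytab, call `gss_init_sec_context()` and send its output token via `negotiate_header()`, then feed any token the server returns in its next `WWW-Authenticate` back into `gss_init_sec_context()` until the context is complete. The keytab stays on disk on machine_a throughout; only short-lived tokens cross the wire.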
