Different realms

Robbie Harwood rharwood at redhat.com
Sun Jan 28 04:30:39 EST 2018


"Imanuel Greenfeld" <imanuel.greenfeld1 at ntlworld.com> writes:

> Robbie Harwood <rharwood at redhat.com> writes:
>> "Imanuel Greenfeld" <imanuel.greenfeld1 at ntlworld.com> writes:
>>
>>> I have 2 domains with no trust between them.
>>
>> Do you have two realms (A and B), with two machines (machine_a in A,
>> and machine_b in B), and two services (service_a on machine_a, and
>> service_b on machine_b)?
>
> Yes
>
>> I'm not overly familiar with the Java bindings, but this isn't
>> something one really wants to be doing in Kerberos.
>
> So how can I pass the Kerberos authentication if there is no trust
> between the realms?

Without a trust, service_a has no way to *prove* to service_b the
identity of the user who is connecting to service_a.

Now, depending on what you're doing, this may not matter - maybe
whatever service_b is doing doesn't care about that.  If that's the
case, then service_a just needs a credential to authenticate against
service_b with.  (This will come from realm B.)

For making Kerberized HTTP requests, the best approach is, as Simo says,
to use something like mod_auth_gssapi on the server.  You're in Java,
not Python, on the client, so you won't be able to use requests-gssapi;
I'm not sure if there is a SPNEGO module for Java.

You can, however, look at how the token is generated by requests-gssapi
and make similar GSSAPI calls from Java - the function is
generate_request_header()
https://github.com/pythongssapi/requests-gssapi/blob/master/requests_gssapi/gssapi_.py#L139-L150
https://github.com/pythongssapi/requests-gssapi/blob/master/requests_gssapi/gssapi_.py#L63

>> What is the actual, higher level thing you are trying to accomplish?
>
> As explained, I'm sending an HTTP REST JSON request from machine_a to a
> machine_b endpoint but I'm getting a 401 Unauthorised error, so I'm
> trying to incorporate into the HTTP JSON request the keytab which is
> on machine_a to pass the authentication.

Let me ask a different way.  Why are you doing this at all?

On another note: your email replies are very difficult to read.  At the
very least, please use blank lines to separate your replies from the
text you are replying to, and make your quoting levels work correctly.

Thanks,
--Robbie
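The Java equivalent of what requests-gssapi's generate_request_header() does, as an added example that is not part of the original thread or of either project: it uses the standard JGSS API (org.ietf.jgss) to obtain a SPNEGO token for HTTP@machine_b and base64-encodes it into an Authorization: Negotiate header. It assumes a JAAS entry named "RealmBClient" (an assumed name) that uses Krb5LoginModule with a keytab for a principal in realm B, since, as the reply explains, the credential service_a presents must come from realm B.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class NegotiateClient {

    /** Create an initiator context for the HTTP service on host, using the SPNEGO mech. */
    public static GSSContext newContext(String host) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        // Host-based service name; the KDC of realm B must know HTTP/<host>@B.
        GSSName target = mgr.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO pseudo-mechanism OID (RFC 4178)
        GSSContext ctx = mgr.createContext(target, spnego, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // ask service_b to prove its identity back to us
        return ctx;
    }

    /** First leg: produce the "Negotiate <base64 token>" value for the Authorization header. */
    public static String negotiateHeader(GSSContext ctx) throws GSSException {
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    /** Second leg: feed the server's WWW-Authenticate reply token back in to finish mutual auth. */
    public static boolean finish(GSSContext ctx, String wwwAuthenticate) throws GSSException {
        String b64 = wwwAuthenticate.substring("Negotiate".length()).trim();
        byte[] reply = Base64.getDecoder().decode(b64);
        ctx.initSecContext(reply, 0, reply.length);
        // Only trust the response once the context is established and the server proved itself.
        return ctx.isEstablished() && ctx.getMutualAuthState();
    }

    public static void main(String[] args) throws Exception {
        // "RealmBClient": assumed JAAS entry using Krb5LoginModule with useKeyTab=true,
        // storeKey=true and a principal in realm B (the realm service_b belongs to).
        LoginContext lc = new LoginContext("RealmBClient");
        lc.login();
        String header = Subject.doAs(lc.getSubject(),
            (PrivilegedExceptionAction<String>) () -> negotiateHeader(newContext(args[0])));
        System.out.println("Authorization: " + header);
    }
}
```

Run with -Djava.security.auth.login.config pointing at the JAAS file and the target host as the first argument; the header printed is what the client sends on the retry after the 401.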