Different realms
Imanuel Greenfeld
imanuel.greenfeld1 at ntlworld.com
Sun Jan 28 06:17:45 EST 2018
Thanks Robbie.
Noted.
Ok, let me explain so that all is clear :-
I'm not on Java, I'm on C++.
I am trying to send HTTP request from machine_a (client) to machine_b
(server) and these 2 realms have no trust between them.
I found a way to get this to work with Java, but I am on C++. So in Java,
there is a way to add the keytab to the HTTP request and all works ok. Java
does it like this :-
public void doWithKeytabFile() {
KerberosRestTemplate restTemplate =
new KerberosRestTemplate("/tmp/user2.keytab",
"user2 at EXAMPLE.ORG");
restTemplate.getForObject("http://neo.example.org:8080/hello",
String.class);
}
As you can see the HTTP request just has one "endpoint" so the keytab needs
to be part of it.
But in C++ I cannot find a way how to achieve the same - in other words,
once I have the keytab in the code, and I separately build the HTTP request,
how do I incorporate that keytab to that HTTP request ?
I can only change the client code - the server code is not available to me.
Once again, I'm trying to find C/C++ good example.
Can you help ?
Many thanks
Imanuel.
-----Original Message-----
From: Robbie Harwood [mailto:rharwood at redhat.com]
Sent: 28 January 2018 09:31
To: Imanuel Greenfeld <imanuel.greenfeld1 at ntlworld.com>; kerberos at mit.edu
Cc: 'Simo Sorce' <simo at redhat.com>
Subject: RE: Different realms
"Imanuel Greenfeld" <imanuel.greenfeld1 at ntlworld.com> writes:
> Robbie Harwood <rharwood at redhat.com> writes:
>> "Imanuel Greenfeld" <imanuel.greenfeld1 at ntlworld.com> writes:
>>
>>> I have 2 domains which there is no trust between them.
>>
>> Do you have two realms (A and B), with two machines (machine_a in A,
>> and machine_b in B), and two services (service_a on machine_a, and
>> service_b on machine_b)?
>
> Yes
>
>> I'm not overly familiar with the Java bindings, but this isn't
>> something one really wants to be doing in Kerberos.
>
> So how can I pass the Kerberos authentication is there is no trust
> between the realms ?
Without a trust, service_a has no way to *prove* to service_b the identity
of the user who is connecting to service_a.
Now, depending on what you're doing, this may not matter - maybe whatever
service_b is doing doesn't care about that. If that's the case, then
service_a just needs a credential to authenticate against service_b with.
(This will come from realm B.)
For making Kerberized HTTP requests, the best approach is, as Simo says, to
use something like mod_auth_gssapi on the server. You're in Java, not
Python, on the client, so you won't be able to use requests-gssapi; I'm not
sure if there is a SPNEGO module for Java.
You can, however, look at how the token is generated by requests-gssapi and
make similar GSSAPI calls from Java - the function is
generate_request_header()
https://github.com/pythongssapi/requests-gssapi/blob/master/requests_gssapi/
gssapi_.py#L139-L150
https://github.com/pythongssapi/requests-gssapi/blob/master/requests_gssapi/
gssapi_.py#L63
>> What is the actual, higher level thing you are trying to accomplish?
>
> As explained, I'm sending HTTP rest JSON request from machine_a to
> machine_b endpoint but I'm getting Unauthorised 401 error, so I'm
> trying to incorporate into the HTTP JSON request the keytab which is
> on machine_a to pass the authentication.
Let me ask a different way. Why are you doing this at all?
On another note: your email replies are very difficult to read. At the very
least, please use blank lines to separate your replies from the text you are
replying to, and make your quoting levels work correctly.
Thanks,
--Robbie
More information about the Kerberos
mailing list