"gss_import_name()" and "default_realm"

Kevin kevin.guillemot at laposte.net
Tue Mar 22 17:17:46 EDT 2016

Hi everybody, 

First of all, I would like to tell you that I'm French, and I apologize for
my speaking.

So, here is the current configuration of my network:
- One KDC on the "TESTING.TR" domain (Debian-8.3.0),
- One client of that domain (Debian-8.3.0),
- Another KDC on the "KERBEROS.KR" domain (Debian-8.3.0),
- Another client of that second domain (Debian-8.3.0),
- And a last Debian-8.3.0 machine on which a Python script based on
HTTPServer runs with the "python-kerberos" library.

All is working fine: when I use a client to reach the Python script, it lets
me access the "/index.html" page if I have a TGT.
The difference between the hosts' domains is made by "/etc/hosts" files.

Then, to contact the appropriate KDC depending on which client is requesting
the Python script, I use a keytab with the 2 following services in it:
    - HTTP/webapp.testing.tr@TESTING.TR
    - HTTP/webapp.kerberos.kr@KERBEROS.KR

So in my script, I specified the two services as:
    - HTTP@webapp.testing.tr
    - HTTP@webapp.kerberos.kr

Again, all is working fine! (On Debian...)

Indeed, when I try to use that script on FreeBSD 10.1, I run into the
following problem:

I have to specify the "default_realm" in /etc/krb5.conf; if not, the
"authGSSServerInit("HTTP@bsd."+realm)" method can't initialise the Kerberos
context with the keytab. I am persuaded that the "gss_import_name()"
function failed to put "@KERBEROS.KR" or "@TESTING.TR" according to the
service "bsd.testing.tr" or "bsd.kerberos.kr".

So I would like to know how to set the service without setting the
"default_realm" in /etc/krb5.conf.

In Debian-8.3.0 I don't have this problem: the "default_realm" is not
specified and all is working fine.

Any help would be much appreciated. I have read the python-kerberos and
libkrb5-1.4 source code but I can't find any solution to my problem;
apparently it is the "gss_import_name()" function that causes the problem.

I can paste the content of my configuration files if you want.

Thank you for any help!

