[37974] in Kerberos
Re: Fwd: Testing 3 Kerberos realms from same server
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon May 1 17:27:43 2017
To: "David A. Kovacic" <david.kovacic@case.edu>,
    Tareq Alrashid <tma@case.edu>, David Kovacic <dak@case.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <a96c9e9f-d6e8-e9e9-6372-2b975ec9706f@mit.edu>
Date: Mon, 1 May 2017 17:27:21 -0400
In-Reply-To: <5e6b1369-5fd6-f32d-78a9-009d8e965229@case.edu>
Cc: kerberos@mit.edu

On 05/01/2017 04:10 PM, David A. Kovacic wrote:
> The perl programs use Authen::Krb5::Admin and the python program uses
> python-kadmin to try the tests - both of which use the Kerberos
> libraries to implement the "init with keytab" routine to produce an
> admin object with which we can manipulate principals, policies, etc.

python-kadmin does not appear to be able to use a non-default realm.
Looking at the source code, PyKAdminObject_new() loads the default realm
into the object's realm field (with no means of caller override), and in
kadmin.c, the various kadm5_init_with_*() calls all provide an empty
params object, not one with a realm set.

Authen::Krb5::Admin looks like it might have the ability to use a
non-default realm, but I'm not as familiar with Perl so it would take me
a while to figure out the details.

> When the realms DON'T match we are getting an error of
>
> {'errno': 43787566L, 'message': 'GSS-API (or Kerberos) error'}

Unfortunately, the error messages for anything going through gssrpc
(including kadmin) are terrible when there is an authentication failure;
we haven't worked out a way to surface the actual error through that
library.
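
An added example, not part of the original message and not code from MIT krb5 or python-kadmin: decoding the com_err code quoted in the thread shows it is offset 46 in the kadm5 ("ovk") error table, a generic wrapper code rather than the underlying Kerberos failure, which is consistent with the point about gssrpc. The function names and the second sample line are constructed for illustration; the name-packing scheme follows com_err's error_table_name().

```python
import re

# Constants as in com_err's error_table_name(): the low 8 bits are the
# offset within a table, the bits above pack the table name 6 bits per char.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789_")
ERRCODE_RANGE = 8
BITS_PER_CHAR = 6


def decode_com_err(code):
    """Return (table_name, table_base, offset) for a 32-bit com_err code."""
    u = code & 0xFFFFFFFF                      # accept signed or unsigned input
    offset = u & ((1 << ERRCODE_RANGE) - 1)
    packed = (u >> ERRCODE_RANGE) & 0xFFFFFF   # 24 bits = up to four characters
    name = ""
    for i in range(3, -1, -1):
        ch = (packed >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if ch:
            name += CHARSET[ch - 1]
    base = u - offset
    if base >= 1 << 31:                        # report the base as a signed long
        base -= 1 << 32
    return name, base, offset


def errno_from_log(line):
    """Pull the errno out of a python-kadmin style error dict in a log line."""
    m = re.search(r"'errno':\s*(-?\d+)L?", line)
    return int(m.group(1)) if m else None


# First line is the error quoted in the thread; the second is constructed.
SAMPLE_LOG = [
    "{'errno': 43787566L, 'message': 'GSS-API (or Kerberos) error'}",
    "{'errno': -1765328378L, 'message': 'constructed sample'}",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        code = errno_from_log(line)
        name, base, offset = decode_com_err(code)
        print(f"{code}: table={name} base={base} offset={offset}")
```

A code that decodes to the "ovk" table came from the kadm5 layer; one that decodes to "krb5" came from the Kerberos library itself.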