[37975] in Kerberos
Re: Fwd: Testing 3 Kerberos realms from same server
daemon@ATHENA.MIT.EDU (David A. Kovacic)
Mon May 1 19:08:54 2017
To: Tareq Alrashid <tma@case.edu>, David Kovacic <dak@case.edu>,
Greg Hudson <ghudson@mit.edu>
From: "David A. Kovacic" <david.kovacic@case.edu>
Message-ID: <5e6b1369-5fd6-f32d-78a9-009d8e965229@case.edu>
Date: Mon, 1 May 2017 16:10:05 -0400
In-Reply-To: <83BC6D13-D6EE-4CF0-AF59-8588F5F6EA3E@case.edu>
Cc: kerberos@mit.edu
Unfortunately we are not using kadmin and do not have the ability to set
the "-r" flag in this case. We are trying to create test programs in
perl and python that test the KDC functionality so that when we upgrade
we can test development, test, and production servers all from the same
machine rather than having to log in to each admin server for each realm
to run our test program.
The perl programs use Authen::Krb5::Admin and the python program uses
python-kadmin to try the tests - both of which use the Kerberos
libraries to implement the "init with keytab" routine to produce an
admin object with which we can manipulate principals, policies, etc.
The keytabs have the appropriate services and hosts defined in them and
we are using a connection "client" in both the perl and python instances of
<admin service>/<host of client>@<realm> (eg:
"my-admin@myhost@MYREALM.EXAMPLE.COM")
and the keytab which is correctly defined in the krb5.conf file. We are
pretty sure the keytab and krb5.conf file are correct since we get the
proper admin object when the default realm and the test realm are the
same. When the realms DON'T match we are getting an error of
{'errno': 43787566L, 'message': 'GSS-API (or Kerberos) error'}
On 5/1/17 3:17 PM, Tareq Alrashid wrote:
>
>
>> Begin forwarded message:
>>
>> From: Greg Hudson <ghudson@mit.edu>
>> Subject: Re: Testing 3 Kerberos realms from same server
>> Date: May 1, 2017 at 2:47:19 PM EDT
>> To: Tareq Alrashid <tareq@qerat.com>, kerberos@mit.edu
>>
>> On 05/01/2017 11:04 AM, Tareq Alrashid wrote:
>> [...]
>>> Code written in Python simply loops through each of the 3 realms,
>>> kinit with the keytab performs a few kadmin operations and either
>>> passes or fails.
>>>
>>> The strange result is that only the realm name set by “default_realm
>>> =“, pass and all others fail! If I manually change value to one of
>>> the other realm names; yep! same corresponding result.
>>
>> Without specifics it's hard to be sure, but my guess would be that you
>> need to use the kadmin -r option.
>>
>> I recently wrote up some documentation text going over the effects of
>> the default_realm setting; you can find it here:
>>
>>
>> http://web.mit.edu/kerberos/krb5-latest/doc/admin/host_config.html#default-realm
>
-- 
David A. Kovacic
Sr. Technical Lead
Enterprise Systems
University Technology, [U]Tech
Case Western Reserve University
Email: david.kovacic@case.edu
Phone: 216.368.5892
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
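
Added example, not part of the original message or of either poster's code: the message reports that the admin connection succeeds only for the realm named by default_realm, so one way to test several realms from one machine is to run each realm's test in a child process with its own krb5.conf, selected through the MIT krb5 KRB5_CONFIG environment variable. The realm and host names and the TEST_REALM variable are constructed placeholders, and that this avoids the error quoted above is an assumption.

```python
import os
import re
import subprocess
import sys
import tempfile

# Constructed sample config; realm and host names are placeholders.
BASE_KRB5_CONF = """\
[libdefaults]
    default_realm = DEV.EXAMPLE.COM

[realms]
    DEV.EXAMPLE.COM = { admin_server = kadm-dev.example.com }
    TEST.EXAMPLE.COM = { admin_server = kadm-test.example.com }
    PROD.EXAMPLE.COM = { admin_server = kadm-prod.example.com }
"""

_DEFAULT_REALM = re.compile(r"^(\s*default_realm\s*=\s*)\S+", re.MULTILINE)

def conf_for_realm(base_conf, realm):
    """Return base_conf with default_realm rewritten to `realm`."""
    new_conf, count = _DEFAULT_REALM.subn(lambda m: m.group(1) + realm, base_conf)
    if count != 1:
        raise ValueError("expected exactly one default_realm line, found %d" % count)
    if not re.search(r"^\s*%s\s*=" % re.escape(realm), new_conf, re.MULTILINE):
        raise ValueError("realm %s has no [realms] entry" % realm)
    return new_conf

def run_in_realm(realm, test_cmd, base_conf=BASE_KRB5_CONF):
    """Run test_cmd in a child process whose default realm is `realm`."""
    # KRB5_CONFIG is read by the Kerberos libraries when the child starts,
    # so each realm's test sees its own default_realm.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write(conf_for_realm(base_conf, realm))
    try:
        env = dict(os.environ, KRB5_CONFIG=f.name, TEST_REALM=realm)
        return subprocess.run(test_cmd, env=env).returncode
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <test command> [args...]" % sys.argv[0])
    for realm in ("DEV.EXAMPLE.COM", "TEST.EXAMPLE.COM", "PROD.EXAMPLE.COM"):
        rc = run_in_realm(realm, sys.argv[1:])
        print("%s: %s" % (realm, "pass" if rc == 0 else "fail (exit %d)" % rc))
```

The test command is the existing per-realm test program; it reads the hypothetical TEST_REALM variable to pick its client principal and keytab.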