[37977] in Kerberos
Re: Fwd: Testing 3 Kerberos realms from same server
daemon@ATHENA.MIT.EDU (David A. Kovacic)
Wed May 3 13:36:49 2017
To: Russ Allbery <eagle@eyrie.org>
From: "David A. Kovacic" <david.kovacic@case.edu>
Message-ID: <a8e36b34-7c8f-25a0-74a7-7eb44d67944f@case.edu>
Date: Wed, 3 May 2017 12:22:58 -0400
In-Reply-To: <87pofsi1yb.fsf@hope.eyrie.org>
Cc: Tareq Alrashid <tma@case.edu>, David Kovacic <dak@case.edu>,
kerberos@mit.edu
Many thanks for the pointers regarding this. We are successfully
running cross-realm tests in at least the perl environment. I do not
believe that python has a mechanism to allow the same but will
investigate further on that as time permits.

On 5/1/17 7:37 PM, Russ Allbery wrote:
> "David A. Kovacic" <david.kovacic@case.edu> writes:
>
>> Unfortunately we are not using kadmin and do not have the ability to set
>> the "-r" flag in this case. We are trying to create test programs in
>> perl and python that test the KDC functionality so that when we upgrade
>> we can test development, test, and production servers all from the same
>> machine rather than having to log in to each admin server for each realm
>> to run our test program.
>> The perl programs use Authen::Krb5::Admin and the python program uses
>> python-kadmin to try the tests - both of which use the Kerberos
>> libraries to implement the "init with keytab" routine to produce an
>> admin object with which we can manipulate principals, policies, etc.
> For Perl, create an Authen::Krb5::Config object, set realm, and pass it
> into your other kadmin operations as the $krb5_config parameter. See the
> Authen::Krb5::Config documentation. I assume python-kadmin has some
> similar mechanism.
>
>> The keytabs have the appropriate services and hosts defined in them and
>> we are using a connection "client" in both the perl and python instances
>> of
>> <admin service>/<host of client>@<realm> (eg:
>> "my-admin@myhost@MYREALM.EXAMPLE.COM")
>> and the keytab which is correctly defined in the krb5.conf file. We are
>> pretty sure the keytab and krb5.conf file are correct since we get the
>> proper admin object when the default realm and the test realm are the
>> same.
> You have to explicitly set the realm in your authentication call if it
> doesn't match the default realm. There's no way that Kerberos can figure
> this out from the keytab since cross-realm authentication is valid in
> Kerberos, so you may well want to be using a key from one realm to
> authenticate to a different realm.
>
--
David A. Kovacic
Sr. Technical Lead
Enterprise Systems
University Technology, [U]Tech
Case Western Reserve University
Email: david.kovacic@case.edu
Phone: 216.368.5892
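
The approach described in this thread, as an added example that is not code from either poster: a Perl smoke test that opens a keytab-authenticated kadmin connection to each of three realms from one host by setting the realm on a per-connection config object. It uses the Authen::Krb5::Admin::Config class from the Authen::Krb5::Admin distribution; the realm names, host name, `my-admin` principal and keytab paths are placeholders, and the principal needs the kadmin "list" privilege for the final check.

```perl
#!/usr/bin/perl
# Added example: read-only kadmind check across several realms from one host.
use strict;
use warnings;
use Authen::Krb5;
use Authen::Krb5::Admin qw(:constants);

# Placeholder values (assumptions): substitute your own realms and keytabs.
my $host    = 'myhost.example.com';
my @targets = (
    { realm => 'DEV.EXAMPLE.COM',  keytab => '/etc/krb5/dev-admin.keytab'  },
    { realm => 'TEST.EXAMPLE.COM', keytab => '/etc/krb5/test-admin.keytab' },
    { realm => 'PROD.EXAMPLE.COM', keytab => '/etc/krb5/prod-admin.keytab' },
);

Authen::Krb5::init_context() or die "cannot initialise krb5 context\n";

# Open a kadmin handle for one realm. The realm is set explicitly in two
# places: on the config object (which kadmind to contact) and on the client
# principal (which keytab entry to use), so default_realm is never consulted.
sub connect_realm {
    my ($t) = @_;
    my $config = Authen::Krb5::Admin::Config->new;
    $config->realm($t->{realm});
    my $client = "my-admin/$host\@$t->{realm}";
    return Authen::Krb5::Admin->init_with_skey(
        $client, $t->{keytab}, KADM5_ADMIN_SERVICE, $config);
}

my $failed = 0;
for my $t (@targets) {
    my $kadm5 = connect_realm($t);
    unless ($kadm5) {
        warn "$t->{realm}: connect failed: " . Authen::Krb5::Admin::error() . "\n";
        $failed++;
        next;
    }
    # Read-only probe: every realm has a krbtgt principal, so an empty
    # result means the query failed or the principal lacks list privilege.
    my @tgts = $kadm5->get_principals('krbtgt/*');
    if (@tgts) {
        print "$t->{realm}: ok (" . scalar(@tgts) . " krbtgt principals)\n";
    } else {
        warn "$t->{realm}: list failed: " . Authen::Krb5::Admin::error() . "\n";
        $failed++;
    }
}
exit($failed ? 1 : 0);
```

Each realm still needs a `[realms]` entry with its `admin_server` in krb5.conf, and the keytabs should be readable only by the account that runs the test.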
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos