[38190] in Kerberos
RE: Different realms
daemon@ATHENA.MIT.EDU (Robbie Harwood)
Sun Jan 28 04:31:11 2018
From: Robbie Harwood <rharwood@redhat.com>
To: Imanuel Greenfeld <imanuel.greenfeld1@ntlworld.com>, kerberos@mit.edu
In-Reply-To: <004301d396ed$734cb9a0$59e62ce0$@ntlworld.com>
Date: Sun, 28 Jan 2018 10:30:39 +0100
Message-ID: <jlg1sianxds.fsf@redhat.com>
MIME-Version: 1.0
Cc: "'Simo Sorce'" <simo@redhat.com>
"Imanuel Greenfeld" <imanuel.greenfeld1@ntlworld.com> writes:
> Robbie Harwood <rharwood@redhat.com> writes:
>> "Imanuel Greenfeld" <imanuel.greenfeld1@ntlworld.com> writes:
>>
>>> I have 2 domains which there is no trust between them.
>>
>> Do you have two realms (A and B), with two machines (machine_a in A,
>> and machine_b in B), and two services (service_a on machine_a, and
>> service_b on machine_b)?
>
> Yes
>
>> I'm not overly familiar with the Java bindings, but this isn't
>> something one really wants to be doing in Kerberos.
>
> So how can I pass the Kerberos authentication if there is no trust
> between the realms?
Without a trust, service_a has no way to *prove* to service_b the
identity of the user who is connecting to service_a.
Now, depending on what you're doing, this may not matter - maybe
whatever service_b is doing doesn't care about that. If that's the
case, then service_a just needs a credential to authenticate against
service_b with. (This will come from realm B.)
For making Kerberized HTTP requests, the best approach is, as Simo says,
to use something like mod_auth_gssapi on the server. You're in Java,
not Python, on the client, so you won't be able to use requests-gssapi;
I'm not sure if there is a SPNEGO module for Java.
You can, however, look at how the token is generated by requests-gssapi
and make similar GSSAPI calls from Java - the function is
generate_request_header()
https://github.com/pythongssapi/requests-gssapi/blob/master/requests_gssapi/gssapi_.py#L139-L150
https://github.com/pythongssapi/requests-gssapi/blob/master/requests_gssapi/gssapi_.py#L63
>> What is the actual, higher level thing you are trying to accomplish?
>
> As explained, I'm sending HTTP rest JSON request from machine_a to
> machine_b endpoint but I'm getting Unauthorised 401 error, so I'm
> trying to incorporate into the HTTP JSON request the keytab which is
> on machine_a to pass the authentication.
Let me ask a different way. Why are you doing this at all?
On another note: your email replies are very difficult to read. At the
very least, please use blank lines to separate your replies from the
text you are replying to, and make your quoting levels work correctly.
Thanks,
--Robbie
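The Java side of what the reply above describes, as an added example that is not part of the original thread or of requests-gssapi: it does in JGSS what generate_request_header() does with python-gssapi (one SPNEGO initiator token, base64-encoded into an "Authorization: Negotiate" header), and it takes the credential from a keytab the way the earlier paragraph says it must, i.e. for a principal issued by realm B, since without a trust a realm-A principal cannot authenticate to service_b. The principal svc-a@B.EXAMPLE, the keytab path /etc/svc-a.keytab, the service name HTTP@machine_b.example.com and the URL are hypothetical placeholders.

```java
// Added example, not code from the original thread. Builds a SPNEGO
// "Negotiate" header from Java with JGSS, using a keytab for a principal
// that realm B issued (assumed names; replace with the real ones).
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class SpnegoClient {
    // SPNEGO mechanism OID (plain Kerberos v5 would be 1.2.840.113554.1.2.2).
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** In-code JAAS configuration: log in from a keytab, no ticket cache, no prompting. */
    static Configuration keytabConfig(String principal, String keytab) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");       // keep the key so a TGT can be obtained later
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", "true");
        opts.put("refreshKrb5Config", "true");
        AppConfigurationEntry entry = new AppConfigurationEntry(
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    /** JGSS equivalent of generate_request_header(): one initiator token, base64-encoded. */
    static String negotiateHeader(String hostBasedService) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName server = manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(server, new Oid(SPNEGO_OID), null,
                                               GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        String header = "Negotiate " + Base64.getEncoder().encodeToString(token);
        ctx.dispose();   // one-shot: the server's reply token is not fed back here
        return header;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical names; the principal must belong to realm B, not realm A.
        String principal = "svc-a@B.EXAMPLE";
        String keytab = "/etc/svc-a.keytab";
        String service = "HTTP@machine_b.example.com";
        String url = "https://machine_b.example.com/api/resource";

        // Make JGSS take credentials from the JAAS Subject instead of a ticket cache.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
        LoginContext lc = new LoginContext("client", null, null, keytabConfig(principal, keytab));
        lc.login();
        Subject subject = lc.getSubject();

        int status = Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () -> {
            HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
            conn.setRequestProperty("Authorization", negotiateHeader(service));
            conn.setRequestProperty("Accept", "application/json");
            return conn.getResponseCode();   // 200 rather than 401 once the token is accepted
        });
        System.out.println("HTTP status: " + status);
        lc.logout();
    }
}
```

Two caveats a practitioner should keep in mind. The token is generated once per request, exactly as generate_request_header() does it, so the mutual-authentication half is skipped: a server such as mod_auth_gssapi returns a final "WWW-Authenticate: Negotiate <token>" on the successful response, and that token should be passed back into initSecContext() before the context is disposed if the client wants to verify the server. And the keytab on machine_a is only useful here if it holds a realm-B key; a realm-A keytab lets service_a authenticate to realm A, which, without a trust, proves nothing to service_b.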
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos