"gss_import_name()" and "default_realm"

"gss_import_name()" and "default_realm"

Kevin

Hi everybody,

First of all, I would like to tell you that I'm French, and I apologize for my English.

So, here is the current configuration of my network:
- One KDC on the "TESTING.TR" domain (Debian-8.3.0),
- One client of that domain (Debian-8.3.0),
- Another KDC on the "KERBEROS.KR" domain (Debian-8.3.0),
- Another client of that second domain (Debian-8.3.0),
- And a last Debian-8.3.0 machine on which a Python script based on HTTPServer runs with the "python-kerberos" library.

All is working fine: when I use a client to reach the Python script, it lets me access the "/index.html" page if I have a TGT.
The difference between the hosts' domains is made by the "/etc/hosts" files.

Then, to contact the appropriate KDC depending on which client is requesting the Python script, I use a keytab with the following 2 services in it:
    - HTTP/webapp.testing.tr@TESTING.TR
    - HTTP/webapp.kerberos.kr@KERBEROS.KR

So in my script, I specified the two services by:
    - HTTP@webapp.testing.tr
    - HTTP@webapp.kerberos.kr

Again, all is working fine! (On Debian...)

Indeed, when I try to use that script on a FreeBSD 10.1, I meet the following problem:

I have to specify "default_realm" in /etc/krb5.conf; otherwise the "authGSSServerInit("HTTP@bsd."+realm)" method can't initialise the Kerberos context with the keytab. I am convinced that the "gss_import_name()" function fails to append "@KERBEROS.KR" or "@TESTING.TR" according to the service "bsd.testing.tr" or "bsd.kerberos.kr".

So I would like to know how to set the service without setting "default_realm" in /etc/krb5.conf.

On Debian-8.3.0 I don't have this problem: "default_realm" is not specified and all is working fine.

Any help would be much appreciated. I have read the python-kerberos and libkrb5-1.4 source code but I can't find any solution to my problem; apparently it is the "gss_import_name()" function that causes the problem.

I can paste the content of my configuration files if you want.

Thank you for any help!

Kevin

Re: "gss_import_name()" and "default_realm"

Greg Hudson
On 03/22/2016 05:17 PM, Kevin wrote:
> Again, All is working fine ! (On Debian....)
>
> Indeed, when I try to use that script on a FreeBSD 10.1, I meet the
> following problem:

This probably isn't the best list to ask.  [hidden email] is for
discussion about the development of MIT krb5, whereas this question
appears to be a user question about Heimdal (assuming you are using the
native Kerberos binaries on FreeBSD).  [hidden email] is
appropriate for questions about Heimdal.  Alternatively,
[hidden email] is appropriate for questions about any Kerberos
implementation.  For simplicity, I will try to answer here anyway.

For the FreeBSD machine, you might find it sufficient to add
[domain_realm] directives to krb5.conf like so:

  [domain_realm]
    .testing.tr = TESTING.TR
    .kerberos.kr = KERBEROS.KR

Another option is to change your Python script to pass an empty string
("") to authGSSServerInit().  That should allow the server to receive
authentications to any service in the keytab--although you may need to
check which one the client authenticated to using authGSSServerTargetName().
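As an added illustration (not part of the thread, and not python-kerberos or krb5 code): a simplified Python model of the [domain_realm] lookup that the reply suggests, showing how a host-based name like "HTTP@bsd.kerberos.kr" becomes the keytab principal, and why it cannot when neither a [domain_realm] entry nor default_realm exists. The parser and function names are assumptions of the example; real libraries also consult DNS and other heuristics.

```python
import re

# Constructed krb5.conf fragment matching the [domain_realm] mapping in the reply.
SAMPLE_KRB5_CONF = """\
[domain_realm]
    .testing.tr = TESTING.TR
    .kerberos.kr = KERBEROS.KR
"""

def parse_section(conf_text, section):
    """Return key/value pairs of one flat krb5.conf section (no nested braces)."""
    pairs, current = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            continue
        if current == section and "=" in line:
            key, _, value = line.partition("=")
            pairs[key.strip().lower()] = value.strip()
    return pairs

def host_to_realm(hostname, domain_realm, default_realm=None):
    """Simplified config-only model of host->realm mapping: exact host entry,
    then parent domains with a leading dot, then default_realm. Raising here
    models the FreeBSD failure from the thread (no mapping, no default_realm).
    Real libraries also try DNS and other heuristics (assumption: simplified)."""
    host = hostname.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    if default_realm:
        return default_realm
    raise ValueError("no realm for %s: add a [domain_realm] entry or default_realm" % hostname)

def gss_hostbased_to_principal(gss_name, domain_realm, default_realm=None):
    """'HTTP@webapp.kerberos.kr' -> 'HTTP/webapp.kerberos.kr@KERBEROS.KR',
    the keytab entry the GSS acceptor must find."""
    service, _, host = gss_name.partition("@")
    realm = host_to_realm(host, domain_realm, default_realm)
    return "%s/%s@%s" % (service, host, realm)
```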
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev