First of all, I would like to tell you that I'm French, and I apologize for my English.
So, here is the current configuration of my network:
- One KDC on "TESTING.TR" domain (Debian-8.3.0)
- One client to that domain (Debian-8.3.0),
- Another KDC on "KERBEROS.KR" domain (Debian-8.3.0),
- Another client to that second domain (Debian-8.3.0),
- And a last Debian-8.3.0 machine on which a Python script based on HTTPServer runs with the "python-kerberos" library.
All is working fine: when I use a client to reach the Python script, it lets me access the "/index.html" page if I have a TGT.
The difference between the hosts' domains is made by the "/etc/hosts" files.
Then, to contact the appropriate KDC depending on which client is requesting the Python script, I use a keytab with the 2 following services in it:
So in my script, I specified the two services with:
Again, all is working fine! (On Debian....)
Indeed, when I try to use that script on FreeBSD 10.1, I meet the following problem:
I have to specify "default_realm" in /etc/krb5.conf; if not, the "authGSSServerInit("HTTP@bsd."+realm)" method can't initialise the Kerberos context with the keytab. I am persuaded that the "gss_import_name()" function fails to append "@KERBEROS.KR" or "@TESTING.TR" according to the service "bsd.testing.tr" or "bsd.kerberos.kr".
So I would like to know how to set the service without setting "default_realm" in /etc/krb5.conf.
In Debian-8.3.0 I don't have this problem: "default_realm" is not specified and all is working fine.
Any help would be very much appreciated. I have read the python-kerberos and libkrb5-1.4 source code but I can't find any solution to my problem; apparently it is the "gss_import_name()" function that causes the problem.
I can paste the content of my configuration files if you want.
On 03/22/2016 05:17 PM, Kevin wrote:
> Again, all is working fine! (On Debian....)
> Indeed, when I try to use that script on FreeBSD 10.1, I meet the
> following problem:
This probably isn't the best list to ask. [hidden email] is for
discussion about the development of MIT krb5, whereas this question
appears to be a user question about Heimdal (assuming you are using the
native Kerberos binaries on FreeBSD). [hidden email] is
appropriate for questions about Heimdal. Alternatively,
[hidden email] is appropriate for questions about any Kerberos
implementation. For simplicity, I will try to answer here anyway.
For the FreeBSD machine, you might find it sufficient to add
[domain_realm] directives to krb5.conf like so:
Another option is to change your Python script to pass an empty string
("") to authGSSServerInit(). That should allow the server to receive
authentications to any service in the keytab--although you may need to
check which one the client authenticated to using authGSSServerTargetName().
krbdev mailing list [hidden email] https://mailman.mit.edu/mailman/listinfo/krbdev