Unfortunately we are not using kadmin and do not have the ability to set the "-r" flag in this case. We are trying to create test programs in perl and python that test the KDC functionality so that when we upgrade we can test development, test, and production servers all from the same machine rather than having to log in to each admin server for each realm to run our test program.
The perl programs use Authen::Krb5::Admin and the python program uses python-kadmin to try the tests - both of which use the Kerberos libraries to implement the "init with keytab" routine to produce an admin object with which we can manipulate principals, policies, etc.

The keytabs have the appropriate services and hosts defined in them and we are using a connection "client" in both the perl and python instances of <admin service>/<host of client>@<realm> (eg: "my-admin@myh...@myrealm.example.com") and the keytab which is correctly defined in the krb5.conf file.

We are pretty sure the keytab and krb5.conf file are correct since we get the proper admin object when the default realm and the test realm are the same. When the realms DON'T match we are getting an error of

{'errno': 43787566L, 'message': 'GSS-API (or Kerberos) error'}

On 5/1/17 3:17 PM, Tareq Alrashid wrote:
>
>> Begin forwarded message:
>>
>> From: Greg Hudson <ghud...@mit.edu>
>> Subject: Re: Testing 3 Kerberos realms from same server
>> Date: May 1, 2017 at 2:47:19 PM EDT
>> To: Tareq Alrashid <ta...@qerat.com>, kerberos@mit.edu
>>
>> On 05/01/2017 11:04 AM, Tareq Alrashid wrote:
>> [...]
>>> Code written in Python simply loops through each of the 3 realms,
>>> kinit with the keytab performs a few kadmin operations and either
>>> passes or fails.
>>>
>>> The strange result is that only the realm name set by "default_realm
>>> =", pass and all others fail! If I manually change value to one of
>>> the other realm names; yep! same corresponding result.
>>
>> Without specifics it's hard to be sure, but my guess would be that you
>> need to use the kadmin -r option.
>>
>> I recently wrote up some documentation text going over the effects of
>> the default_realm setting; you can find it here:
>>
>> http://web.mit.edu/kerberos/krb5-latest/doc/admin/host_config.html#default-realm
>

--
David A. Kovacic
Sr. Technical Lead
Enterprise Systems
University Technology, [U]Tech
Case Western Reserve University
Email: david.kova...@case.edu
Phone: 216.368.5892
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos