Many thanks for the pointers regarding this. We are successfully running cross-realm tests in at least the perl environment. I do not believe that python has a mechanism to allow the same but will investigate further on that as time permits.
On 5/1/17 7:37 PM, Russ Allbery wrote:
> "David A. Kovacic" <david.kova...@case.edu> writes:
>
>> Unfortunately we are not using kadmin and do not have the ability to set the "-r" flag in this case. We are trying to create test programs in perl and python that test the KDC functionality so that when we upgrade we can test development, test, and production servers all from the same machine rather than having to log in to each admin server for each realm to run our test program.
>
>> The perl programs use Authen::Krb5::Admin and the python program uses python-kadmin to try the tests - both of which use the Kerberos libraries to implement the "init with keytab" routine to produce an admin object with which we can manipulate principals, policies, etc.
>
> For Perl, create an Authen::Krb5::Config object, set realm, and pass it into your other kadmin operations as the $krb5_config parameter. See the Authen::Krb5::Config documentation. I assume python-kadmin has some similar mechanism.
>
>> The keytabs have the appropriate services and hosts defined in them and we are using a connection "client" in both the perl and python instances of
>> <admin service>/<host of client>@<realm> (eg: "my-admin@myh...@myrealm.example.com")
>> and the keytab which is correctly defined in the krb5.conf file. We are pretty sure the keytab and krb5.conf file are correct since we get the proper admin object when the default realm and the test realm are the same.
>
> You have to explicitly set the realm in your authentication call if it doesn't match the default realm. There's no way that Kerberos can figure this out from the keytab since cross-realm authentication is valid in Kerberos, so you may well want to be using a key from one realm to authenticate to a different realm.

-- 
David A. Kovacic
Sr. Technical Lead, Enterprise Systems
University Technology, [U]Tech
Case Western Reserve University
Email: david.kova...@case.edu
Phone: 216.368.5892
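One way to do the Perl side of what Russ describes, as an added example that is not code from this thread or from the Authen::Krb5::Admin distribution itself: a per-realm config object with the realm set explicitly, passed into the keytab-based init call, followed by a read-only lookup that confirms the KDC answered for the realm that was asked for. It assumes the module's Authen::Krb5::Admin::Config class with realm/admin_server accessors and the init_with_skey method for keytab authentication, as documented for the module; all realm names, hostnames, principals and keytab paths are constructed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::Krb5;
use Authen::Krb5::Admin;

# Constructed test matrix (placeholders): one entry per realm to exercise.
# The admin principal carries its realm explicitly, because the library
# cannot infer it from the keytab: a key from one realm may legitimately be
# used to authenticate to another (cross-realm), so there is nothing to guess.
my @targets = (
    { realm => 'DEV.EXAMPLE.COM',  server => 'kdc-dev.example.com',
      keytab => '/etc/krb5/test-dev.keytab' },
    { realm => 'PROD.EXAMPLE.COM', server => 'kdc.example.com',
      keytab => '/etc/krb5/test-prod.keytab' },
);

Authen::Krb5::init_context();

sub check_realm {
    my ($t) = @_;
    my $client  = "my-admin/testhost.example.com\@$t->{realm}";
    my $service = "kadmin/admin\@$t->{realm}";

    # Per-realm config: realm and admin server are set here rather than
    # taken from default_realm in krb5.conf (assumed accessor names).
    my $cfg = Authen::Krb5::Admin::Config->new;
    $cfg->realm($t->{realm});
    $cfg->admin_server($t->{server});

    # Keytab ("skey") authentication with the config passed as the
    # $krb5_config parameter.
    my $kadm = Authen::Krb5::Admin->init_with_skey(
        $client, $t->{keytab}, $service, $cfg)
        or return "$t->{realm}: auth failed: " . Authen::Krb5::Admin::error();

    # Read-only smoke test: look up our own principal and check that the
    # realm in the reply is the one we targeted, not the default realm.
    my $p = $kadm->get_principal($client)
        or return "$t->{realm}: lookup failed: " . Authen::Krb5::Admin::error();
    my $seen = $p->principal->realm;
    return "$t->{realm}: OK (KDC realm $seen)" if $seen eq $t->{realm};
    return "$t->{realm}: MISMATCH, KDC reported realm $seen";
}

print check_realm($_), "\n" for @targets;
```

Keep the test keytabs readable only by the account that runs the checks; each one holds a key that can authenticate as an admin principal in its realm.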
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos