Kerberos authentication using GSSAPI
Fan, Jan-fon
jan-fon.fan at intel.com
Thu May 23 17:22:20 EDT 2019
Hi Simo,
Yes, I can use a Kerberos client script in Python to authenticate successfully.
Below is the result of the Python script, in which you can see that I can get the key from the KDC after being authenticated.
iscca3005:jfan:252: KerberosTicket.py
Got key and prepare for web service call:
'Authorization': 'Negotiate <token omitted>'
Thank you.
Jan
-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com]
Sent: Thursday, May 23, 2019 1:04 PM
To: Fan, Jan-fon <jan-fon.fan at intel.com>; Cyrus-sasl at lists.andrew.cmu.edu
Subject: Re: Kerberos authentication using GSSAPI
Are you able to obtain proper Kerberos credentials outside of SASL?
I would make sure you can manually get that going first.
Simo.
On Thu, 2019-05-23 at 18:47 +0000, Fan, Jan-fon wrote:
> Hi,
> I have been using a Python client script to do the authentication in our Linux environment and it's working properly.
> Now I need to write a C program to do the authentication and I am choosing Cyrus 2.1.27.
> After installation, I ran pluginviewer and it showed:
>
> Installed and properly configured SASL (client side) mechanisms are:
> GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
> Available SASL (client side) mechanisms matching your criteria are:
> GS2-IAKERB GS2-KRB5 GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 PLAIN ANONYMOUS
>
> So I think the installation is OK.
>
> But after more than one week of trying, I am not able to make it work. Currently I get a "generic failure" error message from sasl_client_step.
> I would appreciate it if someone could send me a sample client program using the GSSAPI mechanism.
> Below is my code:
>
> int result;
> const char *data;
> unsigned len;
> const char *sasl_impl, *sasl_ver;
> sasl_interact_t *interactions = NULL;
> sasl_conn_t *conn;
> const char *chosenmech;
> char buf[2048];
>
> sasl_security_properties_t secprops = {56, 256, 2048,
> SASL_SEC_PASS_CREDENTIALS, NULL, NULL };
>
> sasl_callback_t callbacks[] = {
> { SASL_CB_AUTHNAME, NULL, NULL },
> { SASL_CB_PASS, NULL, NULL },
> { SASL_CB_LIST_END, NULL, NULL }};
>
> result = sasl_client_init(callbacks);
>
> result = sasl_client_new("HTTP", "SCVIMOPXJDAPP01.INTEL.COM", NULL,
> NULL, NULL, callbacks, SASL_SUCCESS_DATA, &conn);
>
> sasl_setprop(conn, SASL_SEC_PROPS, &secprops);
>
> result=sasl_client_start(conn, "GSSAPI", &interactions, &data, &len,
> &chosenmech);
>
> result = sasl_client_step(conn, NULL, NULL, NULL, &data, &len);
> while (result == SASL_CONTINUE) {
>     strcpy(buf, data);
>     data=NULL;
>     result = sasl_client_step(conn, buf, len, NULL, &data, &len);
> }
>
> After the while loop, the result is -1 (generic failure).
>
> Thanks,
> Jan
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
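
Added example, not part of the thread and not Cyrus SASL code: the quoted loop copies the mechanism output with `strcpy(buf, data)`, but `sasl_client_start` and `sasl_client_step` return a byte string together with its length, and a GSSAPI token may contain zero bytes. The code below uses only standard C to show a length-aware, bounds-checked copy followed by the base64 encoding used in the `Authorization: Negotiate` header; `copy_token`, `b64_encode`, `negotiate_header` and `SAMPLE_TOKEN` are hypothetical names, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample bytes (not a real ticket). The 0x00 at offset 2 means
 * strlen()/strcpy() would see only 2 of the 6 bytes. */
static const char SAMPLE_TOKEN[6] = { 0x60, 0x06, 0x00, 0x2b, 0x06, 0x01 };

/* Length-aware copy: keeps embedded zero bytes, refuses oversize input. */
int copy_token(unsigned char *dst, size_t cap, const char *src, size_t len)
{
    if (src == NULL || len > cap) return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Base64-encode len bytes into out (NUL-terminated); returns length or -1. */
int b64_encode(const unsigned char *in, size_t len, char *out, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i, o = 0;
    if (4 * ((len + 2) / 3) + 1 > cap) return -1;
    for (i = 0; i < len; i += 3) {
        unsigned long v = (unsigned long)in[i] << 16;
        if (i + 1 < len) v |= (unsigned long)in[i + 1] << 8;
        if (i + 2 < len) v |= in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < len) ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "Authorization: Negotiate <base64>" from a raw token; 0 or -1. */
int negotiate_header(const char *tok, size_t len, char *hdr, size_t cap)
{
    unsigned char raw[2048];   /* same size as buf in the quoted code */
    char b64[2736];            /* >= 4 * ceil(2048 / 3) + 1 */
    int n;
    if (copy_token(raw, sizeof raw, tok, len) != 0 ||
        b64_encode(raw, len, b64, sizeof b64) < 0) return -1;
    n = snprintf(hdr, cap, "Authorization: Negotiate %s", b64);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void)
{
    char hdr[128];
    if (negotiate_header(SAMPLE_TOKEN, sizeof SAMPLE_TOKEN, hdr, sizeof hdr) == 0)
        puts(hdr);             /* Authorization: Negotiate YAYAKwYB */
    return 0;
}
```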