Why I'm getting 'No credentials cache found' on SSO using pyKerberos (authGSSClientStep)?

Question

I use SLES11 with a Python2.6 and Apache Web-Application. I have a Active Directory Server with Kerberos and I want to use SSO with my Application.

I already created a service principal HTTP/host.example.org in domain EXAMPLE.ORG. This user is mapped to a dummy user app.dmy@EXAMPLE.ORG.

Kerberos works fine on Linux client and i can init the service principal

kinit -s HTTP/host.example.org app.dmy@EXAMPLE.ORG

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: app.dmy@EXAMPLE.ORG

Valid starting     Expires            Service principal
09/28/15 14:27:27  09/28/15 14:37:27  HTTP/host.example.org@EXAMPLE.ORG


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

my /etc/krb5.conf looks like:

  1 [libdefaults]
  2         ticket_lifetime = 600
  3         default_realm = EXAMPLE.ORG
  4         kdc_req_checksum_type = 2
  5         checksum_type = 2
  6         ccache_type = 1
  7         clockskew = 300
  8
  9 [kdc]
 10         profile = /var/lib/kerberos/krb5kdc/kdc.conf
 11
 12 [logging]
 13         kdc = FILE:/var/log/krb5/kdc.log
 14         admin_server = FILE:/var/log/krb5/adm.log
 15         default = FILE:/var/log/krb5/log.log
 16
 17 [realms]
 18 EXAMPLE.ORG = {
 19         kdc = adserver.example.org:88
 20         admin_server = adserver.example.org:749
 21         default_domain = EXAMPLE.ORG
 22 }
 23
 24 [domain_realm]
 25         example.org = EXAMPLE.ORG
 26         .example.org = EXAMPLE.ORG
 27
 28 [login]
 29         krb4_convert = 0

 30 [appdefaults]
 31         pam = {
 32                 ticket_lifetime = 1d
 33                 renew_lifetime = 1d
 34                 forwardable = true
 35                 proxiable = false
 36                 minimum_uid = 1
 37                 clockskew = 300
 38                 external = sshd
 39                 use_shmem = sshd
 40         }

If i use authentication via apache and mod_auth_kerb SSO works fine. But i want to have more control about the connection so disabled apache authentification and wrote my own module in python (cherrypy framework).

I installed pyKerberos (Kerberos1.2.2 dosn't work and python crash with segmentation fault).

Here my python code:

import kerberos
import base64

service = 'HTTP'
hostname = 'host.example.org'
# env.log(kerberos.checkPassword('app.dmy', 'xxx', service, 'EXAMPLE.ORG')
''' for testing works fine '''
spn = kerberos.getServerPrincipalDetails(service, hostname)
''' result service principla from keytab 
    HTTP/host.example.org@EXAMPLE.ORG'''
status, _ctxt = kerberos.authGSSClientInit(spn)
''' status = 1, _ctxt = context object '''
kerberos.authGSSClientStep(_ctxt, base64.b64encode(""))

I get following result in logs:

(('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No credentials cache found', -1765328189))

The cache file exist in tmp and the spn is registed with kinit.

score 0 · Answer 1 · answered Oct 01 '15 at 08:25

You're calling the wrong routines. This is the server side: the GSSAPI acceptor, the one authenticating the HTTP client. You need to call authGSSServer{Init,Step}; in terms of actual GSSAPI calls being made, gss_accept_sec_context(). You are calling gss_init_sec_context() instead, which complains that there are no credentials available in the form of a TGT in the default ccache that it can use to get a ticket for the server. Servers in Kerberos do not need the same sort of credential; instead, they have a keytab with their long-term keys, and do not need to contact a KDC in order to authenticate clients.

Why I'm getting 'No credentials cache found' on SSO using pyKerberos (authGSSClientStep)?

1 Answers1