I am trying to run code that verifies an Authorization token from the client. I wrote this code inside a function:

    host = 'site_address'
    state = None
    service_name = f'HTTP@{host}'
    try:
        # Create the server-side GSSAPI context for the HTTP service principal
        rc, state = kerberos.authGSSServerInit(service_name)
        if rc != kerberos.AUTH_GSS_COMPLETE:
            return None
        # Validate the client's token against the keytab
        rc = kerberos.authGSSServerStep(state, token)  # <<<<< !!! ERROR !!!
        if rc == kerberos.AUTH_GSS_COMPLETE:
            self.kerberos_token = kerberos.authGSSServerResponse(state)
            self.kerberos_user = kerberos.authGSSServerUserName(state)
            return rc
        elif rc == kerberos.AUTH_GSS_CONTINUE:
            return kerberos.AUTH_GSS_CONTINUE
        else:
            return None
    except kerberos.GSSError as error:
        LOGGER.error('Failed to perform the token verification due to %s', error)
        return None
    finally:
        # Always release the GSSAPI context
        if state:
            kerberos.authGSSServerClean(state)

But the code fails at rc = kerberos.authGSSServerStep(state, token) (marked in the code) with this error:
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Request ticket server HTTP/<site_address>@<realm_name> kvno 4 found in keytab but not with enctype rc4-hmac', 100005))
This error was also printed to the screen:
[3302] 1547638447.877515: Failed to decrypt AP-REQ ticket: -1765328340/Request ticket server HTTP/base.testing.gc@TESTING.GC kvno 4 found in keytab but not with enctype rc4-hmac
My question is: why do I receive this message? My user that is configured in Active Directory has the "This account supports Kerberos AES 256 bit encryption" option enabled, and the keytab file was created with the /crypto AES256-SHA1 enctype.
Why is my server (Docker on an Ubuntu machine, Ubuntu 18.04) trying to decrypt this with the rc4-hmac enctype? How do I fix it?
Edit: Maybe my question should be: who tells me in which enctype I should read the keytab?
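
An added example, not part of the original post: it parses the error message quoted above and compares the enctype of the presented ticket with the keys that `klist -ke` lists for the same principal and kvno. The `klist -ke` output is a constructed sample, and the function names and the alias table are assumptions of this example.

```python
import re

# MIT krb5 message quoted in the question
ERR_RE = re.compile(r"Request ticket server (?P<principal>\S+) kvno (?P<kvno>\d+) "
                    r"found in keytab but not with enctype (?P<enctype>[\w-]+)")
# One entry line of `klist -ke` output: "   4 principal@REALM (enctype)"
KLIST_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)")
# Assumption: names under which RC4 may appear in klist output
ALIASES = {"arcfour-hmac": "rc4-hmac", "arcfour-hmac-md5": "rc4-hmac"}

# Constructed sample of `klist -ke <keytab>` output (not taken from the question)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 HTTP/base.testing.gc@TESTING.GC (aes256-cts-hmac-sha1-96)
"""
# Error text as printed in the question's trace line
SAMPLE_ERROR = ("Failed to decrypt AP-REQ ticket: -1765328340/Request ticket server "
                "HTTP/base.testing.gc@TESTING.GC kvno 4 found in keytab but not "
                "with enctype rc4-hmac")

def norm(name):
    """Normalise an enctype name so aliases compare equal."""
    name = name.replace("DEPRECATED:", "").strip().lower()
    return ALIASES.get(name, name)

def keytab_enctypes(klist_output):
    """Map (principal, kvno) -> set of enctypes present in the keytab."""
    entries = {}
    for line in klist_output.splitlines():
        m = KLIST_RE.match(line)
        if m:
            key = (m["principal"], int(m["kvno"]))
            entries.setdefault(key, set()).add(norm(m["enctype"]))
    return entries

def diagnose(error_text, klist_output):
    """Report whether the keytab holds a key for the ticket's enctype."""
    m = ERR_RE.search(error_text)
    if m is None:
        return None  # a different error, not the enctype mismatch
    key = (m["principal"], int(m["kvno"]))
    have = keytab_enctypes(klist_output).get(key, set())
    wanted = norm(m["enctype"])
    return {"principal": key[0], "kvno": key[1], "ticket_enctype": wanted,
            "keytab_enctypes": sorted(have), "mismatch": wanted not in have}

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_KLIST))
```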