#184 Fix service name used for krb.
Closed 2 years ago by ralph. Opened 2 years ago by ralph.
ralph/waiverdb service-name  into  master

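--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -16,7 +16,7 @@
          hostname = gethostname()
-     service_name = gssapi.Name("HTTP@%s" % hostname,
+     service_name = gssapi.Name("HTTP/%s" % hostname,
@@ -41,9 +41,9 @@
          user = str(sc.initiator_name)
          return user, token
      except gssapi.exceptions.GSSError as e:
-         current_app.logger.error(
-             'Unable to authenticate: failed to %s: %s' %
-             (stage, e.gen_message()))
+         current_app.logger.exception(
+             'Unable to authenticate (%s): failed to %s: %s' %
+             (hostname, stage, e.gen_message()))
          raise Forbidden("Authentication failed")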
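Review bot: The new except handler reads `hostname`, which, judging by its indentation in the first hunk, is bound inside the same try block; if any gssapi call that runs before `hostname = gethostname()` raises GSSError (the start of the try is outside the hunk, so this cannot be confirmed here), the handler itself fails with UnboundLocalError and the intended `Forbidden` is never raised. Binding `hostname` before the try, or initialising it to `None` at the top of the function, closes that path. Separately, the message is pre-formatted with `%` before it reaches the logger; the lazy form defers formatting and keeps the values as arguments on the log record: `current_app.logger.exception('Unable to authenticate (%s): failed to %s: %s', hostname, stage, e.gen_message())`. The enclosing function starts and ends outside the hunk.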



no initial comment

FWIW, it doesn't seem to work quite yet. See the traceback in the tls-and-kerberos PR elsewhere, on our openshift templates.

Okay so it seems like GSSAPI names are not the same as Kerberos names. Who knew.


The docs are a bit obtuse about how exactly you can construct just a normal Kerberos principal name. This is what I found:

>>> gssapi.Name('HTTP', gssapi.NameType.hostbased_service).canonicalize(gssapi.MechType.kerberos)
Name(b'HTTP/galangal.usersys.redhat.com@REDHAT.COM', <OID 1.2.840.113554.>)
>>> gssapi.Name('HTTP@waiverdb.asdf', gssapi.NameType.hostbased_service).canonicalize(gssapi.MechType.kerberos)
Name(b'HTTP/waiverdb.asdf@', <OID 1.2.840.113554.>)
>>> gssapi.Name('HTTP/waiverdb.asdf').canonicalize(gssapi.MechType.kerberos)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.6/site-packages/gssapi/names.py", line 231, in canonicalize
    return type(self)(rname.canonicalize_name(self, mech))
  File "gssapi/raw/names.pyx", line 286, in gssapi.raw.names.canonicalize_name
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639136): Configuration file does not specify default realm
>>> gssapi.Name('HTTP/waiverdb.asdf@REDHAT.COM').canonicalize(gssapi.MechType.kerberos)
Name(b'HTTP/waiverdb.asdf@REDHAT.COM', <OID 1.2.840.113554.>)

So, still not sure what the right thing here is...

FYI, @rharwood is having a look. :)

Pull-Request has been closed by ralph

2 years ago