krbcontext / python-krbcontext

A Kerberos context manager
https://krbcontext.github.io/
GNU General Public License v3.0

Uncaught exception trying to obtain pre-existing credentials with Keytab Auth #37

Open bendemott opened 3 years ago

bendemott commented 3 years ago

The code near line 156 in context.py attempts to get existing credentials before it creates a temporary credentials cache for keytab auth.

creds = gssapi.creds.Credentials(**creds_opts)

The above line triggers the following error:

  File "/usr/local/lib/python3.7/dist-packages/krbcontext-0.10-py3.7.egg/krbcontext/context.py", line 156, in init_with_keytab
  File "/usr/local/lib/python3.7/dist-packages/gssapi-1.6.12-py3.7-linux-x86_64.egg/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/local/lib/python3.7/dist-packages/gssapi-1.6.12-py3.7-linux-x86_64.egg/gssapi/creds.py", line 148, in acquire
    usage)
  File "gssapi/raw/ext_cred_store.pyx", line 186, in gssapi.raw.ext_cred_store.acquire_cred_from
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756032): Principal in credential cache does not match desired name

You can recreate this error by simply:

This error occurs because gssapi looks into the existing cache, which holds a credential for user, and cannot find user2. There just needs to be a try/catch around this line to resolve the issue.

tkdchen commented 3 years ago

Hi @bendemott

After rethinking this issue, IMO, this error should be an actual problem you have to handle. That means krbContext should not overwrite an existing credential cache that has a valid ticket with a different principal. This could avoid any potential problem caused by accidentally changing the credential.
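The two positions in the thread (catch the GSSError so keytab init can proceed, versus refuse to clobber a cache that already holds a valid ticket for another principal) can both be expressed as one small policy. The following is an added example, not code from krbcontext or python-gssapi; the helper names (`decide`, `probe_ccache`, `prepare_keytab_auth`) are hypothetical, and the probe assumes python-gssapi is installed and imports it lazily, so the decision logic itself runs without it.

```python
"""Added example (not krbcontext's own code): probe an existing Kerberos
credential cache before initialising from a keytab, and refuse to overwrite a
cache that already holds a valid ticket for a *different* principal.

Assumptions (not from the issue): the helper names are hypothetical, and the
gssapi-backed probe only runs when python-gssapi is installed. The decision
logic is pure Python so it can be exercised offline.
"""
from typing import Optional, Tuple

REUSE, INIT, REFUSE = "reuse", "init", "refuse"


def decide(existing_principal: Optional[str], desired_principal: str,
           existing_is_valid: bool) -> str:
    """Policy from the discussion:
    - no cache, or an unreadable/expired one: initialise a fresh cache (INIT)
    - a valid cache for the same principal: reuse it (REUSE)
    - a valid cache for another principal: refuse to overwrite it (REFUSE)
    """
    if existing_principal is None or not existing_is_valid:
        return INIT
    if existing_principal == desired_principal:
        return REUSE
    return REFUSE


def probe_ccache(ccache: str) -> Tuple[Optional[str], bool]:
    """Return (principal, is_valid) for a credential cache, or (None, False)
    when it is missing, unreadable or expired.

    Deliberately acquires *without* a desired name: asking gssapi for a
    specific name against a cache holding another principal is exactly what
    raised "Principal in credential cache does not match desired name" in the
    issue. Any GSSError is caught here instead of propagating out of the
    keytab path.
    """
    import gssapi  # lazy import: only the real probe needs it
    try:
        creds = gssapi.Credentials(usage="initiate", store={"ccache": ccache})
        # .lifetime is the remaining validity in seconds; an expired cache
        # raises an ExpiredCredentialsError (a GSSError) and lands in except.
        return str(creds.name), creds.lifetime > 0
    except gssapi.exceptions.GSSError:
        return None, False


def prepare_keytab_auth(desired_principal: str, ccache: str) -> str:
    """Decide what a keytab-based context should do with `ccache` before it
    touches it. Raises rather than silently replacing someone else's ticket."""
    principal, valid = probe_ccache(ccache)
    action = decide(principal, desired_principal, valid)
    if action == REFUSE:
        raise RuntimeError(
            f"{ccache} holds a valid ticket for {principal}; "
            f"refusing to overwrite it for {desired_principal}"
        )
    return action
```

`prepare_keytab_auth` is the only function that needs a real cache; `decide` is where the policy lives, so the same-principal, different-principal and empty/expired cases can be checked without a KDC.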