Closed neirbowj closed 6 years ago
That klist output looks like it's from MIT krb5. Did you call kinit to get the TGT? If so, WinKerberos uses Microsoft's SSPI, which does not use krb5. If you need to specify credentials for a specific user, you do so using the principal parameter to authGSSClientInit. Call help(winkerberos) in the python interactive shell for full details.
I obtained the krbtgt via the MIT Kerberos UI (kinit equivalent?). My goal is to a) not have to specify the client principal, but to allow the library to select the best available, and b) to work with an SPN and CPN neither of which are part of a Windows AD. Is there a way to do that with WinKerberos, with or without MIT krb5? An SSPI equivalent of kinit?
If it isn't abundantly clear, I am a relative Windows n00b, so I appreciate any hand-holding you are willing to do.
As I said, WinKerberos is built on top of Microsoft's Security Support Provider Interface (SSPI), not MIT krb5. SSPI doesn't support a credentials cache like krb5, and doesn't have any equivalent to krb5's kinit program. To use a different principal than the Windows logon user you have to pass the credentials using the principal argument.
Note that, though WinKerberos is written using SSPI, it fully supports authenticating to a krb5 KDC and authenticating to a service that uses krb5. It also supports almost all of the client side features of PyKerberos. How multiple user credentials are handled is one major structural difference between SSPI and krb5 that I can't hide or workaround.
Understood. Thank you for taking the time to elaborate.
Can I connect to a 3rd-party KDC using winkerberos? Since it's not relying on MIT Kerberos I cannot use krb5.conf to specify the location of the KDC. How can I do it?
Yes. I test WinKerberos against a krb5 kdc, not active directory. For my test environment I configure the KDC by editing the registry. You have to add a new entry under HKLM\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains\<your domain> with a Multi-String Value called "KdcNames" containing the hostname of the KDC.
There may be some way to do this without directly editing the registry, but I'm not enough of an expert on Windows domain management to know how to do it.
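The registry change described in the answer above, written out as a PowerShell script. This is an added example, not code from the thread or from the WinKerberos project; the realm name and KDC hostname are constructed placeholders, and the key path is the one the answer gives (ControlSet001, which on a live system is normally reached through the CurrentControlSet alias). It creates the per-realm key if needed, writes KdcNames as a REG_MULTI_SZ, and reads the value back so you can confirm what SSPI will see.

```powershell
# Added example (not from the thread): point SSPI at a non-AD KDC for a realm
# by populating the registry location named in the answer above.
# Both values below are constructed placeholders; replace them with your own.
$Realm   = 'EXAMPLE.ORG'          # assumption: your Kerberos realm, in uppercase
$KdcHost = 'kdc.example.org'      # assumption: the hostname of your KDC

$KeyPath = "HKLM:\SYSTEM\ControlSet001\Control\Lsa\Kerberos\Domains\$Realm"

# Create the per-realm key if it does not exist yet.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# KdcNames is a Multi-String (REG_MULTI_SZ) value; list one KDC per entry.
# -Force overwrites an existing value rather than failing.
New-ItemProperty -Path $KeyPath -Name 'KdcNames' -PropertyType MultiString `
    -Value @($KdcHost) -Force | Out-Null

# Read the value back to verify the entry SSPI will use for this realm.
(Get-ItemProperty -Path $KeyPath -Name 'KdcNames').KdcNames
```

Run this from an elevated (Administrator) PowerShell, since the key lives under HKLM. The built-in `ksetup` tool (`ksetup /addkdc <Realm> <KdcHost>`) writes the same KdcNames entry, so it is the supported alternative to editing the registry by hand; either way, restrict who can modify this key, because whoever controls it decides which host the machine trusts as the KDC for that realm.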
authGSSClientStep raises a GSSError exception with this message: "SSPI: InitializeSecurityContext: No credentials are available in the security package" despite my having a krbtgt in the credential cache as shown in this lightly anonymized terminal snippet. My environment is Windows 10 Pro 10.0.16299, with Python 3.6.6 (32-bit; also reproducible on 2.7.15), MIT Kerberos for Windows 4.1 (32-bit), and winkerberos 0.7.0.