pythongssapi / python-gssapi

A Python interface to RFC 2743/2744 (plus common extensions)
ISC License

AWS EC2 Kerberos incorrect real_name for krbtgt #336

Closed sangetang closed 9 months ago

sangetang commented 10 months ago

What went wrong?

image

```
Traceback (most recent call last):
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/requests_kerberos/kerberos.py", line 227, in generate_request_header
    gss_response = ctx.step(in_token=negotiate_resp_value)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/spnego/_context.py", line 71, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.SpnegoError: SpnegoError (4294967295): Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638919): Server krbtgt/EC2.INTERNAL@US.COTTICOFFEE.GLOBAL not found in Kerberos database, Context: Processing security token
2023-12-11 06:34:44,812:ERROR:requests_kerberos.kerberos:SpnegoError (4294967295): Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638919): Server krbtgt/EC2.INTERNAL@US.COTTICOFFEE.GLOBAL not found in Kerberos database, Context: Processing security token
Traceback (most recent call last):
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/spnego/_context.py", line 68, in wrapper
    return func(*args, **kwargs)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/spnego/_gss.py", line 431, in step
    out_token = self._context.step(in_token)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/gssapi/_utils.py", line 165, in check_last_err
    return func(self, *args, **kwargs)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/decorator.py", line 232, in fun
    return caller(func, *(extras + args), **kw)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token
    return func(self, *args, **kwargs)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/gssapi/sec_contexts.py", line 584, in step
    return self._initiator_step(token=token)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/gssapi/sec_contexts.py", line 606, in _initiator_step
    res = rsec_contexts.init_sec_context(self._target_name, self._creds,
  File "gssapi/raw/sec_contexts.pyx", line 188, in gssapi.raw.sec_contexts.init_sec_context
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638919): Server krbtgt/EC2.INTERNAL@US.COTTICOFFEE.GLOBAL not found in Kerberos database

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/requests_kerberos/kerberos.py", line 227, in generate_request_header
    gss_response = ctx.step(in_token=negotiate_resp_value)
  File "/home/miniconda3/envs/superset/lib/python3.9/site-packages/spnego/_context.py", line 71, in wrapper
    raise SpnegoError(base_error=native_err, context_msg=context) from native_err
spnego.exceptions.SpnegoError: SpnegoError (4294967295): Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529638919): Server krbtgt/EC2.INTERNAL@US.COTTICOFFEE.GLOBAL not found in Kerberos database, Context: Processing security token
```

How do we reproduce?

AWS EC2 superset add trino database (Remember to use fenced code blocks and consider placing in a gist if large)

Component versions (python-gssapi, Kerberos, OS / distro, etc.)

(Please include MIT/Heimdal/etc. and how you installed python-gssapi)

jborean93 commented 9 months ago

Sorry I missed this issue. This library is a wrapper for the gssapi C library, and any validation of the ticket or server lookup is done at that lower level, which we don't really have control over. The error indicates the server that was used with the SPN was krbtgt/EC2.INTERNAL@US.COTTICOFFEE.GLOBAL, whereas your klist entry has it as US.COTTICOFFEE.GLOBAL@US.COTTICOFFEE.GLOBAL. We don't do any DNS lookups here; anything provided to this library is what is provided to the C gssapi library.

You'll have to investigate what is calling spnego here and the values it provides. You might even have some config values in the GSSAPI library being used, for example MIT krb5 has krb5.config.
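
A small diagnostic for the error discussed in this thread, as an added example that is not code from python-gssapi or from either commenter: it parses the "Server ... not found in Kerberos database" text and flags when the missing principal is a cross-realm TGT (`krbtgt/B@A`), which means the client side placed the target service in realm B. The function names and the sample host name are assumptions made for illustration.

```python
import re

# Constructed sample: the minor-status text quoted in the traceback above.
SAMPLE_ERROR = (
    "Major (851968): Unspecified GSS failure.  Minor code may provide more "
    "information, Minor (2529638919): Server "
    "krbtgt/EC2.INTERNAL@US.COTTICOFFEE.GLOBAL not found in Kerberos database"
)

_NOT_FOUND = re.compile(r"Server (\S+) not found in Kerberos database")


def split_principal(principal):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); escaped separators are not handled."""
    name, sep, realm = principal.rpartition("@")
    if not sep:  # no realm part at all
        name, realm = principal, ""
    return name.split("/"), realm


def diagnose(error_text, target_host=None):
    """Classify a 'Server ... not found' failure; returns None for other errors."""
    match = _NOT_FOUND.search(error_text)
    if match is None:
        return None
    components, kdc_realm = split_principal(match.group(1))
    report = {"principal": match.group(1), "kdc_realm": kdc_realm,
              "kind": "service", "service_realm": kdc_realm,
              "host_matches_realm": None}
    # krbtgt/B@A is the cross-realm TGT that realm A's KDC issues for realm B.
    # Being asked for it means the client placed the target service in realm B.
    if len(components) == 2 and components[0] == "krbtgt" and components[1] != kdc_realm:
        report["kind"] = "cross-realm-tgt"
        report["service_realm"] = components[1]
        if target_host is not None:
            # Does the host's DNS suffix spell the unexpected realm? If so, the
            # host-to-realm mapping of the Kerberos library is the place to look.
            suffix = "." + components[1].lower()
            report["host_matches_realm"] = target_host.lower().rstrip(".").endswith(suffix)
    return report


if __name__ == "__main__":
    # "ip-10-0-0-5.ec2.internal" is a constructed host name, not from the issue.
    print(diagnose(SAMPLE_ERROR, target_host="ip-10-0-0-5.ec2.internal"))
```

When `host_matches_realm` is true, check how the Kerberos library maps host names to realms (in MIT krb5, the `[domain_realm]` section of `krb5.conf`).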

sangetang commented 9 months ago

Email received, thank you! Wishing you a happy life!