requests-gssapi
requests-gssapi copied to clipboard
pythongssapi
Wrong realm name used in multi realm environments.
What went wrong?
I have an multiple realm environment with the realms:
- BAR.NET
- FOO.BAR.NET
Using BAR.NET will working as expected, but using FOO.BAR.NET will result in an realm mix. Instant of krbtgt/[email protected], krbtgt/[email protected] is requested for the TGT
How do we reproduce?
sample code:
import gssapi
import requests
from requests_gssapi import HTTPSPNEGOAuth
name = gssapi.Name("[email protected]", gssapi.NameType.user)
creds = gssapi.Credentials(name=name, usage="initiate")
gssapi_auth = HTTPSPNEGOAuth(creds=creds)
r = requests.get("https://<URL>", auth=gssapi_auth)
Client component versions (requests-gssapi, Kerberos, OS / distro, etc.)
OS: Fedora-39 requests-gssapi: python3-requests-gssapi-1.2.3-9.fc39.noarch
Realm config:
[realms]
FOO.BAR.NET = {
kdc = kdc-foo.bar.net
admin_server = kdc-foo.bar.net
}
KRB5_TRACE:
[128572] 1721036833.397733: Matching [email protected] in collection with result: 0/Success [128572] 1721036833.397734: Matching [email protected] in collection with result: 0/Success [128572] 1721036833.397735: Getting credentials [email protected] -> HTTP/<URL>@ using ccache KCM:1000 [128572] 1721036833.397736: Retrieving [email protected] -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397737: Retrieving [email protected] -> HTTP/<URL>@ from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397738: Retrying [email protected] -> HTTP/<URL>@FOO.BAR.NET with result: -1765328243/Matching credential not found [128572] 1721036833.397739: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397740: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: 0/Success [128572] 1721036833.397741: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected] [128572] 1721036833.397742: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397743: Requesting TGT krbtgt/[email protected] using TGT krbtgt/[email protected] [128572] 1721036833.397744: Generated subkey for TGS request: aes256-cts/0842 [128572] 1721036833.397745: etypes requested in TGS request: aes256-sha2, aes128-sha2, aes256-cts, aes128-cts, camellia256-cts, camellia128-cts [128572] 1721036833.397747: Encoding request body and padata into FAST request [128572] 1721036833.397748: Sending request (1076 bytes) to FOO.BAR.NET [128572] 1721036833.397749: Resolving hostname
[128572] 1721036833.397750: Initiating TCP connection to stream <KDC>:88 [128572] 1721036833.397751: Sending TCP request to stream <KDC>:88 [128572] 1721036833.397752: Received answer (454 bytes) from stream <KDC>:88 [128572] 1721036833.397753: Terminating TCP connection to stream <KDC>:88 [128572] 1721036833.397754: Sending DNS URI query for _kerberos.FOO.BAR.NET. [128572] 1721036833.397755: No URI records found [128572] 1721036833.397756: Sending DNS SRV query for _kerberos-master._udp.FOO.BAR.NET. [128572] 1721036833.397757: Sending DNS SRV query for _kerberos-master._tcp.FOO.BAR.NET. [128572] 1721036833.397758: No SRV records found [128572] 1721036833.397759: Response was not from primary KDC [128572] 1721036833.397760: Decoding FAST response [128572] 1721036833.397761: TGS request result: -1765328377/Server krbtgt/[email protected] not found in Kerberos database [128572] 1721036833.397762: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397763: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: 0/Success [128572] 1721036833.397764: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected] [128572] 1721036833.397765: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397766: Requesting TGT krbtgt/[email protected] using TGT krbtgt/[email protected] [128572] 1721036833.397767: Generated subkey for TGS request: aes256-cts/A633 [128572] 1721036833.397768: etypes requested in TGS request: aes256-sha2, aes128-sha2, aes256-cts, aes128-cts, camellia256-cts, camellia128-cts [128572] 1721036833.397770: Encoding request body and padata into FAST request [128572] 1721036833.397771: Sending request (1076 bytes) to FOO.BAR.NET [128572] 1721036833.397772: Resolving hostname <KDC> [128572] 1721036833.397773: Initiating TCP connection to stream <KDC>:88 [128572] 1721036833.397774: Sending TCP request to stream <KDC>:88 [128572] 1721036833.397775: Received answer (454 bytes) from stream <KDC>:88 [128572] 1721036833.397776: Terminating TCP connection to stream <KDC>:88 [128572] 1721036833.397777: Sending DNS URI query for _kerberos.FOO.BAR.NET. [128572] 1721036833.397778: No URI records found [128572] 1721036833.397779: Sending DNS SRV query for _kerberos-master._udp.FOO.BAR.NET. [128572] 1721036833.397780: Sending DNS SRV query for _kerberos-master._tcp.FOO.BAR.NET. [128572] 1721036833.397781: No SRV records found [128572] 1721036833.397782: Response was not from primary KDC [128572] 1721036833.397783: Decoding FAST response [128572] 1721036833.397784: TGS request result: -1765328377/Server krbtgt/[email protected] not found in Kerberos database [128572] 1721036833.397785: Getting credentials [email protected] -> HTTP/<URL>@ using ccache KCM:1000 [128572] 1721036833.397786: Retrieving [email protected] -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397787: Retrieving [email protected] -> HTTP/<URL>@ from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397788: Retrying [email protected] -> HTTP/<URL>@FOO.BAR.NET with result: -1765328243/Matching credential not found [128572] 1721036833.397789: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397790: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: 0/Success [128572] 1721036833.397791: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected] [128572] 1721036833.397792: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397793: Requesting TGT krbtgt/[email protected] using TGT krbtgt/[email protected] [128572] 1721036833.397794: Generated subkey for TGS request: aes256-cts/1174 [128572] 1721036833.397795: etypes requested in TGS request: aes256-sha2, aes128-sha2, aes256-cts, aes128-cts, camellia256-cts, camellia128-cts [128572] 1721036833.397797: Encoding request body and padata into FAST request [128572] 1721036833.397798: Sending request (1076 bytes) to FOO.BAR.NET [128572] 1721036833.397799: Resolving hostname <URL> [128572] 1721036833.397800: Initiating TCP connection to stream <KDC>:88 [128572] 1721036833.397801: Sending TCP request to stream <KDC>:88 [128572] 1721036833.397802: Received answer (454 bytes) from stream <KDC>:88 [128572] 1721036833.397803: Terminating TCP connection to stream <KDC>:88 [128572] 1721036833.397804: Sending DNS URI query for _kerberos.FOO.BAR.NET. [128572] 1721036833.397805: No URI records found [128572] 1721036833.397806: Sending DNS SRV query for _kerberos-master._udp.FOO.BAR.NET. [128572] 1721036833.397807: Sending DNS SRV query for _kerberos-master._tcp.FOO.BAR.NET. [128572] 1721036833.397808: No SRV records found [128572] 1721036833.397809: Response was not from primary KDC [128572] 1721036833.397810: Decoding FAST response [128572] 1721036833.397811: TGS request result: -1765328377/Server krbtgt/[email protected] not found in Kerberos database [128572] 1721036833.397812: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397813: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: 0/Success [128572] 1721036833.397814: Starting with TGT for client realm: [email protected] -> krbtgt/[email protected] [128572] 1721036833.397815: Retrieving [email protected] -> krbtgt/[email protected] from KCM:1000 with result: -1765328243/Matching credential not found [128572] 1721036833.397816: Requesting TGT krbtgt/[email protected] using TGT krbtgt/[email protected] [128572] 1721036833.397817: Generated subkey for TGS request: aes256-cts/7B89 [128572] 1721036833.397818: etypes requested in TGS request: aes256-sha2, aes128-sha2, aes256-cts, aes128-cts, camellia256-cts, camellia128-cts [128572] 1721036833.397820: Encoding request body and padata into FAST request [128572] 1721036833.397821: Sending request (1076 bytes) to FOO.BAR.NET [128572] 1721036833.397822: Resolving hostname <URL> [128572] 1721036833.397823: Initiating TCP connection to stream <KDC>:88 [128572] 1721036833.397824: Sending TCP request to stream <KDC>:88 [128572] 1721036833.397825: Received answer (454 bytes) from stream <KDC>:88 [128572] 1721036833.397826: Terminating TCP connection to stream <KDC>:88 [128572] 1721036833.397827: Sending DNS URI query for _kerberos.FOO.BAR.NET. [128572] 1721036833.397828: No URI records found [128572] 1721036833.397829: Sending DNS SRV query for _kerberos-master._udp.FOO.BAR.NET. [128572] 1721036833.397830: Sending DNS SRV query for _kerberos-master._tcp.FOO.BAR.NET. [128572] 1721036833.397831: No SRV records found [128572] 1721036833.397832: Response was not from primary KDC [128572] 1721036833.397833: Decoding FAST response [128572] 1721036833.397834: TGS request result: -1765328377/Server krbtgt/[email protected] not found in Kerberos database
This library and python-gssapi doesn't have the logic for what TGT is used in an authentication request. What happens is the username "name" and the service "name" is provided to the C library which does all the Kerberos logic. The username "name" is provided through the gssapi.Credentials whereas the service "name" either provided explicitly through the target_name kwarg or built from the hostname of the first response.
https://github.com/pythongssapi/requests-gssapi/blob/93660c3f59c9955dabd0a208981329c2357930cd/src/requests_gssapi/gssapi_.py#L149-L154
Basically the default SPN used will be f"HTTP@{urlparse(response.url).hostname}" and that is what will be provided to GSSAPI. The actual logic for selecting what to use for the TGT is all inside the C library so you can specify a custom SPN through the target_name kwarg but how that SPN is used is up to the C library and how it reads the configuration.
The HTTP request will not been made as you can see in the log. Of course this will be the second step after getting the TGT. But the TGT parts fails.
The default operation for this library is to make the HTTP request and then handle the authentication on the first 401 response from the server.
https://github.com/pythongssapi/requests-gssapi/blob/93660c3f59c9955dabd0a208981329c2357930cd/src/requests_gssapi/gssapi_.py#L198-L209
You can set opportunistic_auth=True as a kwarg to build the auth header before the request but it's also going to just use the hostname of the request as part of the SPN to target. As I said this library doesn't do anything special to build the SPN. It simply takes the hostname from either the request or response and uses http@hostname which is provided to the C library. If that is producing the wrong mapping then your either need to configure the /etc/krb5.conf to map that hostname in some way to the realm it needs.
After debug with wire shark I found the problem. The underlying library was doing the call to can wrong KDC.