
Uncaught exception trying to obtain pre-existing credentials with Keytab Auth

Open bendemott opened this issue 4 years ago • 1 comments

The code near line 156 in context.py attempts to get existing credentials before it creates a temporary credentials cache for keytab auth.

creds = gssapi.creds.Credentials(**creds_opts)

The above line triggers the following error:

File "/usr/local/lib/python3.7/dist-packages/krbcontext-0.10-py3.7.egg/krbcontext/context.py", line 156, in init_with_keytab
  File "/usr/local/lib/python3.7/dist-packages/gssapi-1.6.12-py3.7-linux-x86_64.egg/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/local/lib/python3.7/dist-packages/gssapi-1.6.12-py3.7-linux-x86_64.egg/gssapi/creds.py", line 148, in acquire
    usage)
  File "gssapi/raw/ext_cred_store.pyx", line 186, in gssapi.raw.ext_cred_store.acquire_cred_from
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (39756032): Principal in credential cache does not match desired name

You can recreate this error by simply:

  • kinit user1
  • Use krbContext to authenticate as user2 with user2.keytab, passing principal=user2

This error occurs because gssapi looks into the existing cache with a credential of user and cannot find user2. There just needs to be a try/catch around this line to resolve the issue.

bendemott, May 13 '21 17:05

Hi @bendemott

After rethinking this issue, IMO, this error should be an actual problem you should have to handle. That means krbContext should not overwrite an existing credential which has a valid ticket with a different principal. This could avoid any potential problem due to an accidental change to the credential.

tkdchen, May 30 '21 03:05
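
Added example, not part of the issue thread or of krbcontext's own code: one caller-side way to handle the mismatch described above is to check which principal owns the default cache and, when it differs, pass krbContext a private `ccache_file` so the existing ticket is neither read nor replaced. The klist sample, the EXAMPLE.COM realm, and the helper names `cached_principal`, `keytab_context_kwargs` and `run_as` are assumptions made for illustration.

```python
import os
import re
import tempfile

# Constructed sample: MIT klist output for the default cache after `kinit user1`.
# The EXAMPLE.COM realm and the cache path are assumptions.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user1@EXAMPLE.COM

Valid starting       Expires              Service principal
05/13/2021 17:05:00  05/14/2021 03:05:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def cached_principal(klist_output):
    """Return the default principal named in klist output, or None if no cache."""
    m = re.search(r"^Default principal:\s*(\S+)\s*$", klist_output, re.MULTILINE)
    return m.group(1) if m else None


def keytab_context_kwargs(principal, keytab_file, klist_output, cache_dir):
    """Build krbContext arguments that leave another principal's cache untouched.

    cache_dir (hypothetical parameter) must be writable only by the caller.
    """
    kwargs = {"using_keytab": True, "principal": principal,
              "keytab_file": keytab_file}
    existing = cached_principal(klist_output)
    if existing is not None and existing != principal:
        # The default cache holds a ticket for someone else: give this
        # principal its own cache instead of reading or replacing that one.
        safe = re.sub(r"[^A-Za-z0-9_.-]", "_", principal)
        kwargs["ccache_file"] = os.path.join(cache_dir, "krb5cc_" + safe)
    return kwargs


def run_as(principal, keytab_file, work):
    """Call work() with a ticket for principal (needs krbcontext, klist, a KDC)."""
    import subprocess
    from krbcontext.context import krbContext
    out = subprocess.run(["klist"], capture_output=True, text=True).stdout
    with tempfile.TemporaryDirectory(prefix="krb5cc_") as private_dir:  # mode 0700
        with krbContext(**keytab_context_kwargs(principal, keytab_file,
                                                out, private_dir)):
            return work()
```

The principal comparison is an exact string match, so a name given without its realm is treated as different and gets the private cache, which keeps the shared cache untouched in the ambiguous case.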