
[Question] HTTP SPNEGO Authentication after kinit #328

Closed
MisterSpicy opened this issue Oct 31, 2019 · 6 comments
Closed


Comments

@MisterSpicy

This is a Question, and not an "issue".

I'm on OSX, and am attempting to write a CLI to operate on a Kerberos enabled Hadoop cluster. I'm able to access the API through curl --negotiate -u : <yadda> after a typical kinit, but I can't seem to figure out how to accomplish the same thing using this library.

It seems that to use the SPNEGO client I need to create a new credential either with a passcode, with a cache, or with a keytab. I'm not totally sure how curl or Firefox/Chrome do it, but they don't seem to require excess permission beyond the first kinit.

If I go through the full NewClientWithPassword flow, ask for a password, and do all that, it seems to work, but I'd rather not take the extra steps to keep asking for a password when already kinit-d.

Thanks!

@MisterSpicy MisterSpicy changed the title HTTP SPNEGO Authentication to Hadoop [Question] HTTP SPNEGO Authentication to Hadoop after kinit Oct 31, 2019
@MisterSpicy MisterSpicy changed the title [Question] HTTP SPNEGO Authentication to Hadoop after kinit [Question] HTTP SPNEGO Authentication after kinit Oct 31, 2019
@MisterSpicy
Author

From https://github.com/jcmturner/gokrb5/blob/master/client/client.go#L31

The comment mentions that setting the realm to empty string pulls the realm from the default config. I do not see anywhere that this actually happens though, and passing empty string throws an error instead.

@mappu

mappu commented Nov 8, 2019

The password (or its equivalent-ish, the keytab) has a long expiry and is private knowledge.

But the OS has already prompted for them. At OS login, the OS then gets a TGT. The TGT has a short expiry but the OS will usually periodically refresh it throughout the logon session. You can use the TGT from the OS to avoid prompting for the password/keytab.

You can read the TGT on Linux, macOS, and MIT-Kerberos-for-Windows by using the credentials.LoadCCache and client.NewClientFromCCache functions. The CCache path is normally in the KRB5CCNAME environment variable or in some hardcoded per-OS locations.

Native Windows doesn't use the ccache file format, but you can still make use of the TGT via calling the native SSPI library. The https://github.com/dpotapov/go-spnego package wraps gokrb5 to provide "passwordless" SPNEGO using this.

@MisterSpicy
Author

Thanks for the response!

I had considered trying to load the CCache that exists natively on OSX, but by default it uses KCM/API and not a FILE cache, and thus does not have a path I am aware of that I can pass to credentials.LoadCCache. OSX also does not set KRB5CCNAME by default. I could possibly set it, but if I'm going to work around defaults, I may just use the keytab method.

I believe that OSX keeps the key in its own Ticket Viewer from within the Keychain. Documentation is sparse, but it is obviously possible since applications like Chrome and Firefox are able to access it.

@jcmturner
Owner

@mappu thanks for responding to this. You are right, the credentials cache can be one option.
@MisterSpicy there is currently no integration with KCM/API. I am not very familiar with these. Do you have any documentation that could support developing against that?

@MisterSpicy
Author

Documentation appears to be pretty sparse - I've resorted to digging into the implementations in libcurl to try and understand how Heimdal (OSX's version of krb5) handles it. If I come across an answer, I'll post it or file a PR. Thanks for the response!

@jcmturner
Owner

@MisterSpicy I'll close this issue. If you find out more information, please reopen. Thanks.
