[Question] HTTP SPNEGO Authentication after kinit #328
Comments
From https://github.com/jcmturner/gokrb5/blob/master/client/client.go#L31 the comment mentions that setting the realm to an empty string pulls the realm from the default config. I do not see anywhere that this actually happens though, and passing an empty string throws an error instead.
The password (or equivalent-ish, keytab) has a long expiry and is private knowledge. But the OS has already prompted for it. At OS login, the OS then gets a TGT. The TGT has a short expiry but the OS will usually periodically refresh it throughout the logon session. You can use the TGT from the OS to avoid prompting for the password/keytab. You can read the TGT on Linux, macOS, and MIT-Kerberos-for-Windows by using the Native Windows doesn't use the ccache file format, but you can still make use of the TGT via calling the native SSPI library. The https://github.com/dpotapov/go-spnego package wraps gokrb5 to provide "passwordless" SPNEGO using this.
Thanks for the response! I had considered trying to load the CCache that exists natively on OSX, but by default it uses KCM/API and not a FILE cache, and thus does not have a path I am aware of that I can pass to I believe that OSX keeps the key in its own
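As an added example (not code from gokrb5, go-spnego or anyone in this thread): resolving `KRB5CCNAME` to a plain file path before handing it to gokrb5, so that the `API:`/`KCM:` caches macOS uses by default produce a clear message instead of a confusing load failure. The function and its error wording are this example's own; the gokrb5 functions named in the closing comment are the library's.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// ccacheFilePath turns a KRB5CCNAME value (the same string kinit and klist use)
// into a plain file path suitable for gokrb5's credentials.LoadCCache.
// Only FILE caches can be read that way; the API:/KCM: caches that Heimdal on
// macOS uses by default live in a daemon, so there is no file to hand over.
// Function name and error text are this example's own (hypothetical).
func ccacheFilePath(krb5ccname string, uid int) (string, error) {
	name := strings.TrimSpace(krb5ccname)
	if name == "" {
		// Default used by MIT and Heimdal when KRB5CCNAME is unset.
		return fmt.Sprintf("/tmp/krb5cc_%d", uid), nil
	}
	typ, rest, hasType := strings.Cut(name, ":")
	if !hasType {
		return name, nil // bare path, implicitly a FILE cache
	}
	switch strings.ToUpper(typ) {
	case "FILE":
		if rest == "" {
			return "", fmt.Errorf("KRB5CCNAME %q names no file", name)
		}
		return rest, nil
	case "API", "KCM", "KEYRING", "DIR", "MEMORY":
		// Say how to get a file cache instead of failing obscurely later.
		return "", fmt.Errorf("credential cache %q is a %s cache, not a file; "+
			"run kinit with KRB5CCNAME=FILE:/tmp/krb5cc_%d so the TGT is written to a file",
			name, strings.ToUpper(typ), uid)
	}
	return "", fmt.Errorf("unsupported credential cache type %q in %q", typ, name)
}

func main() {
	path, err := ccacheFilePath(os.Getenv("KRB5CCNAME"), os.Getuid())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// From here the path goes to gokrb5: credentials.LoadCCache(path), then
	// client.NewFromCCache(cc, cfg) and spnego.NewClient(cl, nil, "") in place
	// of NewClientWithPassword, so no password prompt is needed after kinit.
	fmt.Println("credential cache file:", path)
}
```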
@mappu thanks for responding to this. You are right, the credentials cache can be one option.
Documentation appears to be pretty sparse - I've resorted to digging into the implementations in libcurl to try and understand how Heimdal (osx's version of krb5) handles it. If I come across an answer, I'll post it or file a PR. Thanks for the response!
@MisterSpicy I'll close this issue. If you find out more information please reopen. Thanks.
This is a Question, and not an "issue".

I'm on OSX, and am attempting to write a CLI to operate on a Kerberos enabled Hadoop cluster. I'm able to access the API through `curl --negotiate -u : <yadda>` after a typical `kinit`, but I can't seem to figure out how to accomplish the same thing using this library. It seems that to use the SPNEGO client I need to create either a new credential with passcode, with cache, or with keytab. I'm not totally sure how curl or Firefox/Chrome do it, but they don't seem to require excess permission beyond the first `kinit`. If I go through the full `NewClientWithPassword` flow, ask for a password, and do all that, it seems to work, but I'd rather not take the extra steps to keep asking for a password when already kinit-d.

Thanks!