On 05/01/2017 04:10 PM, David A. Kovacic wrote:
> The perl programs use Authen::Krb5::Admin and the python program uses
> python-kadmin to try the tests - both of which use the Kerberos
> libraries to implement the "init with keytab" routine to produce an
> admin object with which we can manipulate principals, policies, etc.

python-kadmin does not appear to be able to use a non-default realm. Looking at the source code, PyKAdminObject_new() loads the default realm into the object's realm field (with no means of caller override), and in kadmin.c, the various kadm5_init_with_*() calls all provide an empty params object, not one with a realm set. Authen::Krb5::Admin looks like it might have the ability to use a non-default realm, but I'm not as familiar with Perl so it would take me a while to figure out the details.

> When the realms DON'T match we are getting an error of
>
> {'errno': 43787566L, 'message': 'GSS-API (or Kerberos) error'}

Unfortunately, the error messages for anything going through gssrpc (including kadmin) are terrible when there is an authentication failure; we haven't worked out a way to surface the actual error through that library.
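
Added example, not part of the original message and not code from python-kadmin or MIT krb5: a small decoder for com_err-style error codes such as the errno quoted above, showing which error table a code belongs to and its index within that table. The function names and the second sample value are assumptions made for illustration.

```python
# Decode a com_err error code into (table name, index within table).
# Layout as used by com_err's error_table_name(): the low 8 bits are the
# index, the upper bits pack the table name as 6-bit characters.

CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
ERRCODE_RANGE = 8    # bits reserved for the per-table index
BITS_PER_CHAR = 6    # bits per packed table-name character


def decode_com_err(code):
    """Return (table_name, index) for a com_err code.

    Codes are 32-bit C longs, so negative values (common for krb5
    library errors) are folded to their unsigned form first.
    """
    unsigned = code & 0xFFFFFFFF
    index = unsigned & ((1 << ERRCODE_RANGE) - 1)
    num = (unsigned >> ERRCODE_RANGE) & 0o77777777
    name = []
    for i in range(4, -1, -1):
        ch = (num >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if ch:                      # zero means "no character here"
            name.append(CHARSET[ch - 1])
    return "".join(name), index


def describe(err):
    """Format a python-kadmin style error dict with its decoded origin."""
    table, index = decode_com_err(err["errno"])
    return "table=%s index=%d message=%r" % (table, index, err["message"])


if __name__ == "__main__":
    # The error dict from the message above (Python 2 'L' suffix dropped).
    reported = {"errno": 43787566,
                "message": "GSS-API (or Kerberos) error"}
    print(describe(reported))
    # Constructed second sample: a negative code in the krb5 table range.
    print(decode_com_err(-1765328378))
```

The table name `ovk` is the kadm5 error table in MIT krb5, so the code only says that the kadmin library reported a generic GSS-API failure; the underlying cause is not encoded in it.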