Hi Team,

I have installed:

i) the FreeIPA server, which internally has the Kerberos server, on Machine 1, and
ii) the FreeIPA client, which internally has the Kerberos client, on Machine 2.

I configured it using the link https://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/ and it is successfully configured.

When I try to test this using the Python code at http://python-notes.curiousefficiency.org/en/latest/python_kerberos.html#wrapping-this-up-in-a-helper-class

While verifying, in the first negotiation, I get the following ticket in the header with a 401 Unauthorized error:

Negotiate

Then, in the second negotiation, I get the following token in the header:

{'Content-Length': '381', 'Keep-Alive': 'timeout=15, max=99', 'Server': 'Apache/2.4.6 (CentOS)', 'Connection': 'Keep-Alive', 'Date': 'Thu, 03 Jan 2019 18:43:26 GMT', 'Content-Type': 'text/html; charset=iso-8859-1', 'WWW-Authenticate': 'Negotiate YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMxODQzMjZapQUCAwVXdKYDAgEhqRAbDk1TWVNJUEFRQ1MuQ09NqiswKaADAgEBoSIwIBsESFRUUBsYb3BlbnN0YWNrLm1zeXNpcGFxY3MuY29t'}

Then it *passes* the following code:

1) kerberos.authGSSClientInit

As a response for this authGSSClientInit in the header, I receive the following ticket,

It *fails* in the following part of the code:

2) kerberos.authGSSClientStep(krb_context, auth_details)

with the error as follows:

generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
    _negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
Finale Error ....................................
(('Invalid token was supplied', 589824), ('Success', 100001))
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 148, in generate_request_header
    _negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
handle_401(): returning <Response [401]>
handle_response(): returning <Response [401]>
handle_response() has seen 1 401 responses
handle_response(): returning 401 <Response [401]>
Request returned failure status: 401
Unauthorized (HTTP 401)
clean_up IssueToken: Unauthorized (HTTP 401)
END return value: 1

*But I didn't understand this error. What is the reason for this error? How to rectify this error?*

*FYI*,

[root@openstack ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: rdoad...@xxxxxxxx.com

Valid starting       Expires              Service principal
2019-01-04T08:12:17  2019-01-05T08:02:16  HTTP/ openstack.xxxxxxxx....@xxxxxxxx.com
2019-01-04T08:02:18  2019-01-05T08:02:16  krbtgt/xxxxxxxx....@xxxxxxxx.com

Thanks,
Any help is appreciated.

Hari
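Added example, not part of the original post: the WWW-Authenticate value quoted in the second negotiation is a GSS-API token wrapping a Kerberos KRB-ERROR message, and decoding it shows the error code the server returned, which is not visible in the client-side GSSError. This is a Python 3 sketch; the function and variable names are illustrative, and the token is the one quoted in the post.

```python
import base64

# Token copied verbatim from the WWW-Authenticate header quoted in the post.
TOKEN_B64 = (
    "YHkGCSqGSIb3EgECAgMAfmowaKADAgEFoQMCAR6kERgPMjAxOTAxMDMx"
    "ODQzMjZapQUCAwVXdKYDAgEhqRAbDk1TWVNJUEFRQ1MuQ09NqiswKaAD"
    "AgEBoSIwIBsESFRUUBsYb3BlbnN0YWNrLm1zeXNpcGFxY3MuY29t"
)
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
# A few AP-exchange error codes defined in RFC 4120.
ERROR_NAMES = {32: "KRB_AP_ERR_TKT_EXPIRED", 33: "KRB_AP_ERR_TKT_NYV",
               37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_negotiate_error(b64_token):
    """Decode a GSS-wrapped KRB-ERROR and return its main fields."""
    tag, body, _ = read_tlv(base64.b64decode(b64_token), 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KRB5_OID:
        raise ValueError("mechanism is not Kerberos 5")
    if body[pos:pos + 2] != b"\x03\x00":  # TOK_ID for KRB_ERROR (RFC 1964)
        raise ValueError("inner token is not a KRB-ERROR")
    tag, app, _ = read_tlv(body, pos + 2)  # [APPLICATION 30] KRB-ERROR
    if tag != 0x7E:
        raise ValueError("unexpected ASN.1 application tag")
    seq, fields, pos = read_tlv(app, 0)[1], {}, 0
    while pos < len(seq):  # each field is [n] EXPLICIT <type>
        tag, val, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = read_tlv(val, 0)[1]
    code = int.from_bytes(fields[6], "big")
    return {"msg_type": int.from_bytes(fields[1], "big"),
            "server_time": fields[4].decode("ascii"),
            "error_code": code,
            "error_name": ERROR_NAMES.get(code, "see RFC 4120"),
            "realm": fields[9].decode("ascii")}
```

For the token in the post, `parse_negotiate_error(TOKEN_B64)` reports error code 33 (KRB_AP_ERR_TKT_NYV, "ticket not yet valid") with a server time of 20190103184326Z, which can be compared against the "Valid starting" times in the klist output.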