
kerberos-sspi's Introduction

kerberos-sspi

This Python package is API-level equivalent to the kerberos Python package, but instead of using the MIT krb5 package it uses the Windows SSPI functionality. That allows a server and/or client that uses the kerberos package to run under Windows by loading kerberos-sspi instead of the kerberos package.

(If you use Python with Cygwin, you probably just use the original kerberos package with a compiled MIT Kerberos package.)

How to use it

Here is an example:

try:
    import kerberos as k
except ImportError:
    # no MIT-based kerberos package available: use the SSPI-backed one
    import kerberos_sspi as k

# request confidentiality, integrity, mutual authentication and sequencing
flags = k.GSS_C_CONF_FLAG | k.GSS_C_INTEG_FLAG | k.GSS_C_MUTUAL_FLAG | k.GSS_C_SEQUENCE_FLAG

errc, client = k.authGSSClientInit("test@vm-win7-kraemer", gssflags=flags)

# To run a Kerberos-enabled server under my account, I do as domain admin:
#  setspn -A test/vm-win7-kraemer MYDOMAIN\kraemer
# (might have to wait a few minutes before all DCs in Active Directory pick it up)
errs, server = k.authGSSServerInit("test@vm-win7-kraemer")

cres = sres = k.AUTH_GSS_CONTINUE
response = ""
round_no = 0
# pass tokens back and forth until neither side asks for another step
while sres == k.AUTH_GSS_CONTINUE or cres == k.AUTH_GSS_CONTINUE:

    if cres == k.AUTH_GSS_CONTINUE:
        cres = k.authGSSClientStep(client, response)
        if cres == -1:
            print("clientstep error")
            break
        response = k.authGSSClientResponse(client)
    if sres == k.AUTH_GSS_CONTINUE:
        sres = k.authGSSServerStep(server, response)
        if sres == -1:
            print("serverstep error")
            break
        response = k.authGSSServerResponse(server)

    print("round:", round_no)
    print("server status :", sres)
    print("client status :", cres)
    round_no += 1

if sres == k.AUTH_GSS_COMPLETE and cres == k.AUTH_GSS_COMPLETE:
    print("client: my username:", k.authGSSClientUserName(client))
    print("server: who authenticated to me:", k.authGSSServerUserName(server))
    print("server: my spn:", k.authGSSServerTargetName(server))
else:
    print("failed!")

What's not working

The methods:

  • changePassword
  • getServerPrincipalDetails

are not implemented and throw an exception.

The flags:

  • GSS_C_ANON_FLAG
  • GSS_C_PROT_READY_FLAG
  • GSS_C_TRANS_FLAG

are not supported (and are not defined either, so accessing them will throw an exception as well). Why? I couldn't find corresponding ISC_REQ_* for these flags...

kerberos-sspi's People

Contributors

may-day


kerberos-sspi's Issues

authGSSClientInit() doesn't accept the 'principal' kwarg

pykerberos accepts an optional principal argument to authGSSClientInit(), but kerberos-sspi doesn't:

C:\Users\bmachie\AppData\Local\Continuum\Miniconda3\envs\ml_irissearch\lib\site-packages\puresasl\mechanisms.py in __init__(self, sasl, principal, **props)
    444             _, self.context = kerberos.authGSSClientInit(service=krb_service,
--> 445                                                          principal=self.principal)
    446         except TypeError:

TypeError: authGSSClientInit() got an unexpected keyword argument 'principal'
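
The two API gaps described on this page (the flags listed under "What's not working" and the missing 'principal' keyword in the issue above) can be handled by a thin shim that fails loudly instead of degrading. This is an added example, not code from kerberos-sspi, pykerberos or puresasl; build_flags and client_init are hypothetical helper names, and k is whichever of the two modules was imported.

```python
# Added example: a compatibility shim for code that must run on both
# pykerberos and kerberos-sspi. Helper names are hypothetical.


def build_flags(k, names):
    """OR together the named GSS_C_* flags, refusing any the backend lacks.

    kerberos-sspi does not define GSS_C_ANON_FLAG, GSS_C_PROT_READY_FLAG or
    GSS_C_TRANS_FLAG, so a plain k.GSS_C_ANON_FLAG raises AttributeError.
    Checking up front turns that into one clear error before any token
    has been exchanged.
    """
    missing = [n for n in names if not hasattr(k, n)]
    if missing:
        raise NotImplementedError("backend lacks flags: " + ", ".join(missing))
    value = 0
    for n in names:
        value |= getattr(k, n)
    return value


def client_init(k, service, gssflags, principal=None):
    """Call authGSSClientInit without ever silently dropping 'principal'."""
    if principal is None:
        return k.authGSSClientInit(service, gssflags=gssflags)
    try:
        return k.authGSSClientInit(service, principal=principal,
                                   gssflags=gssflags)
    except TypeError:
        # The backend has no 'principal' keyword. Retrying without it would
        # authenticate with whatever default credentials the backend picks,
        # not the identity the caller asked for, so refuse instead.
        raise NotImplementedError(
            "backend cannot select principal %r" % (principal,))
```
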

Interpreter segfault in authGSSClientUnwrap

Environment (everything that I tried):
Windows 7, Server 2008R2 (both 64 bit)
Python 2.6, 2.7 (both 32 and 64 bit)
pywin32 218 (I also tried 214, the last version listed on pypi)

The VS2008 debugger reports "Unhandled exception at 0x77a8331f in python.exe: 0xC0000005: Access violation reading location 0xffffff05." pointing to a call to HeapFree in msvcr90.dll.

The code I'm trying to use kerberos-sspi with is here:
https://github.com/mongodb/mongo-python-driver/blob/master/pymongo/auth.py#L66-L141

I don't know enough about Microsoft's SSPI API to tell if the problem is in kerberos-sspi or pywin32 itself. Let me know what I can do to help debug this since I already have a test environment set up.

% missing

Hi, it seems that a % is missing here:

service = "%s@%s" (service, (realm or defaultrealm).upper())
->
service = "%s@%s" % (service, (realm or defaultrealm).upper())

Mismatch between kerberos-sspi and pykerberos module for authGSSServerUserName

Having a Linux / Windows cross platform app which uses kerberos-sspi for the Windows side and pykerberos for the Linux side, I see a major difference when authenticating against an AD Server.

On Windows, krb5.authGSSServerUserName() returns a value like:

NTSERVER\msc

on Linux it is:

msc@NTSERVER

This obviously is a problem when using kerberos-sspi as a drop-in replacement for pykerberos on Windows. In both cases it is 'NT Domain Name' + 'sAMAccountName', but combined in different ways. As one usually is after this name to know who the user really is, this is unfortunate, as it forces special handling for windows/linux again.

So depending on how you define the claimed 'API level equivalent' API, this is either a bug or a surprising feature.
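
A server that makes access decisions on the value of authGSSServerUserName() can canonicalise both formats shown in this issue before comparing, and reject anything that fits neither. This is an added example, not code from kerberos-sspi or pykerberos; the helper names and character sets are assumptions, and it assumes, as in the issue, that both platforms report the same domain label.

```python
# Added example: canonicalise the authenticated name before authorisation.
import re

# Assumed character sets; tighten them to match your directory's naming policy.
_DOMAIN = r"[A-Za-z0-9][A-Za-z0-9.-]*"
_USER = r"[^\\@/\s\x00-\x1f]+"
_DOWN_LEVEL = re.compile(r"(%s)\\(%s)" % (_DOMAIN, _USER))  # NTSERVER\msc
_AT_FORM = re.compile(r"(%s)@(%s)" % (_USER, _DOMAIN))      # msc@NTSERVER


class AmbiguousPrincipal(ValueError):
    """The name fits neither format; treat it as an authentication failure."""


def canonical_principal(name):
    """Return (DOMAIN, user) for either format, or raise AmbiguousPrincipal."""
    m = _DOWN_LEVEL.fullmatch(name)
    if m:
        domain, user = m.group(1), m.group(2)
    else:
        m = _AT_FORM.fullmatch(name)
        if not m:
            # e.g. "NTSERVER\\msc@OTHER": never guess which part is the user
            raise AmbiguousPrincipal(repr(name))
        user, domain = m.group(1), m.group(2)
    # AD domain and account names compare case-insensitively.
    return domain.upper(), user.lower()


def is_allowed(name, allow_list):
    """Check a returned name against a set of (DOMAIN, user) pairs."""
    try:
        return canonical_principal(name) in allow_list
    except AmbiguousPrincipal:
        return False  # fail closed on anything unexpected
```
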

Replace the requirement pywin32

Pywin32 is not available through pip, and it is only installable through an .exe file. Meanwhile, there is a wheel package, created originally for Twisted, called pypiwin32. Can you please replace the requirement pywin32 with pypiwin32, so the whole process can be automated?

pypiwin32 seems to be working fine with my Kerberos setup under Windows.
Cheers,
