Posted to users@qpid.apache.org by tkdchen <qc...@gmail.com> on 2011/12/23 04:57:54 UTC

Can /etc/krb5.keytab be discovered automatically when using GSSAPI

Hi all,

I'm using python-qpid to integrate a message bus with a Django site. The
site must connect to a QPID broker in a Kerberos environment, so I pass
sasl_mechanisms='GSSAPI' to Connection to construct an instance.
As the subject says, I want to know whether, when the script runs on the
server, /etc/krb5.keytab can be discovered automatically, or whether there is
something else that needs to be done via extra Python code.

Merry Christmas!
Thanks!
Chenxiong Qi

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:users-subscribe@qpid.apache.org


Re: Can /etc/krb5.keytab be discovered automatically when using GSSAPI

Posted by tkdchen <qc...@gmail.com>.
On January 3, 2012 at 10:52 PM, Gordon Sim <gs...@redhat.com> wrote:
> On 01/03/2012 02:32 PM, tkdchen wrote:
>> according to my understanding of the Kerberos V5 documentation on
>> the keytab file, the default krb5.keytab exists for service and host
>> server, and it should have been discovered by GSSAPI or another API in
>> my opinion, but it seems that it doesn't work the way I thought.
>
> By default it is only readable by root; might that be the issue?
>

I see. :) Thank you very much.



Re: Can /etc/krb5.keytab be discovered automatically when using GSSAPI

Posted by Gordon Sim <gs...@redhat.com>.
On 01/03/2012 02:32 PM, tkdchen wrote:
> according to my understanding of the Kerberos V5 documentation on
> the keytab file, the default krb5.keytab exists for service and host
> server, and it should have been discovered by GSSAPI or another API in
> my opinion, but it seems that it doesn't work the way I thought.

By default it is only readable by root; might that be the issue?



Re: Can /etc/krb5.keytab be discovered automatically when using GSSAPI

Posted by tkdchen <qc...@gmail.com>.
On January 3, 2012 at 7:41 PM, Gordon Sim <gs...@redhat.com> wrote:
> On 12/23/2011 03:57 AM, tkdchen wrote:
>>
>> Hi all,
>>
>> I'm using python-qpid to integrate a message bus with a Django site. The
>> site must connect to a QPID broker in a Kerberos environment, so I pass
>> sasl_mechanisms='GSSAPI' to Connection to construct an instance.
>> As the subject says, I want to know whether, when the script runs on the
>> server, /etc/krb5.keytab can be discovered automatically, or whether there is
>> something else that needs to be done via extra Python code.
>
>
> I believe you will still have to kinit to obtain a ticket. You can specify
> the key tab to use with the -t option to kinit.
>

Yes. This is my solution now. I have to run kinit regularly to put a ticket
into the credential cache /tmp/krb5cc_[uid], and I decided to do
this task in crontab. Thanks!
BTW: according to my understanding of the Kerberos V5 documentation on
the keytab file, the default krb5.keytab exists for service and host
server, and it should have been discovered by GSSAPI or another API in
my opinion, but it seems that it doesn't work the way I thought. :)



Re: Can /etc/krb5.keytab be discovered automatically when using GSSAPI

Posted by Gordon Sim <gs...@redhat.com>.
On 12/23/2011 03:57 AM, tkdchen wrote:
> Hi all,
>
> I'm using python-qpid to integrate a message bus with a Django site. The
> site must connect to a QPID broker in a Kerberos environment, so I pass
> sasl_mechanisms='GSSAPI' to Connection to construct an instance.
> As the subject says, I want to know whether, when the script runs on the
> server, /etc/krb5.keytab can be discovered automatically, or whether there is
> something else that needs to be done via extra Python code.

I believe you will still have to kinit to obtain a ticket. You can 
specify the key tab to use with the -t option to kinit.

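
The approach discussed in this thread (a keytab the service account can actually read, plus a periodic kinit from cron) as an added example; it is not code from the thread or from the Qpid project. The keytab path and principal passed on the command line are placeholders, the cache path follows the /tmp/krb5cc_[uid] form mentioned above, and the readability check looks only at owner and other bits, ignoring group membership.

```python
import os
import stat
import subprocess
import sys


def keytab_problems(path, uid):
    """Return reasons why `uid` cannot or should not use the keytab at `path`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    # Readability from owner/other bits only; group membership is ignored here.
    if uid == 0:
        readable = True
    elif st.st_uid == uid:
        readable = bool(st.st_mode & stat.S_IRUSR)
    else:
        readable = bool(st.st_mode & stat.S_IROTH)
    if not readable:
        problems.append("not readable by uid %d" % uid)
    # A keytab holds long-term keys: give the service account its own keytab
    # instead of loosening the mode on a root-only one.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group/other permission bits set")
    return problems


def kinit_argv(keytab, principal, uid):
    """kinit -k (use keytab) -t <keytab> -c <cache> <principal>."""
    ccache = "/tmp/krb5cc_%d" % uid  # cache path form mentioned in the thread
    return ["kinit", "-k", "-t", keytab, "-c", ccache, principal]


def refresh_ticket(keytab, principal):
    """Validate the keytab, then obtain a fresh ticket; suitable for cron."""
    uid = os.geteuid()
    problems = keytab_problems(keytab, uid)
    if problems:
        raise RuntimeError("%s: %s" % (keytab, "; ".join(problems)))
    subprocess.run(kinit_argv(keytab, principal, uid), check=True)


if __name__ == "__main__":
    # Placeholder usage: refresh.py /path/to/service.keytab svc/host@EXAMPLE.COM
    refresh_ticket(sys.argv[1], sys.argv[2])
```

Run it from the service account's crontab at an interval shorter than the ticket lifetime, so the GSSAPI connection always finds a valid ticket in the cache.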