-
Notifications
You must be signed in to change notification settings - Fork 11
Decrypting_Error: Service key not available #1
Comments
Hi, What keys are exactly in the keytab? In particular including encryption type and kvno? We've seen gokrb5 being a bit picky around keytabs. Does that match up with the kvno/etype in the error message? |
Hi, the original keytab I was testing the plugin with contained about 6 instances of exactly the same key (the one for the principal I was using in the Should the |
I think the |
I've tried this as well (using an user account after Moreover, I think that the config should contain the service account pertaining to the keytab (as that's what the gokrb5 code checks if I understand it correctly); I wouldn't probably want to replace the service account in the plugin config each time another user wants to authenticate... |
It should be the service account that was used to generate the server keytab. So let's debug this. Stack trace is roughly:
|
Or rather, I'd try and build a minimal gokrb5 example that reads your keytab and prints out all the keys it has. |
Hello, thanks for the advice regarding re-compiling the gokrb5 module for debug output; it ultimately led me to the solution. The issue was that when using a principal of the I'll try to send a patch to also support this use case; many thanks for help with debugging this, @ah-! |
Did you get it to work? It sounds like this is something we should fix then, by similarly splitting the string in Do you want to send a PR? |
Yes, I managed to make it work (and actually retrieve a token from Vault using Kerberos, which is great). I manually generated a keytab with no service prefix in principal (i.e. only |
I am actually having this same problem. So what's the working approach pending when there is a fix @kristian-lesko ?
|
Understood @kristian-lesko . One thing though it seems you managed to get it working with the current setup based:
Just wondering if you could shed more light on the keytab creation step and how you then authenticate with python. Thanks. |
Hello, I'm using FreeIPA for access management, which includes keytab creation (using the ipa-getkeytab command). FreeIPA, however, only grants certificates with in the format With the patch linked above, the authentication works; without the patch, you can manually create a keytab with just the |
I'll have a look at how to integrate the fix best later. Until then what @kristian-lesko says is best, try it with a keytab with just one part. Although according to your log it's already just |
Thanks both. What I am struggling with is not knowing what's going on. I create keytab with:
Then on another node I log on as the service account and run the python code below:
python testing;
|
Does your If not, could you please double-check that your kvno and etype in the error message match with what's actually in the keytab? |
@kristian-lesko @ah- I got this to work in the end. Thanks both for your help. In all honestly I am not 100% sure of all the steps that made it to work but I will share them here.
|
Oh great, thanks for reporting back! So this seems like it was caused by different encryption schemes. I'm not quite sure how it picks the encryption method, maybe that's a server side setting, or you can control it during the gss steps? |
You might be able to control it via the gss steps, and yes it is a server side thing too. Googling showed we needed to enable aes256 in AD. The steps to doing this wasn't clear so stick what worked for now. |
This should all be fixed now so closing, feel free to open a new ticket if you find anything else. |
Hello,
I am having trouble configuring this plugin. I filled out the
auth/kerberos/config
path with the base64-encoded keytab file content and theservice_account
entry (in the formatHTTP/full.hostname@REALM.COM
). The plugin seems to be properly mounted, but when trying to authenticate against this backend (using both the example Python script from README and a customcurl
command call yields the same result), I receive the following error from the API:However, when I
klist -kt
the keytab used, the principal that I put into theservice_account
config entry is there.Has anybody seen such an issue, or do you have any idea how to resolve this? Thanks a lot.
The text was updated successfully, but these errors were encountered: