gokrb5's Issues

keytab/keytab.go:55 Index out of range panic

I get a panic in this line if the Principal name has fewer components but leading components match what's in the keytab:

/home/fst/GoApps/src/github.com/jcmturner/gokrb5/keytab/keytab.go:55 +0x59c

This is my local fix:

index 6f9fd66..bab1a97 100644
--- a/keytab/keytab.go
+++ b/keytab/keytab.go
@@ -51,11 +51,15 @@ func (kt *Keytab) GetEncryptionKey(nameString []string, real
        for _, k := range kt.Entries {
                if k.Principal.Realm == realm && int(k.Key.KeyType) == etype && 
                        p := true
-                       for i, n := range k.Principal.Components {
-                               if nameString[i] != n {
-                                       p = false
-                                       break
+                       if len(nameString) == len(k.Principal.Components) {
+                               for i, n := range k.Principal.Components {
+                                       if nameString[i] != n {
+                                               p = false
+                                               break
+                                       }
                                }
+                       } else {
+                               p = false
                        }
                        if p {
                                key = k.Key
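Review bot: the new `if len(nameString) == len(k.Principal.Components)` guard changes the match from "keytab components are a prefix of the requested name" to an exact component-for-component match, which is the correct selection rule for a keytab key and also removes the out-of-range read of `nameString[i]` when the requested name is shorter than the entry. The same fix reads more simply, and drops the `} else { p = false }` arm and one nesting level, as an early `if len(nameString) != len(k.Principal.Components) { continue }` before the `p := true` line. The unchanged context line with the `if k.Principal.Realm == realm && ... &&` condition is cut off in this extract, so the rest of that condition is not reviewable here.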

KDC_ERR_C_PRINCIPAL_UNKNOWN when logging in as a user in a non-default realm

Hi,

I'm receiving the following error if I perform client.Login() for a user with a realm that does not match default_realm in the configuration:

[Root cause: Encoding_Error] Encoding_Error: AS Exchange Error: failed to process the AS_REP: [KRB Error: (6) KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database]

klist

When using the gokrb5 library, how come the ticket and SPN don't show up in klist?

When I do a klist first, I see my credential cache, then I do a curl -u --negotiate u: http://foo.org and I authenticate. Then when I do a klist I see the credential again. However, when I use gokrb5 I don't see it.

Btw, the client library works, just curious why I don't see the certificate.

Locating KDCs by DNS SRV records

Once I figured out #56 my next error is that my test client gets the error client krb5 config does not have any defined KDCs for the default realm. My /etc/krb5.conf simply has the following:

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 default_realm = EXAMPLE.COM
---8<---

[realms]
 EXAMPLE.COM = {
 }

which means the KDCs are located using DNS SRV records, i.e. _kerberos._tcp.example.com (it's a Windows AD environment).

For now I've just done the lookup manually with dig and added them to the configuration file but would you be open to this as an enhancement?
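Added example (not gokrb5 code and not from the issue author) of how such an enhancement could resolve KDCs: the standard library's `net.LookupSRV("kerberos", "tcp", domain)` queries exactly the `_kerberos._tcp.<domain>` name described above. The function names `kdcAddrsFromSRV`, `lookupKDCs` and `realmStanza` are chosen here; the ordering logic is separated from the live DNS call so it can be exercised offline with constructed records, and the output is the `[realms]` entry that is currently being written by hand after running dig.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"sort"
	"strconv"
	"strings"
)

// kdcAddrsFromSRV orders SRV targets the way RFC 2782 clients try them:
// lowest priority first and, within a priority, higher weight first (a
// deterministic stand-in for the weighted random choice the RFC describes).
// Each target becomes "host:port", ready for a kdc = line.
func kdcAddrsFromSRV(records []*net.SRV) []string {
	sorted := make([]*net.SRV, len(records))
	copy(sorted, records)
	sort.SliceStable(sorted, func(i, j int) bool {
		if sorted[i].Priority != sorted[j].Priority {
			return sorted[i].Priority < sorted[j].Priority
		}
		return sorted[i].Weight > sorted[j].Weight
	})
	out := make([]string, 0, len(sorted))
	for _, r := range sorted {
		// SRV targets come back as FQDNs with a trailing dot.
		host := strings.TrimSuffix(r.Target, ".")
		out = append(out, net.JoinHostPort(host, strconv.Itoa(int(r.Port))))
	}
	return out
}

// lookupKDCs performs the live query for _kerberos._tcp.<domain>; it needs DNS.
func lookupKDCs(domain string) ([]string, error) {
	_, records, err := net.LookupSRV("kerberos", "tcp", domain)
	if err != nil {
		return nil, fmt.Errorf("SRV lookup for _kerberos._tcp.%s: %w", domain, err)
	}
	if len(records) == 0 {
		return nil, fmt.Errorf("no _kerberos._tcp.%s SRV records", domain)
	}
	return kdcAddrsFromSRV(records), nil
}

// realmStanza renders a [realms] entry in the krb5.conf layout used above.
func realmStanza(realm string, kdcs []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "[realms]\n %s = {\n", realm)
	for _, k := range kdcs {
		fmt.Fprintf(&b, "  kdc = %s\n", k)
	}
	b.WriteString(" }\n")
	return b.String()
}

func main() {
	domain := "example.com"
	if len(os.Args) > 1 {
		domain = os.Args[1]
	}
	kdcs, err := lookupKDCs(domain)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(realmStanza(strings.ToUpper(domain), kdcs))
}
```

Run it with the AD domain as the only argument; the resolver used is whatever the host's Go runtime uses, so the result matches what dig returns from the same machine.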

"SID revision value read as 4 when it must be 1"

Hey,

I have a SPNEGO flow that worked fine for some user but suddenly I started to get this error:

SID revision value read as 4 when it must be 1

In parallel I tried with another user and it worked fine, but I'm not sure what is causing the SID.revision to be 4 instead of 1 for a specific user (tried purging the klist ticket, etc... nothing works).
Any clue what could have caused this?
Microsoft papers don't say much except that the revision value in the SID should be 0x1, but it is not, and I'm a bit clueless.

Thanks,

Asaf.

SPNEGO with Active Directory (MechType is wrong)

Hey,

First of all, thanks for this library, no more native dependencies in our stack :-)

We could successfully use it with ApacheDS but fail with AD.

First, we created a Keytab using the following command:
ktpass -princ HTTP/[email protected] -mapuser ad_sso_user -crypto AES-128-SHA1 -ptype KRB5_NT_PRINCIPAL -pass passw0rd -out c:\temp\my.ketab

(etype for this AES-128-SHA1 is 0x11)

With AD, the 2nd HTTP roundtrip has the token header but fails on this line

It seems gokrb5 expects 1.2.840.113554.1.2.2 while we receive 1.2.840.48018.1.2.2 from the KDC; this OID seems to be krb5 with the legacy bit.

No idea what is causing AD to use this OID instead of the expected krb5 OID (any clue?)

Trying to comment out this condition we failed on:

Could not get key from kteytab: Matching key not found in keytab. Looking for [HTTP myvm.mydomain.corp] realm: MYDOMAIN.CORP kvno: 3 etype: 23

Not sure why the ticket contains etype: 23 while the keytab was generated with etype: 17.

So we tried to generate a keytab with the RC4-HMAC-NT etype, which is 23; we fail on this line with:

Unknown or unsupported checksum type: 4294967158

It seems we fail on the PAC type check.

It seems that the pac.ServerChecksum.SignatureType value is 4294967158 while pac_type.go and crypto expect checksum types that correspond to etypes.

Any clue how to proceed from here?

Thanks,

Asaf.

is client.Client thread safe?

  conf, err := config.Load("/etc/krb5.conf")
  if err != nil {
    panic(err)
  }
  cc, err := credentials.LoadCCache("/tmp/krb5cc_20115788")
  if err != nil {
    panic(err)
  }
  fmt.Println(cc.GetClientPrincipalName())
  cl, err := client.NewClientFromCCache(cc)
  if err != nil {
    panic(err)
  }
  cl.WithConfig(conf)

Can I pass cl to multiple goroutines? The goroutines will be doing something like

  r, _ := http.NewRequest("GET", "http://kerberized.end.point", nil)
  cl.SetSPNEGOHeader(r, "")
  httpResp, err := http.DefaultClient.Do(r)
  if err != nil {
    panic(err) // httpResp is nil on error; closing its Body would panic
  }
  defer httpResp.Body.Close()

"GetServiceTicket makes a request to get a service ticket for the SPN specified and The ticket will be added to the client's ticket cache", will there be a race condition here? or in any other place.

Can it support TCP requests?

Can the library support TCP requests? I want to use gokrb5 to connect to Kafka. Can you give me a test sample? Thank you very much.

Doc for GetChecksumHash method.

Hi,
I am trying to understand how to calculate the checksum in the authenticator for AP_REQ, and from the current documentation it is not really clear what the parameters of GetChecksumHash (if I understand correctly, this is the method that should be used for calculating the checksum) are:

GetChecksumHash(protocolKey, data []byte, usage uint32) ([]byte, error)

So:

  • it is not clear what the protocolKey parameter is;
  • if I understand correctly, data is the marshaled data from messages.Ticket.EncPart. The ticket is obtained here:
    func (cl *Client) GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error) {
  • what is the usage parameter?

Thank you in advance!

program panics when default_tgs_enctypes has unsupported enctype

Hi,

If I have an unsupported enctype in the first position of my krb5.conf, the program panics:

default_tgs_enctypes = des-cbc-crc rc4-hmac

It panics because there is no error check in krb5Token.go line 130 and etype is nil:

	etype, _ := crypto.GetEtype(keyType)
	auth.GenerateSeqNumberAndSubKey(keyType, etype.GetKeyByteSize())

Is it possible to ignore unsupported enctypes in default_tgs_enctypes config parameter?

Thanks in advance!

EncType rc4-hmac not working with NewClientWithPassword()

Creating a client from a password rather than a keytab...

cl := client.NewClientWithPassword("user", "EXAMPLE.COM", "password")

... and using rc4-hmac as an enctype, results in:

GOKRB5 Client: 2017/11/27 15:29:39 test.go:29: Error on AS_REQ: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: Error getting key from credentials: [Error deriving key from string: Invalid s2kparams length]

How to use for RFC 3645 GSS-TSIG

This was alluded to in #58; I'm trying to use this library to be able to perform dynamic DNS updates that are signed using RFC 3645 GSS-TSIG. According to the RFC, the GSSAPI calls I should be using are GSS_Init_sec_context(), GSS_GetMIC() and/or GSS_VerifyMIC(). I can't find these by name in your library but the "Generic Kerberos Client" section in the README seems to read like it's the same flow, particularly the final bit:

Now send the AP_REQ to the service. How this is done will be specific to the application use case.

This would be (I think) where I send the first TKEY DNS query to the target DNS server. I've captured DNS traffic generated by nsupdate -g and looking at it with Wireshark shows the same; there's a TKEY query that has the ID KRB5_AP_REQ so it looks like my first step is to send that AP_REQ in a DNS query.

However, I'm not sure what to do about setting the checksum on the authenticator, or is that the equivalent to GSS_VerifyMIC() for the reply(ies) from the server?

Any pointers appreciated.

building on 32-bit system with GOARCH=386 is broken again?

Hi,

I saw there was an issue recently closed about building on 32-bit systems. Just tried to test it and it seems there is an error still:

$ GOARCH=386 go build gopkg.in/jcmturner/gokrb5.v3/crypto
# gopkg.in/jcmturner/gokrb5.v3/crypto
../go/src/gopkg.in/jcmturner/gokrb5.v3/crypto/crypto.go:61: constant 4294967158 overflows int

Would be good to have a fix.
Thanks.

Cannot connect to KDC from client

ok, so I caveat this with "I'm new to Krb5 authentication" and "It's likely a misconfiguration on my end". I have a need to set up a simple Kerberos token mechanism in order to connect a Go microservice running in a Linux docker container to an MS SQL Server that requires a domain login.

I have a dedicated domain "service account" that can successfully log in using kinit via command-line, however, using the same credentials in the following code-snippet produces:

[Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC. Attempts made with UDP (no KDCs defined in configuration for realm ) and then TCP (no KDCs defined in configuration for realm )

The snippet of code is:

	cfg, err := config.Load("/etc/krb5.conf")
	if err != nil {
		logger.Log("Error", err)
		return // do not continue with a nil config
	}
	cl := client.NewClientWithPassword(userCreds.kdcLogin, kdcDomain, userCreds.kdcPasswd)
	cl.WithConfig(cfg)
	if err := cl.Login(); err != nil {
		logger.Log("Error", err)
	}

It doesn't seem to make any difference if my userCreds.kdcLogin contains "[email protected]" or "my_service_account" (sans '@Domain').

Again, I CAN log in via CLI using kinit with the credentials specified, but when running it via the GoLang microservice, I can't successfully log in.

If it helps, here is a paste of my /etc/krb5.conf file:

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = WINDOWSKDCDOMAIN
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
WINDOWSKDCDOMAIN = {
kdc = MYDC.MYCOMPANY.COM:88
}

I've tried this WITH and WITHOUT domain_realm section, and it makes ZERO difference.

Ability to create configuration from default locations of krb5.conf

This might be useful for the config package to augment Load.

For example, config, err := config.LoadFromDefaultLocations(), which would attempt to load configuration from the following locations:

Windows c:\winnt\krb5.ini
Windows c:\windows\krb5.ini
Linux /etc/krb5.conf
Other Unix /etc/krb5/krb5.conf
z/OS /etc/krb5/krb5.conf
IBM i /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf
Solaris /etc/krb5/krb5.conf

The file paths are from these 2 references:
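Added example (not part of gokrb5 and not the issue author's code) of what the proposed config.LoadFromDefaultLocations could look like. The per-OS paths are the ones listed in this issue; because Go's GOOS has no value for IBM i or z/OS, every non-Linux, non-Windows system falls under the /etc/krb5/krb5.conf convention with /etc/krb5.conf as a second try (an assumption made here). Honouring the KRB5_CONFIG environment variable first, as MIT krb5 does, is also an addition of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// defaultKrb5ConfPaths returns the candidate locations for a GOOS value, in
// the order to try them (paths from the issue above).
func defaultKrb5ConfPaths(goos string) []string {
	switch goos {
	case "windows":
		return []string{`c:\winnt\krb5.ini`, `c:\windows\krb5.ini`}
	case "linux":
		return []string{"/etc/krb5.conf"}
	default: // solaris, aix, darwin, the BSDs, ... (assumption: /etc/krb5/ first)
		return []string{"/etc/krb5/krb5.conf", "/etc/krb5.conf"}
	}
}

var errNoConfig = errors.New("krb5.conf not found in any default location")

// firstReadable returns the first path that exists as a regular file. It
// returns errNoConfig unwrapped so callers can compare with ==.
func firstReadable(paths []string) (string, error) {
	for _, p := range paths {
		if fi, err := os.Stat(p); err == nil && fi.Mode().IsRegular() {
			return p, nil
		}
	}
	return "", errNoConfig
}

// candidatePaths prepends KRB5_CONFIG (a path list, as MIT krb5 treats it)
// to the per-OS defaults for the running platform.
func candidatePaths() []string {
	paths := defaultKrb5ConfPaths(runtime.GOOS)
	if env := os.Getenv("KRB5_CONFIG"); env != "" {
		paths = append(filepath.SplitList(env), paths...)
	}
	return paths
}

// loadFromDefaultLocations reads the first usable file and reports which one
// was used, so a wrong-file misconfiguration is diagnosable from the caller.
func loadFromDefaultLocations() (data []byte, path string, err error) {
	path, err = firstReadable(candidatePaths())
	if err != nil {
		return nil, "", err
	}
	data, err = os.ReadFile(path)
	return data, path, err
}

func main() {
	data, path, err := loadFromDefaultLocations()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("loaded %d bytes from %s\n", len(data), path)
}
```

The returned path is worth logging at startup: when a service authenticates against the wrong realm it is usually because a different krb5.conf was picked up than the one the operator edited.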

client.TGSExchange.GetServiceTicket(spn string) panics on invalid input

Calling GetServiceTicket with, for example, only a service string (i.e., GetServiceTicket("hdfs")) results in a panic:

panic: runtime error: index out of range

goroutine 1 [running]:
gopkg.in/jcmturner/gokrb5.v3/client.(*Client).GetSessionFromPrincipalName(0xc420081cb0, 0x1, 0xc420011430, 0x1, 0x1, 0x1, 0x1, 0x0)
/home/go/src/gopkg.in/jcmturner/gokrb5.v3/client/session.go:140 +0x159
gopkg.in/jcmturner/gokrb5.v3/client.(*Client).GetServiceTicket(0xc420081cb0, 0x12f7284, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/home/go/src/gopkg.in/jcmturner/gokrb5.v3/client/TGSExchange.go:77 +0x1c0
main.main()
/home/go/Documents/workspace/go-krb-sandbox/krb-auth.go:55 +0x445

It's relatively minor as such a call should not happen anyway (I ran into it after doing a copy-paste mistake) but the function could be slightly more polite and return an error with a helpful message.

(happens with gokrb5.v3 and go version 1.9.2)
Happy to do a PR if this is meaningful.
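Added example (not gokrb5 code and not the issue author's) of the kind of validation that would turn this panic into a helpful error: an SPN is parsed into its components and optional realm before anything indexes the second component. The `ServicePrincipal` type and `parseSPN` are names chosen here, and the parser assumes the common unescaped form (no backslash-escaped `/` or `@` inside a component).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ServicePrincipal is the parsed form of an SPN such as
// "HTTP/host.example.com" or "HTTP/host.example.com@EXAMPLE.COM".
type ServicePrincipal struct {
	Components []string // e.g. ["HTTP", "host.example.com"]
	Realm      string   // empty when the SPN carries no @REALM suffix
}

var errSPNComponents = errors.New("service principal name needs at least service/host components")

// parseSPN validates the name up front; a bare "hdfs" is rejected instead of
// reaching code that reads Components[1].
func parseSPN(spn string) (ServicePrincipal, error) {
	var sp ServicePrincipal
	name := spn
	// The realm is whatever follows the last '@'.
	if at := strings.LastIndex(spn, "@"); at >= 0 {
		name, sp.Realm = spn[:at], spn[at+1:]
		if sp.Realm == "" {
			return sp, fmt.Errorf("parse SPN %q: empty realm after '@'", spn)
		}
	}
	parts := strings.Split(name, "/")
	if len(parts) < 2 {
		return sp, fmt.Errorf("parse SPN %q: %w", spn, errSPNComponents)
	}
	for i, p := range parts {
		if p == "" {
			return sp, fmt.Errorf("parse SPN %q: component %d is empty", spn, i)
		}
	}
	sp.Components = parts
	return sp, nil
}

// String renders the principal back in the usual textual form.
func (sp ServicePrincipal) String() string {
	s := strings.Join(sp.Components, "/")
	if sp.Realm != "" {
		s += "@" + sp.Realm
	}
	return s
}

func main() {
	// Constructed inputs: two valid SPNs, the bare name from the issue, and an empty component.
	for _, in := range []string{"HTTP/host.example.com", "HTTP/host.example.com@EXAMPLE.COM", "hdfs", "HTTP//x"} {
		sp, err := parseSPN(in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("ok: %v realm=%q\n", sp.Components, sp.Realm)
	}
}
```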

Guidance on "kinit"-lite behavior

Howdy!

I need to bundle something cross-platform that can serve the most basic function of kinit, specifically, getting a TGT from the KDC and putting it in the ticket cache.

Is it easy to either combine or modify elements of this library to mimic that behavior? It appears that all TGT caching occurs within the go process.

Correct way to call client in a goroutine

Doing some benchmarking and I plan to create a few hundred goroutines.

What is the preferred way to make the GET call while setting the SPNEGO header?

r, _ := http.NewRequest("GET", "http://host.test.gokrb5/index.html", nil)
spn := ""
cl.SetSPNEGOHeader(r, spn)
HTTPResp, err := http.DefaultClient.Do(r)

Should I do this inside each goroutine, or do I have to call SetSPNEGOHeader only once?

Trouble authenticating against Windows 2012r2

Here's my test client that I'm trying to get working against my Windows 2012r2 AD environment which I figure should be the bare minimum that should work:

package main

import "gopkg.in/jcmturner/gokrb5.v2/config"
import "gopkg.in/jcmturner/gokrb5.v2/client"
//import "gopkg.in/jcmturner/gokrb5.v2/keytab"
import "log"
import "os"

func main() {
        l := log.New(os.Stderr, "GOKRB5 Client: ", log.Ldate|log.Ltime|log.Lshortfile)

        cfg, err := config.Load("/etc/krb5.conf")
        if err != nil {
                l.Printf("Error on config: %v\n", err)
        }

        //kt, err := keytab.Load("/home/user/nsupdate.keytab")
        //if err != nil {
        //        l.Printf("Error on keytab: %v\n", err)
        //}

        cl := client.NewClientWithPassword("user", "EXAMPLE.COM", "password")
        cl.WithConfig(cfg)
        err = cl.Login()
        if err != nil {
                l.Printf("Error on AS_REQ: %v\n", err)
        }
}

With this I get the error Error on AS_REQ: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: Error creating etype: [Unknown or unsupported EType: 26]. Looking up EType 26 suggests it's one of the Camellia ciphers camellia256-cts-cmac (defined in RFC 6803); I'm a bit surprised as all my searching suggests Windows doesn't support that.

I've found if I edit the user in AD and tick the option Do not require Kerberos preauthentication then I get this different error Error on AS_REQ: [Root cause: KRBMessage_Handling_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid < KRBMessage_Handling_Error: KDC did not respond appropriately to FAST negotiation. Now I'm a bit stuck. I'd like to eventually use a keytab but for now I'm just trying to get it passing with a password.

Ultimately, I'm trying to work out if it's possible to use your library along with github.com/miekg/dns to be able to perform GSS-TSIG DNS updates to a Windows DNS/AD server as they don't support normal key-based TSIG updates like BIND does or otherwise require you to turn off secure DNS updates altogether, which won't be an option. I can currently do this manually with a combination of ktutil, kinit and nsupdate -g but I would like a Go equivalent.

You might be able to tell me straight off if your library has enough of the GSSAPI implemented for me to even do that.

Keytab and Kvno

Great library @jcmturner

I'm having a little trouble with selecting keys from the keytab on the client side, because you have to know the correct KVNo ahead of time. Which is, of course, possible to lookup but is a little fiddly.

I couldn't see in the RFC what is the suggested approach for this, but generally when using krb5 libraries you just create a keytab entry with a kvno of (say) 1 and everything works.

Haven't seen the mechanism other libraries are taking around this, not sure if you're aware of any? One possible solution would be to take the newest key of the correct principal and cipher suite if an exact match including the version failed at keytab.go:52?

Happy to raise a PR, but would like your view first.

Multi-realm service ticket issue

Hi,

I'm trying to authenticate to a web service in a different realm than the client's:

// krb5.conf has a default realm AAA.CORP.COM and all other realms under [realms] section
cfg, err := config.Load("C:\\krb5.conf")
cl := client.NewClientWithPassword("user", "AAA.CORP.COM", "password")
cl.WithConfig(cfg)
r, _ := http.NewRequest("GET", "https://service.bbb.corp.com/", nil)
cl.SetSPNEGOHeader(r, "HTTP/service.bbb.corp.com")

The request fails with a 401 Unauthorized error.

If I use the client's credentials in the bbb.corp.com realm, everything works.

I was trying also to specify full SPN for a web service like this:

cl.SetSPNEGOHeader(r, "HTTP/[email protected]")

That does not work either.

Thanks.

Problems parsing krb5.conf

I was trying to use your library and my test code was generating the error client krb5 config does not have a default realm. My /etc/krb5.conf does have the default_realm setting, here's the relevant bit:

---8<---
[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false

 default_ccache_name = FILE:/tmp/krb5cc_%{uid}


 default_realm = EXAMPLE.COM
[realms]
---8<---

I tracked down the problem to the fact there's no blank line between default_realm and the following [realms] section. If I add one then my test code gets further. I looked through the krb5.conf(5) man page and couldn't see anything that mandated there should be a blank line before subsequent sections but the example in the man page does have that.

I'm going to clean up the /etc/krb5.conf at my end as it looks untidy but I thought I'd raise the issue here in case it's a small bug in the parser.

krb5conf: wrong parsing when [realms] is a last section

Hi,

When the [realms] section is last in the config file, the last realm is not detected:

[libdefaults]
...

[domain_realm]
...

[realms]
 TEST.GOKRB5 = {
  kdc = 10.80.88.88:88
 }
 EXAMPLE.COM = {
        kdc = kerberos.example.com
 }

Test fails:

--- FAIL: TestLoad (0.65s)
	assertions.go:239: 
	Error Trace:	krb5conf_test.go:66
	Error:      	Not equal: 
	            	expected: 2
	            	actual: 1
	Messages:   	Number of realms not as expected

5 seconds per each ticket request

I've just realized that my KDC (Active Directory) does not close the connection when responding to a ticket request.
As a result this io.Copy() operation takes 5 seconds on every call:

conn.SetDeadline(time.Now().Add(time.Duration(5 * time.Second)))
...
io.Copy(&rBuf, conn)

network.go, func sentTCP()
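Added example (not gokrb5's network.go and not from the issue author) showing the framing that makes waiting for EOF unnecessary: RFC 4120 section 7.2.2 requires every Kerberos message sent over TCP to be prefixed with a 4-byte big-endian length whose high bit is reserved, so a reader can stop as soon as that many bytes have arrived. The deadline then only matters when the KDC genuinely fails to answer. The names `frameKDCMessage`, `readKDCMessage`, `exchangeTCP` and the 1 MiB sanity bound are this example's own choices; the `net.Pipe` stand-in for a KDC deliberately never closes its side.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// maxKDCMessage bounds the declared length before allocating (assumption: no
// real KDC reply approaches 1 MiB; this mainly rejects garbage input).
const maxKDCMessage = 1 << 20

// frameKDCMessage prepends the 4-byte big-endian length required by
// RFC 4120 section 7.2.2 for Kerberos over TCP.
func frameKDCMessage(msg []byte) []byte {
	out := make([]byte, 4+len(msg))
	binary.BigEndian.PutUint32(out, uint32(len(msg)))
	copy(out[4:], msg)
	return out
}

// readKDCMessage reads exactly one framed message. It returns when the
// declared length has arrived, so it does not depend on the KDC closing the
// socket, which is what io.Copy waits for.
func readKDCMessage(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("reading length prefix: %w", err)
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n&0x80000000 != 0 {
		return nil, errors.New("reserved high bit set in KDC message length")
	}
	if n == 0 || n > maxKDCMessage {
		return nil, fmt.Errorf("implausible KDC message length %d", n)
	}
	body := make([]byte, n)
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, fmt.Errorf("reading %d-byte body: %w", n, err)
	}
	return body, nil
}

// exchangeTCP sends one request and returns the single reply within timeout.
func exchangeTCP(conn net.Conn, req []byte, timeout time.Duration) ([]byte, error) {
	if err := conn.SetDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	if _, err := conn.Write(frameKDCMessage(req)); err != nil {
		return nil, fmt.Errorf("sending request: %w", err)
	}
	return readKDCMessage(conn)
}

func main() {
	// Constructed stand-in for a KDC that answers but keeps the connection open.
	client, server := net.Pipe()
	defer client.Close()
	defer server.Close()
	go func() {
		req, err := readKDCMessage(server)
		if err != nil {
			return
		}
		server.Write(frameKDCMessage(append([]byte("reply-to-"), req...)))
		// deliberately no server.Close(): an io.Copy reader would sit here
		// until the deadline expires
	}()
	start := time.Now()
	reply, err := exchangeTCP(client, []byte("AS-REQ"), 5*time.Second)
	fmt.Printf("reply=%q err=%v took=%v\n", reply, err, time.Since(start).Round(time.Millisecond))
}
```

The length check also guards the reader against a hostile or broken peer declaring a huge body; with io.Copy into an unbounded buffer there is no such limit.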

krb5conf: parsing auth_to_local with RULE syntax

Hello,

krb5conf fails to parse a [realms] section with an auth_to_local RULE definition like:

    auth_to_local = RULE:[1:$1@$0](.*@EXAMPLE.COM)s/.*//

It seems the root cause is square brackets, which are interpreted as a new section definition.

Cannot SPNEGO to hosts whose credentials exist in the ccache

Setup

cfg, _ := config.NewConfigFromString("...")
cc, _ := credentials.LoadCCache("/tmp/krb5cc_1000")
k5cli, _ := client.NewClientFromCCache(cc)
k5cli.WithConfig(cfg)

req, _ := http.NewRequest("GET", "https://example.com/endpoint", nil)
k5cli.SetSPNEGOHeader(req, "HTTP/example.com")

KDC, kinit, and gokrb5 are all choosing aes256-cts-hmac-sha1-96 encryption (etype 18).

Tested against v2.1.2 and v4.1.1. Go version is go1.10 linux/amd64.

Expected behavior

Uses existing cached ticket for "HTTP/example.com" if one exists in ccache.

Uses TGT to obtain "HTTP/example.com" ticket if no existing ticket in ccache.

Actual behavior

Works fine if ccache contains TGT and nothing else.

Fails with following error when trying to use cached ticket:

[Root cause: Encoding_Error] Encoding_Error: cound not generate SPNEGO negotiation token: Could not create NegTokenInit: error getting MechToken; [Root cause: Encrypting_Error] KRBMessage_Handling_Error: Error creating Authenticator for AP_REQ < Encrypting_Error: Error encrypting Authenticator: Error encrypting data: Incorrect keysize: expected: 32 actual: 0

Proximate cause is that encryptAuthenticator in messages/APReq.go has usage values defined for nametype.KRB_NT_PRINCIPAL and for nametype.KRB_NT_SRV_INST, but not for nametype.KRB_NT_SRV_HST. This causes usage to equal 0, which causes EncryptMessage in crypto/rfc3962/encryption.go to use a nil derived key.

Unfortunately, I do not understand enough about the Kerberos protocol to propose an actual fix.

More details

Running klist -ef shows (with redactions):

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
03/07/2018 11:37:54  03/07/2018 21:37:54  krbtgt/[email protected]
        renew until 03/08/2018 11:37:47, Flags: FPRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
03/07/2018 11:38:44  03/07/2018 21:37:54  krbtgt/[email protected]
        renew until 03/08/2018 11:37:47, Flags: FPRAO
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 
03/07/2018 11:38:44  03/07/2018 21:37:54  HTTP/[email protected]
        renew until 03/08/2018 11:37:47, Flags: FPRAT
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 

CORP.REALM is a Windows AD DC, PROD.REALM is an MIT KDC (krb5-kdc on Ubuntu).

Unable to parse krb5.conf with tabs

First of all, thanks for the effort to create this library!

Unfortunately, it looks like krb5.conf files with tabs as indentation are not parsed correctly. This leads to "no user-defined or default realm is specified" later on. I am not sure how correct it is to use tabs in krb5.conf, but I saw this in a Cloudera installation.

I tested gokrb5 2.1.2 and 1.1.0.

Consider a sample krb5.conf below (note tabs and absence of an empty line at the end).

[logging]
	kdc = FILE:/var/log/krb5/krb5kdc.log
	admin_server = FILE:/var/log/krb5/kadmin.log
	default = SYSLOG:INFO:DAEMON

[libdefaults]
	default_realm = ANSIBLE


# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#	default_tgs_enctypes = des3-hmac-sha1
#	default_tkt_enctypes = des3-hmac-sha1
#	permitted_enctypes = des3-hmac-sha1

[realms]
	ANSIBLE = {
		kdc = fake_kdc.invalid.com
		admin_server = fake_as.invalid.com
		default_domain = invalid.com
	}

[domain_realm]
	.invalid.com = ANSIBLE
	invalid.com = ANSIBLE

[login]
	krb4_convert = true
	krb4_get_tickets = false

KDC did not respond appropriately to FAST negotiation

Hi,

I'm receiving the following error when trying to obtain a TGT with client.Login() in an Active Directory environment:

[Root cause: KRBMessage_Handling_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid < KRBMessage_Handling_Error: KDC did not respond appropriately to FAST negotiation

Commenting out these lines in KDCRep.go helps, but, of course, it is not a solution:

if len(k.DecryptedEncPart.EncPAData) < 2 || !k.DecryptedEncPart.EncPAData.Contains(patype.PA_FX_FAST) {
	return false, krberror.NewErrorf(krberror.KRBMsgError, "KDC did not respond appropriately to FAST negotiation")
}

Debugger shows that k.DecryptedEncPart.EncPAData has 1 element with PADataType = 149.

Thanks.

crypto/common/common.go:157:3: constant 4294967296 overflows int

$ dep status
PROJECT CONSTRAINT VERSION REVISION LATEST PKGS USED
gopkg.in/jcmturner/gokrb5.v2 v2.1.1 v2.1.1 fbb9b86 fbb9b86 30

$ go build
vendor/gopkg.in/jcmturner/gokrb5.v2/crypto/common/common.go:157:3: constant 4294967296 overflows int
vendor/gopkg.in/jcmturner/gokrb5.v2/crypto/common/common.go:161:3: constant 4294967296 overflows int
vendor/gopkg.in/jcmturner/gokrb5.v2/crypto/common/common.go:167:3: constant 4294967296 overflows int
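Added example (not gokrb5 code and not from the issue authors) that ties this build failure to the earlier "Unknown or unsupported checksum type: 4294967158" report and the GOARCH=386 overflow of the same constant. Kerberos checksum types are signed 32-bit values (the cksumtype field is an Int32 in RFC 4120 section 5.2.9), and RFC 4757 assigns -138 to HMAC-MD5, the checksum used with rc4-hmac (etype 23); 4294967158 is exactly -138 read through a uint32, and as an untyped constant it does not fit a 32-bit `int`. The example keeps the value signed end to end: `decodeDERInt32` sign-extends an ASN.1 INTEGER's content bytes and `normalizeChecksumType` folds an already-unsigned value back. The names and the small name table are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

// Checksum type identifiers, typed int32 so no untyped constant larger than
// 1<<31-1 ever has to fit a platform int.
const (
	ChecksumHMACMD5          int32 = -138 // RFC 4757, paired with rc4-hmac (etype 23)
	ChecksumHMACSHA196AES128 int32 = 15   // RFC 3962
	ChecksumHMACSHA196AES256 int32 = 16   // RFC 3962
)

var checksumNames = map[int32]string{
	ChecksumHMACMD5:          "hmac-md5 (rc4-hmac)",
	ChecksumHMACSHA196AES128: "hmac-sha1-96-aes128",
	ChecksumHMACSHA196AES256: "hmac-sha1-96-aes256",
}

var errUnknownChecksum = errors.New("unknown or unsupported checksum type")

// normalizeChecksumType reinterprets a value that was decoded into a uint32
// as the signed type it really is: int32(uint32(4294967158)) == -138 on
// every GOARCH, 32-bit included.
func normalizeChecksumType(raw uint32) int32 {
	return int32(raw)
}

// decodeDERInt32 decodes the content octets of a DER INTEGER (two's
// complement, big-endian, 1..4 bytes) with sign extension, so 0xFF 0x76
// yields -138 rather than 65398.
func decodeDERInt32(content []byte) (int32, error) {
	if len(content) == 0 || len(content) > 4 {
		return 0, fmt.Errorf("DER INTEGER of %d bytes does not fit int32", len(content))
	}
	var v int32
	if content[0]&0x80 != 0 {
		v = -1 // start from all ones so the shifted-in value is sign-extended
	}
	for _, b := range content {
		v = v<<8 | int32(b)
	}
	return v, nil
}

// checksumName resolves a raw unsigned value to a name, reporting both the
// signed and raw forms on failure so a log line is diagnosable.
func checksumName(raw uint32) (string, error) {
	ct := normalizeChecksumType(raw)
	name, ok := checksumNames[ct]
	if !ok {
		return "", fmt.Errorf("%w: %d (raw %d)", errUnknownChecksum, ct, raw)
	}
	return name, nil
}

func main() {
	fmt.Println(checksumName(4294967158))
	v, _ := decodeDERInt32([]byte{0xFF, 0x76}) // constructed: DER content of -138
	fmt.Println(v)
}
```

The practical consequence for the rc4-hmac keytab report above is that a PAC server checksum of "4294967158" is not an unknown algorithm but HMAC-MD5 mis-read as unsigned; a lookup table keyed on int32 handles it without any platform-dependent constant.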

HTTPServer Decryption Error

I keep getting "SPNEGO Kerberos authentication failed".

I have a keytab file which I am able to read through ktutil. When I do "list" I see all the Principals.

The error message is decrypting encpart of service ticket provided: [KRB Error: (45) KRB_AP_ERR_NOKEY Service key not avaliable - Could not get key from keytab: Matching key not found in keytab. Looking for [HTTP hostname.FDQN] real: REAL.com kvno: 20 etype: 18]

Is there anything else I should be doing?

ADCredentials - Username becomes display name

Hey,

I'm not sure whether this is a bug or intended behavior, but the Credential's userName property becomes a display name when using ADCredentials.

I started to use the CName instead, but I find it confusing.

Please close if this is the intended behavior.

Thanks.

How do I use an existing ticket in the credentials cache with SPNEGO?

First off, thank you so much for creating this library! 😄

I have a usecase where I have an existing ticket (the user has performed a kerberos login elsewhere) and the ticket is available in the credentials cache at this location: /tmp/krb5cc_$(id -u $(whoami)).

Do you have an example of using the ticket to authenticate and make requests against an HTTP service using SPNEGO?

Error resolving KDC address: missing port in address

Hi,
by default the KDC port is 88; we have a config without the port and it works for all our other services, but not with gokrb5. So I assume it would be good to add the default port if it is not defined in krb5.conf. Here is the error:

 [Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: [[] Failed to communicate with KDC kdc.example.com. Attempts made with UDP (Error resolving KDC address: address kdc.example.com: missing port in address) and then TCP (Error resolving KDC address: address kdc.example.com: missing port in address)]

Thanks.
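Added example (not gokrb5 code and not the issue author's) of the defaulting step being asked for: a `kdc =` value without a port gets `:88` appended, while values that already carry a port, and IPv4 or IPv6 literals with or without brackets, are handled without breaking them. The function name `ensureKDCPort` is this example's own; it relies on `net.SplitHostPort` to decide whether a port is already present.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

const defaultKDCPort = "88"

// ensureKDCPort returns addr with ":88" appended when no port is present.
// Bare hostnames, IPv4 literals, bracketed IPv6 ("[::1]") and bare IPv6
// ("::1") are all accepted; "[::1]:88" and "kdc.example.com:88" pass through.
func ensureKDCPort(addr string) (string, error) {
	addr = strings.TrimSpace(addr)
	if addr == "" {
		return "", fmt.Errorf("empty KDC address")
	}
	if _, _, err := net.SplitHostPort(addr); err == nil {
		return addr, nil // already host:port or [v6]:port
	}
	host := strings.Trim(addr, "[]")
	// A bare IPv6 literal contains ':' yet is not host:port; JoinHostPort
	// adds the brackets such a host needs.
	if net.ParseIP(host) != nil || !strings.Contains(host, ":") {
		return net.JoinHostPort(host, defaultKDCPort), nil
	}
	return "", fmt.Errorf("cannot interpret KDC address %q", addr)
}

// kdcAddrsWithPort applies the default to every kdc value of a realm,
// stopping at the first value that cannot be interpreted.
func kdcAddrsWithPort(kdcs []string) ([]string, error) {
	out := make([]string, 0, len(kdcs))
	for _, k := range kdcs {
		a, err := ensureKDCPort(k)
		if err != nil {
			return nil, err
		}
		out = append(out, a)
	}
	return out, nil
}

func main() {
	// Constructed kdc values as they might appear in a [realms] stanza.
	addrs, err := kdcAddrsWithPort([]string{"kdc.example.com", "kdc2.example.com:88", "10.0.0.1", "::1", "[fe80::1]"})
	fmt.Println(addrs, err)
}
```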

Propagate error when loading keytab

Hey,

First I'd like to say thanks for this great library (finally no conflicts between millions of versions of native krb libraries!)

Is there any reason why the error is not propagated in this line? It makes it impossible to be aware of IO problems during the file read:

return

Thanks

Cannot go get

Installation instructions of this package do not work for me:

$ go get gopkg.in/jcmturner/gokrb5.v3
package gopkg.in/jcmturner/gokrb5.v3: no Go files in $GOPATH/src/gopkg.in/jcmturner/gokrb5.v3

Tested in two environments:

# CentOS 7
$ go version
go version go1.9.2 linux/amd64

# macOS 10.11
$ go version
go version go1.9.2 darwin/amd64

Am I missing something?
