I am attempting to request a JSON response from an intranet site that uses Kerberos authentication.
I make a kinit like so (without a keytab):
    kinit [email protected]

After doing so, the following code works and gives me the exact JSON response that I want:
    import json
    from io import BytesIO

    import pycurl

    def __make_request(self):
        curl = pycurl.Curl()
        data = BytesIO()
        # Let libcurl perform SPNEGO/Kerberos using the ticket obtained by kinit
        curl.setopt(pycurl.HTTPAUTH, pycurl.HTTPAUTH_GSSNEGOTIATE)
        curl.setopt(pycurl.USERPWD, self.pwd)
        curl.setopt(pycurl.WRITEFUNCTION, data.write)
        curl.setopt(pycurl.URL, self.url)
        curl.perform()
        curl.close()
        return json.loads(data.getvalue())

This of course seems too easy. I decided to try it with the gssapi:

    import base64

    import gssapi
    import requests

    server_name = gssapi.Name('HTTP/service_principal_here@OTHER_REALM.COM')  # listed on TGT
    canon_name = server_name.canonicalize(gssapi.MechType.kerberos)
    ctx = gssapi.SecurityContext(name=canon_name, usage='initiate')
    token = ctx.step()
    # decode so the base64 token can be concatenated with a str on Python 3
    token64 = base64.b64encode(token).decode('ascii')
    # token64 will print a long encoded token
    h = {"www-authenticate": "Negotiate " + token64}
    r = requests.get("same url used with pycurl above", headers=h)

This results in a 403 (not a 401)
Any ideas on what is wrong with my request?
Ok I figured it out. I was sending the token in the header incorrectly. The header should actually look like this:

    headers = {"Authorization": "Negotiate " + bt64}

I am unsure why anyone would use gssapi and requests over pycurl... especially where the documentation for gssapi is not that great.
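
An added example, not part of the original post: the two directions of the Negotiate exchange as separate helpers, plus a request wrapper that feeds the server's reply token back into the GSS context so the server is authenticated too. The function names are hypothetical, the gssapi calls are the ones used in the question, and the URL and service principal are supplied by the caller.

```python
import base64


def negotiate_request_header(token: bytes) -> dict:
    """Client -> server: the GSS token travels in Authorization.

    WWW-Authenticate is the server's header and is ignored on a request.
    """
    return {"Authorization": "Negotiate " + base64.b64encode(token).decode("ascii")}


def negotiate_reply_token(www_authenticate):
    """Server -> client: pull the token out of a WWW-Authenticate value.

    Returns None when no Negotiate challenge is present, b"" for a bare
    "Negotiate" challenge (the usual 401 prompt), otherwise the raw token.
    """
    for challenge in (www_authenticate or "").split(","):
        scheme, _, param = challenge.strip().partition(" ")
        if scheme.lower() == "negotiate":
            param = param.strip()
            return base64.b64decode(param) if param else b""
    return None


def get_with_spnego(url, service_principal):
    """GET url with Kerberos and report whether mutual auth completed."""
    # Imported here so the header helpers above work without these packages.
    import gssapi
    import requests

    name = gssapi.Name(service_principal).canonicalize(gssapi.MechType.kerberos)
    ctx = gssapi.SecurityContext(name=name, usage="initiate")
    resp = requests.get(url, headers=negotiate_request_header(ctx.step()))

    reply = negotiate_reply_token(resp.headers.get("WWW-Authenticate"))
    if reply:
        # Raises a gssapi error if the server's token does not verify.
        ctx.step(reply)
    return resp, ctx.complete
```

If `ctx.complete` is false after a successful response, the server never proved its identity, so treat the body accordingly.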