What I do first:
>kinit
Default principal: [email protected]
Valid starting Expires Service principal
18.06.2020 18:27:11 19.06.2020 18:26:26 postgres/[email protected]
18.06.2020 18:27:11 19.06.2020 18:26:26 postgres/c1s.com.com@
18.06.2020 18:26:30 19.06.2020 18:26:26 krbtgt/[email protected]
OK, the principal "postgres/[email protected]" exists.
And second:
import gssapi
p_name = 'postgres/[email protected]'
name = gssapi.Name(p_name) #the principal for this service
creds = gssapi.Credentials(name=name, usage='initiate')
And I get this error:
Traceback (most recent call last):
File "gt1.py", line 8, in <module>
creds = gssapi.Credentials(name=name, usage='initiate')
File "/usr/lib/python2.7/dist-packages/gssapi/creds.py", line 64, in __new__
store=store)
File "/usr/lib/python2.7/dist-packages/gssapi/creds.py", line 137, in acquire
mechs, usage)
File "gssapi/raw/creds.pyx", line 158, in gssapi.raw.creds.acquire_cred (gssapi/raw/creds.c:2051)
gssapi.raw.misc.GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639053): Can't find client principal postgres/[email protected] in cache collection
Why can this happen? Any ideas? Please, I need help...
You are mixing up two different things: client and target principals. Your credentials cache, listed with klist, shows that the client principal in that ccache is [email protected] while you are using postgres/[email protected] as your client principal.
You need to either:
- initialize the ccache with a key for postgres/c1.com.ru first (using some keytab, most likely)
- use a keytab when initializing credentials in your Python application.
For the latter, you need to pass a cred store reference. Something like in this helper code in FreeIPA: https://pagure.io/freeipa/blob/master/f/ipalib/install/kinit.py#_43
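The distinction drawn in the answer above, as an added example that is not part of the original post or of FreeIPA's code: it separates the ccache's client principal from the service tickets it holds, then acquires initiator credentials through a credential store. The principals, paths and helper names are constructed placeholders, and `acquire_from_keytab` assumes python-gssapi with the credential store extension and a reachable KDC.

```python
import re

# Constructed klist output (placeholder principals, not the ones from the question).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
18.06.2020 18:27:11  19.06.2020 18:26:26  postgres/db.example.com@EXAMPLE.COM
18.06.2020 18:26:30  19.06.2020 18:26:26  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

def parse_klist(text):
    """Split klist output into the client principal and the service tickets held."""
    client = re.search(r"^Default principal:\s*(\S+)", text, re.M)
    services = re.findall(r"^\d\S*\s+\S+\s+\d\S*\s+\S+\s+(\S+@\S*)\s*$", text, re.M)
    return (client.group(1) if client else None), services

def can_initiate_as(text, wanted):
    """True only if `wanted` is the ccache's client principal.
    Holding a service ticket for `wanted` does not make it an initiator name."""
    client, _ = parse_klist(text)
    return client == wanted

def keytab_store(keytab, ccache):
    """Credential-store mapping passed as gssapi.Credentials(store=...)."""
    return {"client_keytab": keytab, "ccache": ccache}

def acquire_from_keytab(principal, keytab, ccache):
    """Acquire initiator credentials for `principal` using keys from a keytab."""
    import gssapi  # imported here so the helpers above work without it
    name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
    return gssapi.Credentials(name=name, usage="initiate",
                              store=keytab_store(keytab, ccache))
```

The keytab holds the service's long-term key, so it should be readable only by the account that runs the application.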