OpenStack Keystone and Kerberos












I have integrated OpenStack and Kerberos using the link provided here: https://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/

It is successfully installed, and I am able to perform kinit authentication successfully:

kinit {userId}

But when I try to perform 'openstack token issue' or any other command using openstack, I get a 401 Unauthorized exception like the one below:

Auth plugin v3kerberos selected
auth_config_hook(): {'auth_type': 'v3kerberos', 'beta_command': False, u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'metrics_api_version': '1', u'metering_api_version': u'2', 'auth_url': 'http://openstack.companyipasub.com:5000/krb/v3/', 'additional_user_agent': [('osc-lib', '1.11.1')], u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': , u'image_api_version': u'2', u'clustering_api_version': u'1', 'verify': True, 'timing': False, u'dns_api_version': '2', u'object_store_api_version': u'1', u'status': u'active', u'container_infra_api_version': '1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': u'1', 'auth': {}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': '1', u'interface': None, u'application_catalog_api_version': u'1', 'cacert': None, u'key_manager_api_version': '1', u'workflow_api_version': u'2', u'baremetal_status_code_retries': '5', u'identity_api_version': '3', u'volume_api_version': u'2', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'alarming_api_version': '2', u'container_api_version': u'1', u'block_storage_api_version': u'2', u'disable_vendor_agent': {}}
Using auth plugin: v3kerberos
Using parameters {'auth_url': 'http://openstack.companyipasub.com:5000/krb/v3/'}
Get auth_ref
Making authentication request to http://openstack.companyipasub.com:5000/krb/v3/auth/tokens
Starting new HTTP connection (1): openstack.companyipasub.com
http://openstack.companyipasub.com:5000 "POST /krb/v3/auth/tokens HTTP/1.1" 401 381
handle_401(): Handling: 401
!!!!!!!!!!!!!!!!!!!!!!!!!!NEGOTATION###################################

%%%%%%%%%%%%%%%%%RESPONSE HEADER%%%%%%%%%
openstack.companyipasub.com
HTTP
10
#####################BEFORE NEGOTATION################
1
openstack.companyipasub.com
<PyCObject object at 0x7feeb1f2aeb8>
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

!!!!!!!!!!!!!!!!!!!!!!!!!!NEGOTATION###################################

authenticate_user(): Authorization header: Negotiate YIIEsQYJKoZIhvcSAQICAQBuggSgMIIEnKADAgEFoQMCAQ6iBwMFACAAAACjggOuYYIDqjCCA6agAwIBBaEQGw5NU1lTSVBBUUNTLkNPTaIrMCmgAwIBA6EiMCAbBEhUVFAbGG9wZW5zdGFjay5tc3lzaXBhcWNzLmNvbaOCA14wggNaoAMCARKhAwIBAaKCA0wEggNIEYkxuhR67BYR0AiQZNcdkcjw9n9Whu15PAx7sQeAlMl0RTKqHJlMhL/djZTPJoaIJ6AWUiLovambzqA9SUngU5wEuYlwlB+h8nvxVWuqziEsukaWBWErToIKnA6R2bds4aoUCtfEElJP+kAFgyf+biqCNIzWJpKrYlMgX9gZqqAkL+uzdWMyClEAABODajw5hg8BmTLOJ5xY/BsYh2eKFn3S9y150OV1RKf5Vct2WpVQNbz/1h7Uu4iNngfTx3rvYQWg1AarkL76HACXiqu07dlmZilgf29umyy9GtNYsrJYNO0Fl1cejzOsGotxFh1Wufg5RJ3NMgHaQ477elmixsDnLC1eUtGmP4tmdpMFFoFjMi9pusdWBnsRBWK5VpJgJsSZIMNcxMMLT4CAEM5/nTo7I8ZDtrO828IhFeity4gYZeFcMZpcO9pGKL70ruWaVh8QTV9E/7DakcTAJ6eMYmTzU7mSnT8rZbA9CVRpKwU2mF3osZfWIPdmRSjM9qR540Xkj39CUaZSf2xRIyFfLPQuyQ/tKIeQH6lrO2hKIUXqmnUw5OzJBaE+JfTuAuIcnGhfA9VESN3Ymmx71SSvRLpYwHZXEWRHo2G32iyGW6pL3pf32N72oL5odlz2a8FOzSwV4vhnOHjeB0wVymmLht5BIMy5xV+UjYNomolMXLS1vrd20aI5vXpoQZNTd5ANx+7PjkXuZSxkadxFcEJQzCTwKRs0DhF6qnsVBL5t9WjiCxkUqFNQ867ZWefDW9ZkrMbTdgJ09O94an1VTNETkUFs8feQcevYXJN87dM6tp6wMFQB51zoCaF5DlHzNtwUMtv0kD0NTILULQ9jy7N2797a16FR8eueaS0YW9troP263zGjsXGP6hu1pljDCS4SLXfA5M4fLNjheOMkqrFNyHty83jEuZaNKnjKip9KVfV02YoA/r8T7ybTXSQYEohLfwIrMqL4QgjRqlb1w9R5eaHjJZ+3N2bMqdM6i5XrD4FYOw71paIQ1KDaYWVhDYzDgporDKZdKeTjGnKZjXqOMu2NMbxQCqgRl2ffRUQqYHVlr0K+H+vLyTM1hMQYQNgTOKJzmc2X4blSH0NNmXkH4SD8WwyKrRR/pIHUMIHRoAMCARKigckEgcZ1btIWWLebFDMojIrDaSja+mlF5zhAAISr8Xs8ngjbHtv3cp/L8o2LzovHGsHLlyEOFYOk8yA7fIbJ0bdqeEZ0AGn5Y9vpUhTBAOIRt7n5Ksx4MKNCjOxeoa2m2UfUNtbMgcPgN8VNZ9Z/nYvUZW9Vyd4KbPKz7+3yrKArkjz7Q47XTRyZt49eWlThhryZT2c941m6RlP0NlMYE1iA8HZfU+hpE9ZrM4QB9rjaF3YCzNriWCW8mgpyHQC/OyPgBo6Krqe3HWc=
http://openstack.companyipasub.com:5000 "POST /krb/v3/auth/tokens HTTP/1.1" 401 114
authenticate_user(): returning <Response [401]>
handle_401(): returning <Response [401]>
handle_response(): returning <Response [401]>
handle_response() has seen 0 401 responses
handle_401(): Handling: 401
!!!!!!!!!!!!!!!!!!!!!!!!!!NEGOTATION###################################
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv/cBxSains0m+hfCjXhwcg/eStoasDfYiwF56vheZT9t7EVelUjfaXEtcel9E7YShc7WtbIW73NnsSM/7h8yKsqWEGwDnnSe063SnuAMW7xK0i44q3j1UkvPF7E00wF3dPzooeDxZT2Ztqc4kQ5xU
%%%%%%%%%%%%%%%%%RESPONSE HEADER%%%%%%%%%
openstack.companyipasub.com
HTTP
10
#####################BEFORE NEGOTATION################
1
openstack.companyipasub.com
<PyCObject object at 0x7feeb1f2af58>
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
!!!!!!!!!!!!!!!!!!!!!!!!!!NEGOTATION###################################
YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv/cBxSains0m+hfCjXhwcg/eStoasDfYiwF56vheZT9t7EVelUjfaXEtcel9E7YShc7WtbIW73NnsSM/7h8yKsqWEGwDnnSe063SnuAMW7xK0i44q3j1UkvPF7E00wF3dPzooeDxZT2Ztqc4kQ5xU
generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 136, in generate_request_header
_negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
(('Invalid token was supplied', 589824), ('Success', 100001))
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 136, in generate_request_header
_negotiate_value(response))
GSSError: (('Invalid token was supplied', 589824), ('Success', 100001))
handle_401(): returning <Response [401]>
handle_response(): returning <Response [401]>
handle_response() has seen 1 401 responses
handle_response(): returning 401 <Response [401]>
Request returned failure status: 401
The request you have made requires authentication. (HTTP 401) (Request-ID: req-1f34993d-e869-491d-be4d-fc756f081beb)
clean_up IssueToken: The request you have made requires authentication. (HTTP 401) (Request-ID: req-1f34993d-e869-491d-be4d-fc756f081beb)
END return value: 1









Tags: centos, kerberos, openstack

asked 3 hours ago by Harry, edited 23 mins ago
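An added example, not part of the original question: the Negotiate values in a debug log like the one above are Kerberos GSS-API tokens, and their unencrypted headers show which Kerberos message each one is and, for the client's AP-REQ, which service principal the ticket was issued for. The sample log is constructed (tokens with empty encrypted parts; `keystone.example.test` and `EXAMPLE.TEST` are made-up names), and all function names are this example's own.

```python
import base64
import re

KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2 (Kerberos 5)
TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def read_tlv(buf, pos=0):
    """Decode one DER element; return (tag, value, offset of the next element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def elements(body):
    """List the (tag, value) pairs directly inside a constructed element."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_token(b64):
    """Classify a Kerberos GSS-API token; for an AP-REQ also return the SPN."""
    try:
        tag, body, _ = read_tlv(base64.b64decode(b64))
        oid_tag, oid, pos = read_tlv(body)
        if tag != 0x60 or oid_tag != 0x06 or oid != KRB5_OID:
            return None  # e.g. SPNEGO-wrapped, or not a GSS-API token at all
        info = {"type": TOK_IDS.get(body[pos:pos + 2], "unknown")}
        if info["type"] == "AP-REQ":
            # [APPLICATION 14] -> SEQUENCE -> ticket [3] -> [APPLICATION 1] -> SEQUENCE
            ap_req = dict(elements(read_tlv(read_tlv(body, pos + 2)[1])[1]))
            ticket = dict(elements(read_tlv(read_tlv(ap_req[0xA3])[1])[1]))
            realm = read_tlv(ticket[0xA1])[1].decode()           # realm [1]
            sname = dict(elements(read_tlv(ticket[0xA2])[1]))    # sname [2]
            parts = [v.decode() for _, v in elements(read_tlv(sname[0xA1])[1])]
            info["spn"] = "/".join(parts) + "@" + realm
        return info
    except (ValueError, IndexError, KeyError):
        return None  # not base64, not DER, or a field is missing


def scan_log(text):
    """Return the parsed Kerberos tokens found in a debug log, in order."""
    found = (parse_token(m.group()) for m in B64_RUN.finditer(text))
    return [info for info in found if info]


def tlv(tag, value):
    """Minimal DER encoder (short-form lengths only), used to build the samples."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def sample_log():
    """Constructed log in the shape of the question's output (not real tokens)."""
    gs = lambda s: tlv(0x1B, s.encode())       # GeneralString
    integer = lambda n: tlv(0x02, bytes([n]))
    empty = tlv(0x30, b"")                     # stands in for EncryptedData
    sname = tlv(0x30, tlv(0xA0, integer(3))
                + tlv(0xA1, tlv(0x30, gs("HTTP") + gs("keystone.example.test"))))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA0, integer(5)) + tlv(0xA1, gs("EXAMPLE.TEST"))
                           + tlv(0xA2, sname) + tlv(0xA3, empty)))
    ap_req = tlv(0x6E, tlv(0x30, tlv(0xA0, integer(5)) + tlv(0xA1, integer(14))
                           + tlv(0xA2, tlv(0x03, bytes(5))) + tlv(0xA3, ticket)
                           + tlv(0xA4, empty)))
    ap_rep = tlv(0x6F, tlv(0x30, tlv(0xA0, integer(5)) + tlv(0xA1, integer(15))
                           + tlv(0xA2, empty)))
    wrap = lambda tok_id, msg: base64.b64encode(
        tlv(0x60, tlv(0x06, KRB5_OID) + tok_id + msg)).decode()
    return "\n".join([
        "authenticate_user(): Authorization header: Negotiate " + wrap(b"\x01\x00", ap_req),
        'http://keystone.example.test:5000 "POST /krb/v3/auth/tokens HTTP/1.1" 401 114',
        wrap(b"\x02\x00", ap_rep),
        "handle_401(): returning <Response [401]>",
    ])


if __name__ == "__main__":
    for token in scan_log(sample_log()):
        print(token)
```

The SPN reported for the AP-REQ is the name the client requested a ticket for, which can be checked against the entries `klist -k` lists for the keytab the web server uses.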
