It just calls the C api so you can specify the env varKRB5CCNAME usingos.environ and it will work in the same way. What API are you trying to call, what are you trying to achieve with a custom ccache?

Hi Jordan,

I am calling two API. One isgssapi.raw.acquire_cred_with_password and the other isgssapi.SecurityContext. I'm thinking that the first API is the one generating the ticket. I can easily supply the KRBCCNAME env variable (I do that for other apps using the KRB5 library). I am doing this in Docker because the I believe it is expecting to look for the ticket cache in a "temp/" folder. So I need to tell to use a specific one since. If I run this within Pycharm I don't need to do anything, but when I put it in a container, it can't find the ticket. I have a separate python file called kerberos.py (below). You can see the commented out lines where I was trying to use thegssapi.raw.ext_cred_store.store_cred_into API, obviously I don't know what I'm doing! This was from an example I found online, I think it might be yours?

import gssapidef kinit(username=None, password=None, realm=None, exe=None, keytab=None, krb5ccname=None, verbose=False):    server_name = gssapi.Name('krbtgt/' + realm)    user = gssapi.Name(base=username, name_type=gssapi.NameType.user)    bpass = password.encode('utf-8')    result = False    try:        creds = gssapi.raw.acquire_cred_with_password(user, bpass, usage='initiate')        creds = creds.creds        # cache_store = {'FILE', '/etc/ccache'}        # gssapi.raw.ext_cred_store.store_cred_into(cache_store)        context = gssapi.SecurityContext(name=server_name, creds=creds, usage='initiate')        result = True    except AttributeError:        print("AttributeError")    except gssapi.exceptions.GSSError as er:        print(er)    # acquire_cred_with_password returns a wrapper, we want the creds    # object inside this wrapper    print(result)

Thegss_store_cred_into can be annoying to use, I've found that the cache needs to exist for it to work unless you specifyoverwrite=True. We even do this in the tests

A few more things to point out

• The cache store key should identify the type of store to use, for Kerberos you wantccache
• acquire_cred_with_password will always get a MEMORY ccache credential
• Unless you need persistence beyond the process you don't need to store it in a file
• Using thecreds kwarg onSecurityContext will have it only use that credential, it won't lookup the ccache ofKRB5CCNAME

So for this to work you need to do

importosimportgssapiusername='...'password='...'user=gssapi.Name(base=username,name_type=gssapi.NameType.user)bpass=password.encode('utf-8')creds=gssapi.raw.acquire_cred_with_password(user,bpass,usage='initiate').credsifkrb5ccname:=os.environ.get('KRB5CCNAME',None):store= {'ccache':f'FILE:{krb5ccname}',    }gssapi.raw.ext_cred_store.store_cred_into(store,creds,overwrite=True)...

I gave this a try today and I am running into this issue:

gssapi.raw.ext_cred_store.store_cred_into(store, creds, overwrite=True)
AttributeError: module 'gssapi.raw' has no attribute 'ext_cred_store'

I commented out the AttributeError catch block and let the code fall through to the next general exception catch. That's how I got the details above.

I've checked the docs and there indeed is an 'ext_cred_store' attribute.

Do I need to import something else?

Here's the code I used:

def kinit(username=None, password=None, realm=None, exe=None, keytab=None, verbose=False):
server_name = gssapi.Name('krbtgt/' + realm)

user = gssapi.Name(base=username, name_type=gssapi.NameType.user)bpass = password.encode('utf-8')result = Falsetry:    creds = gssapi.raw.acquire_cred_with_password(user, bpass, usage='initiate')    creds = creds.creds    if krb5ccname := os.environ.get('KRB5CCNAME', None):        krb5ccname='temp'        store = {            'ccache': f'FILE:{krb5ccname}',        }        gssapi.raw.ext_cred_store.store_cred_into(store, creds, overwrite=True)    result = True#except AttributeError:#    print("AttributeError")except gssapi.exceptions.GSSError as er:    print(er)# acquire_cred_with_password returns a wrapper, we want the creds# object inside this wrapperprint(result)

AttributeError: module 'gssapi.raw' has no attribute 'ext_cred_store'

This means that your GSSAPI C library doesn't have the extension methods present so you won't be able to call it in python-gssapi. There's little that we can do about that unfortunately. If the C library doesn't have it Python can't call it. I believe this has only been recently added to Heimdal based GSSAPI libs but that hasn't made it into an actual release. Considering your default isAPI I'm guessing you are on a macOS host which uses their own forked version of Heimdal so it makes sense they don't have it.

Unfortunately your options are limited, if you really need to persist the credentials to a file you might be better off using the krb5 APIs directly withhttps://github.com/jborean93/pykrb5. if you didn't need to persist the TGT then why are you wanting to callstore_cred_into?

An example ofkinit using the raw krb5 APIs can be seen inhttps://github.com/jborean93/pyspnego/blob/main/src/spnego/_gss.py#L183-L285. It shows you how it can store a credential in a custom ccache (the implementation there uses a unique MEMORY ccache but you can change it to use a file). It also shows how you can load a credential from the library for use with this one.

Yeah, it's not the end of the working to call kinit as a sub-process, but requires I install kinit into the container. Also, not a big deal. All I'm trying to solve for now is to be able to use a service account to make connections to the db and that requires kerberos. It's the curse of working in a serverless environment. The containers (in AWS) are not domain-joined so they have no awareness of AD/KDC. You have to do this manually. With Fargate, which allows multiple containers to run in the same task, I use a sidecar that does all the KDC Auth and brings the TGT back to the container and shares the ticket with the application container. Unfortunately the new service I am using, AWS Batch, only a single container to run so that's what I am trying to create now: one image that get an ticket for a given service principal and password, and then running some processing against a SQL Server db (uses a trusted connection) then exiting the container.