Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't imply a default local domain #37

Open
michael-o opened this issue Mar 31, 2023 · 0 comments · May be fixed by #38
Open

Don't imply a default local domain #37

michael-o opened this issue Mar 31, 2023 · 0 comments · May be fixed by #38

Comments

@michael-o
Copy link
Contributor

michael-o commented Mar 31, 2023
edited
Loading

Here

requests-negotiate-sspi/requests_negotiate_sspi/requests_negotiate_sspi.py

Lines 35 to 36 in c7929ee

domain: NT Domain name.
Default: '.' for local account.

The constructor contains a default value of None, instead of documented '.', but that is not that important. It imposes a local domain which means that HttpNegotiateAuth(username="foo",password="bar") fails in an Active Directory environment where the domain is simply implied to the one where the current machine is joined. You are always forced to supply domain:

with: r = requests.head(targetUrl, auth=HttpNegotiateAuth(username="...", password="...")):

etry_using_http_Negotiate_auth
    error, auth = clientauth.authorize(sec_buffer)
  File "C:\Program Files\Python38\lib\site-packages\win32\lib\sspi.py", line 131, in authorize
    err, attr, exp=win32security.InitializeSecurityContext(
pywintypes.error: (-2146893048, 'InitializeSecurityContext', 'Das Token, das der Funktion übergeben wurde, ist ungültig.')

where username can be:

  • sAMAccountName
  • Enterprise principal (explicit UPN)
  • Kerberos principal (implicit UPN)

Somewhat related case: https://bugs.launchpad.net/ubuntu/+bug/1970924
michael-o added a commit to michael-o/requests-negotiate-sspi that referenced this issue Mar 31, 2023
@michael-o
Don't imply a default local domain (brandond#37)
88dadf3 
Remove implication of a local domain (local SAM account) which forced you to
*always* supply a domain although Kerberos can derive default one automatically.

This fixes brandond#37
@michael-o michael-o linked a pull request Mar 31, 2023 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't imply a default local domain (#37) michael-o/requests-negotiate-sspi
1 participant
@michael-o