Currently python-krbV works but is basically unmaintained. In particular it has not been ported to Python 3 which means our usage of it blocks porting the bkr client to Python 3 (bug 1455424).

The preferred alternative is python-kerberos, originally from CalendarServer, forked by Apple, then abandoned, and lately resurrected by Apple. However python-kerberos does not expose all of the Kerberos API. In particular it lacks support for kinit operations.

The other alternative is python-gssapi. For example FreeIPA switched from python-krbV to python-gssapi a few years ago:

https://pagure.io/freeipa/c/aad73fad601f576dd83b758f4448839b4e8e87df

python-gssapi wraps GSSAPI, not Kerberos directly, but the operations we need on the client side are exposed well enough that we can switch to it. python-gssapi ships in RHEL7, but not RHEL6 (we would need to supply our own build for RHEL6).
I would feel more comfortable doing this if we also had the dogfood tests covering Kerberos: bug 1275493. Currently the tests all use password authentication and all this Kerberos-related code is never exercised except by manual testing (and every single one of our internal users every day, of course).
I got python-gssapi built for RHEL6, and whipped up a patch to switch over the client pieces (actually the LC too since it shares that code) while I was procrastinating some other stuff this afternoon.

https://gerrit.beaker-project.org/5701

However I think I have hit a snag... When using keytab for authentication, on RHEL6 it fails like this (works on RHEL7):

    Traceback (most recent call last):
    [...]
      File "/home/dcallagh/work/beaker/Common/bkr/common/hub.py", line 161, in _login_krbv
        creds = gssapi.Credentials(name=name, store=store, usage='initiate')
      File "/usr/lib64/python2.6/site-packages/gssapi/creds.py", line 64, in __new__
        store=store)
      File "/usr/lib64/python2.6/site-packages/gssapi/creds.py", line 140, in acquire
        raise NotImplementedError("Your GSSAPI implementation does "
    NotImplementedError: Your GSSAPI implementation does not have support for manipulating credential stores

And indeed I see during the build of python-gssapi that it warns me some GSSAPI extensions are not supported, I guess due to the quite old krb5 libraries in RHEL6:

    Skipping the cred_store extension because it is not supported by your GSSAPI implementation...
    Skipping the cred_imp_exp extension because it is not supported by your GSSAPI implementation...
    Skipping the iov_mic extension because it is not supported by your GSSAPI implementation...
    Skipping the rfc6680_comp_oid extension because it is not supported by your GSSAPI implementation...
    Skipping the password_add extension because it is not supported by your GSSAPI implementation...

So I think this is effectively stalled until the client is no longer supported on RHEL6...
Oh and it's actually worse than that, since this code is called by the LC as well. This is stalled until *all* of Beaker is off RHEL6 and onto RHEL7.
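An added example, not part of the thread or of the Beaker patch: one way to detect the missing cred_store extension described in the comments above before attempting keytab login, so the caller fails closed with an explicit error instead of hitting the NotImplementedError inside python-gssapi. The helper names, the injected `gssapi_mod` and `probe` parameters, and the sample principal and keytab path are assumptions made for illustration.

```python
import importlib


class CredStoreUnavailable(RuntimeError):
    """python-gssapi was built without the cred_store extension."""


def cred_store_supported(import_module=importlib.import_module):
    # Each optional GSSAPI extension is compiled as its own module under
    # gssapi.raw; one skipped at build time is simply absent at import time.
    try:
        import_module("gssapi.raw.ext_cred_store")
    except ImportError:
        return False
    return True


def acquire_keytab_creds(principal, keytab, gssapi_mod, probe=cred_store_supported):
    """Acquire initiator credentials for `principal` from `keytab`.

    Fails closed: if credential stores are unavailable we raise instead of
    quietly using whatever identity sits in the default ccache.
    """
    if not probe():
        raise CredStoreUnavailable(
            "GSSAPI library lacks cred_store; keytab login for %s is not "
            "possible on this host" % principal)
    name = gssapi_mod.Name(principal, gssapi_mod.NameType.kerberos_principal)
    store = {"client_keytab": "FILE:" + keytab}
    try:
        return gssapi_mod.Credentials(name=name, store=store, usage="initiate")
    except NotImplementedError as exc:
        # Same condition, reported by python-gssapi itself (as in the traceback).
        raise CredStoreUnavailable(str(exc)) from exc


if __name__ == "__main__":
    import gssapi  # imported here so the probe is usable without it

    # Constructed sample values, not taken from the thread.
    try:
        acquire_keytab_creds("host/client.example.com@EXAMPLE.COM",
                             "/etc/krb5.keytab", gssapi)
        print("keytab credentials acquired")
    except CredStoreUnavailable as err:
        raise SystemExit("keytab login unavailable: %s" % err)
```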
python-krbV has no python3 support, so its renewal helps projects move to python3. pykerberos is a very minimum execution calculated for use in calendar server and not intended for consumption by other applications.