How could I obtain GSSAPI credentials without having krb5.keytab on user machine?

Question

I'm getting the following error when trying to obtain GSSAPI credentials on my machine:

server_creds = gssapi.Credentials(usage='init', name=server_name)
GSSError: Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2): Key table file '/etc/krb5.keytab' not found

Here is what I have already found in Kerberos keytab introduction:

A keytab is a file containing pairs of Kerberos principals and encrypted keys (these are derived from the Kerberos password). You can use this file to log into Kerberos without being prompted for a password. The most common personal use of keytab files is to allow scripts to authenticate to Kerberos without human interaction, or store a password in a plaintext file.

Well, it's completely acceptable for me even if my program will actually require human interaction in order to authenticate. Is there any way to use Kerberos client on end-user system without /etc/krb5.keytab file, even if it means asking password on each authentication?

Answer 1

It makes no sense to "even if it means asking password on each authentication". This defeats the purpose of Kerberos.

You can do the following:

1. Your user does "kinit" in the shell or similar via a login manager
2. You have a binding for gss_acquire_cred_with_password() for Python

Evaluate both