Python Kadmin RS
Python interface to the Kerberos administration interface (kadm5), providing a safe and idiomatic way to manage Kerberos principals and policies. It leverages a Rust implementation (kadmin-rs) for enhanced safety and performance. The library is currently at version 0.7.0 and sees active development with releases tied to new features or bug fixes.
Common errors
- ImportError: cannot import name 'Client' from 'kadmin_rs.client' (/path/to/venv/lib/python3.X/site-packages/kadmin_rs/client.py)
  cause The `python-kadmin-rs` library or its underlying Rust components were not installed correctly, most commonly due to missing system Kerberos development headers.
  fix Ensure system Kerberos development libraries are installed (e.g., `sudo apt install libkrb5-dev` or `sudo yum install krb5-devel`) and then reinstall the Python package: `pip install --no-cache-dir python-kadmin-rs`.
- kadmin_rs.errors.KadminError: Principal does not exist (or Cannot contact KDC for realm EXAMPLE.COM)
  cause This usually indicates an issue with the Kerberos configuration, such as an incorrect principal name, an invalid keytab path, an unreachable KDC, or problems with the `/etc/krb5.conf` file.
  fix Verify the principal name is exactly correct (including case and realm), ensure the keytab file exists and is readable, and confirm the KDC is reachable from the client. Check `/etc/krb5.conf` for correct realm and KDC server details. Use `klist -kt <keytab_path>` to inspect keytab contents.
- kadmin_rs.errors.KadminError: Failed to initialize KDC client: No such file or directory (os error 2)
  cause The specified `keytab_path` provided to `Client.with_keytab()` does not exist or is not accessible/readable by the user running the Python script.
  fix Double-check the `keytab_path` variable to ensure it points to an existing keytab file. Verify that the Python process has read permissions for the file (e.g., using `ls -l <keytab_path>` and `whoami`).
Warnings
- gotcha The library wraps a Rust implementation, which in turn depends on system-level Kerberos development libraries (e.g., `libkrb5-dev` on Debian/Ubuntu, `krb5-devel` on RHEL/CentOS). Installation will fail or runtime errors will occur without these.
- breaking The `add_principal` and `modify_principal` methods had their time-related arguments changed in version 0.6.0. Previously, they accepted `valid_start` and `valid_end` (`datetime` objects). Now, they accept only `valid_until` (a single `datetime` object).
- gotcha Handling Kerberos credentials (keytabs or credential caches) requires careful security considerations. Ensure keytab files are properly secured with minimal permissions and that credential caches are protected.
- gotcha Kerberos principal names are strict (e.g., `user/service@REALM.COM`). Incorrect formatting can lead to connection failures or 'Principal does not exist' errors, even if it looks superficially similar to an existing one.
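A pre-flight check for the keytab warning above and the `os error 2` case under Common errors, as an added example that is not part of python-kadmin-rs; the helper name `audit_keytab` is an assumption made here. It opens the file without following symlinks, then checks owner, mode bits and the two-byte keytab version header (0x05 followed by 1 or 2) before the path is handed to `Client.with_keytab()`.

```python
import errno
import os
import stat

def audit_keytab(path):
    """Return a list of findings; an empty list means the keytab passed.

    audit_keytab is a hypothetical helper, not part of python-kadmin-rs.
    """
    flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK
    try:
        fd = os.open(path, flags)  # O_NOFOLLOW: refuse a symlink at the path
    except FileNotFoundError:
        return ["missing: no such file (surfaces as 'os error 2')"]
    except PermissionError:
        return ["unreadable: current user cannot open the keytab"]
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            return ["symlink: keytab path is a symbolic link"]
        raise
    findings = []
    try:
        st = os.fstat(fd)  # inspect the opened file, not the path
        if not stat.S_ISREG(st.st_mode):
            return ["not-regular: keytab must be a regular file"]
        if st.st_mode & 0o077:
            findings.append("mode: %04o grants group/other access" % stat.S_IMODE(st.st_mode))
        if st.st_uid not in (0, os.geteuid()):
            findings.append("owner: uid %d is neither root nor this user" % st.st_uid)
        header = os.read(fd, 2)
    finally:
        os.close(fd)
    # A keytab starts with byte 0x05 followed by the format version (1 or 2).
    if len(header) < 2 or header[0] != 0x05 or header[1] not in (1, 2):
        findings.append("format: missing keytab version header")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("directory: parent is world-writable without sticky bit")
    return findings

if __name__ == "__main__":
    path = os.environ.get("KADMIN_KEYTAB_PATH", "/etc/krb5.keytab")
    problems = audit_keytab(path)
    for p in problems:
        print("keytab check failed:", p)
    raise SystemExit(1 if problems else 0)
```

Run it as the same user that runs the admin script, since the owner and readability checks are relative to the effective uid.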
Install
pip install python-kadmin-rs
Imports
- Client
from kadmin_rs.client import Client
Quickstart
import os

from kadmin_rs.client import Client

# IMPORTANT: Replace with your actual Kerberos admin principal and keytab path.
# For testing, you can set these environment variables:
# export KADMIN_ADMIN_PRINCIPAL="admin/admin@EXAMPLE.COM"
# export KADMIN_KEYTAB_PATH="/etc/krb5.keytab"
# Ensure Kerberos is properly configured and the keytab is valid.
admin_principal = os.environ.get("KADMIN_ADMIN_PRINCIPAL", "admin/admin@EXAMPLE.COM")
keytab_path = os.environ.get("KADMIN_KEYTAB_PATH", "/etc/krb5.keytab")

try:
    client = Client.with_keytab(
        principal=admin_principal,
        keytab_path=keytab_path,
    )
    print(f"Kadmin client connected as {admin_principal}")

    # List all principals
    all_principals = client.list_principals()
    print(f"Found {len(all_principals)} principals.")
    if all_principals:
        print(f"First principal: {all_principals[0]}")
except Exception as e:
    print(f"Error initializing Kadmin client or listing principals: {e}")
    print("Please check your Kerberos configuration, admin principal, and keytab path.")
    print("Also ensure system Kerberos development libraries are installed (e.g., libkrb5-dev).")