sources/kerberos: update to new python-kadmin-rs (#19491)

Author: rissson

.github/actions/setup/action.yml

@@ -18,7 +18,7 @@ runs:
       run: |
         sudo apt-get remove --purge man-db
         sudo apt-get update
-        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
         sudo rm -rf /usr/local/lib/android
     - name: Install uv
       if: ${{ contains(inputs.dependencies, 'python') }}

authentik/sources/kerberos/migrations/0005_alter_kerberossource_kadmin_type.py

@@ -0,0 +1,32 @@
+# Generated by Django 5.2.7 on 2025-10-31 15:27
+
+from django.db import migrations, models
+
+
+def migrate_kadmin_type(apps, schema_editor):
+    KerberosSource = apps.get_model("authentik_sources_kerberos", "KerberosSource")
+    db_alias = schema_editor.connection.alias
+
+    for source in KerberosSource.objects.using(db_alias).all():
+        if source.kadmin_type not in ("MIT", "Heimdal"):
+            source.kadmin_type = "MIT"
+            source.save(using=db_alias)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("authentik_sources_kerberos", "0004_kerberossource_sync_outgoing_trigger_mode"),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_kadmin_type, reverse_code=migrations.RunPython.noop),
+        migrations.AlterField(
+            model_name="kerberossource",
+            name="kadmin_type",
+            field=models.TextField(
+                choices=[("MIT", "Mit"), ("Heimdal", "Heimdal")],
+                default="MIT",
+                help_text="KAdmin server type",
+            ),
+        ),
+    ]

authentik/sources/kerberos/models.py

@@ -1,21 +1,21 @@
 """authentik Kerberos Source Models"""
 
 import os
+from base64 import b64decode
 from pathlib import Path
 from tempfile import gettempdir
 from typing import Any
 
 import gssapi
 import pglock
 from django.db import connection, models
-from django.db.models.fields import b64decode
 from django.http import HttpRequest
 from django.shortcuts import reverse
 from django.templatetags.static import static
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
-from kadmin import KAdmin, KAdminApiVersion
-from kadmin.exceptions import PyKAdminException
+from kadmin import KAdm5Variant, KAdmin, KAdminApiVersion
+from kadmin import exceptions as kadmin_exceptions
 from rest_framework.serializers import Serializer
 from structlog.stdlib import get_logger
 
@@ -42,7 +42,6 @@
 class KAdminType(models.TextChoices):
     MIT = "MIT"
     HEIMDAL = "Heimdal"
-    OTHER = "other"
 
 
 class KerberosSource(IncomingSyncSource):
@@ -54,7 +53,7 @@ class KerberosSource(IncomingSyncSource):
         help_text=_("Custom krb5.conf to use. Uses the system one by default"),
     )
     kadmin_type = models.TextField(
-        choices=KAdminType.choices, default=KAdminType.OTHER, help_text=_("KAdmin server type")
+        choices=KAdminType.choices, default=KAdminType.MIT, help_text=_("KAdmin server type")
     )
 
     sync_users = models.BooleanField(
@@ -239,20 +238,22 @@ def krb5_conf_path(self) -> str | None:
         return str(conf_path)
 
     def _kadmin_init(self) -> KAdmin | None:
-        api_version = None
+        variant = KAdm5Variant.MitClient
+        api_version = KAdminApiVersion.Version2
         match self.kadmin_type:
             case KAdminType.MIT:
+                variant = KAdm5Variant.MitClient
                 api_version = KAdminApiVersion.Version4
             case KAdminType.HEIMDAL:
-                api_version = KAdminApiVersion.Version2
-            case KAdminType.OTHER:
+                variant = KAdm5Variant.HeimdalClient
                 api_version = KAdminApiVersion.Version2
         # kadmin doesn't use a ccache for its connection
         # as such, we don't need to create a separate ccache for each source
         if not self.sync_principal:
             return None
         if self.sync_password:
             return KAdmin.with_password(
+                variant,
                 self.sync_principal,
                 self.sync_password,
                 api_version=api_version,
@@ -265,12 +266,14 @@ def _kadmin_init(self) -> KAdmin | None:
                 keytab_path.write_bytes(b64decode(self.sync_keytab))
                 keytab = f"FILE:{keytab_path}"
             return KAdmin.with_keytab(
+                variant,
                 self.sync_principal,
                 keytab,
                 api_version=api_version,
             )
         if self.sync_ccache:
             return KAdmin.with_ccache(
+                variant,
                 self.sync_principal,
                 self.sync_ccache,
                 api_version=api_version,
@@ -285,9 +288,9 @@ def connection(self) -> KAdmin | None:
                 _kadmin_connections[str(self.pk)] = self._kadmin_init()
         return _kadmin_connections.get(str(self.pk), None)
 
-    def check_connection(self) -> dict[str, str]:
+    def check_connection(self) -> dict[str, str | bool]:
         """Check Kerberos Connection"""
-        status = {"status": "ok"}
+        status: dict[str, str | bool] = {"status": "ok"}
         if not self.sync_users:
             return status
         with Krb5ConfContext(self):
@@ -297,7 +300,7 @@ def check_connection(self) -> dict[str, str]:
                     status["status"] = "no connection"
                     return status
                 status["principal_exists"] = kadm.principal_exists(self.sync_principal)
-            except PyKAdminException as exc:
+            except kadmin_exceptions.PyKAdminException as exc:
                 status["status"] = str(exc)
         return status
 

authentik/sources/kerberos/signals.py

@@ -1,7 +1,7 @@
 """authentik kerberos source signals"""
 
 from django.dispatch import receiver
-from kadmin.exceptions import PyKAdminException
+from kadmin import exceptions as kadmin_exceptions
 from rest_framework.serializers import ValidationError
 from structlog.stdlib import get_logger
 
@@ -38,7 +38,7 @@ def kerberos_sync_password(sender, user: User, password: str, **_):
                     kadm,
                     password,
                 )
-            except PyKAdminException as exc:
+            except kadmin_exceptions.PyKAdminException as exc:
                 LOGGER.warning("failed to set Kerberos password", exc=exc, source=source)
                 Event.new(
                     EventAction.CONFIGURATION_ERROR,

lifecycle/container/Dockerfile

@@ -114,7 +114,7 @@ RUN --mount=type=cache,id=apt-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/v
     # postgresql
     libpq-dev \
     # python-kadmin-rs
-    clang libkrb5-dev sccache \
+    krb5-multidev libkrb5-dev heimdal-multidev libclang-dev \
     # xmlsec
     libltdl-dev && \
     curl https://sh.rustup.rs -sSf | sh -s -- -y
@@ -156,7 +156,11 @@ WORKDIR /
 RUN apt-get update && \
     apt-get upgrade -y && \
     # Required for runtime
-    apt-get install -y --no-install-recommends libpq5 libmaxminddb0 ca-certificates libkrb5-3 libkadm5clnt-mit12 libkdb5-10 libltdl7 libxslt1.1 && \
+    apt-get install -y --no-install-recommends \
+    libpq5 libmaxminddb0 ca-certificates \
+    krb5-multidev libkrb5-3 libkdb5-10 libkadm5clnt-mit12 \
+    heimdal-multidev libkadm5clnt7t64-heimdal \
+    libltdl7 libxslt1.1 && \
     # Required for bootstrap & healtcheck
     apt-get install -y --no-install-recommends runit && \
     pip3 install --no-cache-dir --upgrade pip && \

pyproject.toml

@@ -54,7 +54,7 @@ dependencies = [
   "pydantic==2.12.5",
   "pyjwt==2.10.1",
   "pyrad==2.4",
-  "python-kadmin-rs==0.6.3",
+  "python-kadmin-rs==0.7.0",
   "pyyaml==6.0.3",
   "requests-oauthlib==2.0.0",
   "scim2-filter-parser==0.7.0",

uv.lock

@@ -244,11 +244,6 @@ export class KerberosSourceForm extends BaseSourceForm<KerberosSource> {
                                     value: KadminTypeEnum.Heimdal,
                                     description: html`${msg("Heimdal kadmin")}`,
                                 },
-                                {
-                                    label: msg("Other"),
-                                    value: KadminTypeEnum.Other,
-                                    description: html`${msg("Other type of kadmin")}`,
-                                },
                             ]}
                             .value=${this.instance?.kadminType}
                         >