
jupyterhub / jupyterhub-example-kerberos Goto Github PK


Example for experimenting with how JupyterHub can be configured to work with Kerberos

License: Other

Python 82.01% Shell 17.99%
jupyterhub kerberos jupyter

jupyterhub-example-kerberos's Introduction

jupyterhub-example-kerberos

A proving ground for configuring JupyterHub to work with Kerberos.

This project exists to help you (and us) learn how JupyterHub and Kerberos can interoperate. It will never provide an out-of-the-box, production-ready experience.

At the moment, it is very much a work in progress. If you have experience configuring JupyterHub with Kerberos, please jump in and help us out!

Goals

  • Two local users (principals), alice and bob, can successfully log into JupyterHub when it is configured with PAM backed by Kerberos.
  • The two users automatically receive a Kerberos ticket granting ticket (TGT) upon Hub login.
  • The TGT resides in an on-disk credential cache (ccache) which is read-write accessible by the owner alone.
  • The users can refresh the TGT with the kinit command from within any terminal or Python notebook.
  • The users can create keytab files with the ktutil command from within any terminal or Python notebook.
  • All other JupyterHub functions behave as expected: starting notebook servers, stopping notebook servers, logging out, admin functions, etc.
  • The above works with the following spawners:
    • default spawner
    • sudospawner
    • your contribution welcome!
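The third goal above, an on-disk ccache that only its owner can read or write, is easy to check from inside a notebook terminal. The following Python script is an added example, not part of this project: it resolves the cache the way libkrb5 does (KRB5CCNAME first, then the /tmp/krb5cc_<uid> default) and reports ownership or permission problems. The make_sample_ccache helper only builds an empty stand-in file for demonstration; it is not a real Kerberos cache.

```python
import os
import stat
import tempfile

# MIT Kerberos default ccache name when KRB5CCNAME is unset.
DEFAULT_CCACHE = "/tmp/krb5cc_{uid}"


def ccache_path(environ, uid):
    """Resolve the file the Kerberos libraries will open as the credential cache.

    Lookup order mirrors libkrb5: KRB5CCNAME wins (a FILE: prefix is stripped;
    other cache types such as DIR: or KEYRING: are returned unchanged), and
    only when it is unset does the /tmp/krb5cc_<uid> default apply.
    """
    name = environ.get("KRB5CCNAME")
    if name:
        return name[len("FILE:"):] if name.startswith("FILE:") else name
    return DEFAULT_CCACHE.format(uid=uid)


def check_ccache(path, uid=None):
    """Return the list of reasons why *path* fails the owner-only ccache goal.

    An empty list means: the file exists, is a regular file, is owned by *uid*
    (the calling user by default) and grants no group/other permission bits.
    """
    if uid is None:
        uid = os.getuid()
    try:
        st = os.lstat(path)   # lstat: a symlink planted in /tmp must not pass
    except FileNotFoundError:
        return ["%s does not exist; check KRB5CCNAME in the notebook's environment" % path]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if st.st_uid != uid:
        problems.append("%s is owned by uid %d, expected %d" % (path, st.st_uid, uid))
    if st.st_mode & 0o077:
        problems.append("%s has mode %04o; group/other bits must be clear (0600)"
                        % (path, stat.S_IMODE(st.st_mode)))
    return problems


def make_sample_ccache(mode):
    """Create an empty stand-in ccache file with the given mode (a constructed
    fixture for demonstration, not a real Kerberos cache) and return its path."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_sample_")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Run inside a single-user notebook terminal this reports on the real ccache.
    path = ccache_path(os.environ, os.getuid())
    for line in check_ccache(path) or ["%s: OK" % path]:
        print(line)
```

Run it from a JupyterHub terminal after login: an empty result means the TGT cache matches the goal; a "does not exist" result with KRB5CCNAME unset is the symptom reported in the first issue below.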

Running

Start a KDC container and two JupyterHub containers, one using the default local spawner and the other the sudo spawner, by running docker-compose up.

Visit http://localhost:8000 to access the JupyterHub instance running as root and configured with the local spawner. Visit http://localhost:8001 to access the instance running as jupyter and configured with the sudo spawner. Log in to either instance with username alice or bob with a password matching the username.

Click New → Terminal to start a terminal session. View the ticket granting ticket received during login by running klist. Renew the TGT by running kinit -R.

Generate a keytab by running the following commands, substituting bob for alice if you logged into JupyterHub with that user instead.

ktutil
addent -password -p [email protected] -k 1 -e rc4-hmac
wkt /home/alice/.keytab

Show the contents of the keytab by running klist -k ~/.keytab.
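The keytab that ktutil writes is a small binary format, and it is worth knowing what klist -k is reading, in particular which encryption type each entry carries, because the rc4-hmac type used in the commands above is deprecated (RFC 8429). The following Python script is an added example, not project code: it writes and parses MIT keytab version 0x0502 files and flags entries with deprecated enctypes. The realm EXAMPLE.COM and the key bytes are constructed placeholders, not the project's realm and not keys derived from the users' passwords.

```python
import struct
import time

KEYTAB_VERSION = b"\x05\x02"          # the keytab file version MIT krb5 writes
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# DES (RFC 6649) and RC4-HMAC (RFC 8429) are deprecated; "-e rc4-hmac" above lands here.
DEPRECATED_ENCTYPES = {1, 3, 23}


def _counted(b):
    """Serialise a keytab counted-octet-string: uint16 length + bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Build keytab bytes from dicts with keys principal, kvno, enctype, key (bytes)."""
    out = bytearray(KEYTAB_VERSION)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, then timestamp and the 8-bit kvno
        body += struct.pack(">IIB", 1, e.get("timestamp", int(time.time())), e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _counted(e["key"])
        body += struct.pack(">I", e["kvno"])   # optional 32-bit kvno, always written here
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse keytab bytes into a list of entry dicts (what klist -k prints, plus the key)."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size = hole left by ktutil 'delent'
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            components.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:           # the 32-bit kvno is present only if room remains
            (kvno,) = struct.unpack_from(">I", data, pos)
        entries.append({
            "principal": "/".join(components) + "@" + realm.decode(),
            "name_type": name_type, "kvno": kvno, "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "timestamp": timestamp, "key": key,
        })
        pos = end
    return entries


def weak_entries(entries):
    """Principals whose keytab entry uses a deprecated enctype."""
    return [e["principal"] for e in entries if e["enctype"] in DEPRECATED_ENCTYPES]


# Constructed sample: placeholder realm and key bytes, not real credentials.
SAMPLE_KEYTAB = build_keytab([
    {"principal": "alice@EXAMPLE.COM", "kvno": 1, "enctype": 23,
     "key": bytes(range(16)), "timestamp": 1527719424},
    {"principal": "bob@EXAMPLE.COM", "kvno": 1, "enctype": 18,
     "key": bytes(range(32)), "timestamp": 1527719424},
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%d %s (%s)" % (e["kvno"], e["principal"], e["enctype_name"]))
    print("deprecated enctypes:", weak_entries(parse_keytab(SAMPLE_KEYTAB)))
```

Pointing parse_keytab at the bytes of ~/.keytab produced by the ktutil session above gives the same principal, kvno and enctype columns as klist -k, and weak_entries shows which entries would need regenerating with an AES enctype.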

jupyterhub-example-kerberos's People

Contributors

harschware, parente, willingc


jupyterhub-example-kerberos's Issues

Kerberos ticket not found - KRB5CCNAME not set

Hi all,

I recently setup a JupyterHub (using default authenticator & spawner).
The machine on which JupyterHub is running is setup to check credentials against an AD server and get a ticket from a Kerberos server on login.
When I log in via ssh a Kerberos ticket of the form /tmp/krb5cc_{uid}{random} is created (or refreshed) and the environment variable KRB5CCNAME is set.
klist shows this credential cache - all works.
When I log in to JupyterHub a ticket is also created (or refreshed) but no environment variable KRB5CCNAME is set - so it seems the authentication worked fine, the ticket is there, but it cannot be found. Apparently, because KRB5CCNAME is not set, a default /tmp/krb5cc_{uid} (without the extra random extension) is expected.
If I manually set KRB5CCNAME (via a Python notebook, e.g.) to point to the correct ticket everything works as expected.

Any ideas, insights or pointers in the right direction in how to get this fixed (or at least understand what is happening)?

hub docker image installs unversioned dependencies

suggestion: with the 5.1.0 release of notebook recently, and hub 0.8.0 coming out. I think you want to pin the versions of those and other dependencies in your docker files to ensure they are tested versions.

Detailed steps ?

Are there detailed step-by-step instructions that one can follow to install and run this?

Spawning new user is too slow, times out

Kerberos (kinit) is very slow ~180 seconds to spawn another container.
Messages (note timestamps):

kdc_1      | May 30 22:30:04 f34c218f21d9 krb5kdc[12](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.19.0.4: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
kdc_1      | May 30 22:30:24 f34c218f21d9 krb5kdc[12](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.19.0.4: ISSUE: authtime 1527719424, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]
kdc_1      | May 30 22:32:31 f34c218f21d9 krb5kdc[12](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.19.0.4: NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional pre-authentication required
kdc_1      | May 30 22:32:52 f34c218f21d9 krb5kdc[12](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 172.19.0.4: ISSUE: authtime 1527719572, etypes {rep=18 tkt=18 ses=18}, [email protected] for krbtgt/[email protected]

sudospawner tries to open nfs mounted home folder without kerberos ticket -> fails

I'm successfully using the jupyterhub-example with the extra classes KerberosPAMAuthenticator and KerberosSudoSpawner on a kerberized system with NFS automounted user folders. It works great!

However, initially trying to start a notebook in a web browser failed with a "pid" error. The reason is the following:
The sudospawner tries to start the file /usr/local/bin/sudospawner-singleuser in a new subprocess owned by the user, who tries to start a notebook server (see file /usr/local/lib/python3.5/dist-packages/sudospawner/mediator.py line 104):

import os
import sys
from subprocess import Popen

# Excerpt from sudospawner/mediator.py: cmd and env are built earlier in that file.
# The single-user launcher is started with the user's home directory as cwd.
p = Popen(cmd, env=env,
          cwd=os.path.expanduser('~'),
          stdout=sys.stderr.fileno(),
)

The parameter cwd=os.path.expanduser('~') tells the process to start in the user's home folder. This fails on a system where the NFS home directories are mounted via a kerberized NFS. The unprivileged jupyterhub user, owning the sudospawner process, does not have the appropriate Kerberos ticket to mount/access the NFS share, and unfortunately the credential cache for the user is not created until later in the file /usr/local/bin/sudospawner-singleuser.

(Dirty) workaround that works for me:
Change the parameter cwd in the Popen call to point to the system's temp folder, and change into the user's home folder in the file /usr/local/bin/sudospawner-singleuser via a simple cd, after the credential cache has been created.

System infos:
Debian Stretch
kerberized NFSv4 with automounted user folders
Python 3.5
jupyterhub (0.7.2)
notebook (5.0.0)
sudospawner (0.3.0)

ImportError: No module named 'jinja2'

Starting jupyterhubexamplekerberosmaster_kdc_1 ... done
Starting jupyterhubexamplekerberosmaster_hubsudo_1 ...
Starting jupyterhubexamplekerberosmaster_hub_1 ... done
Attaching to jupyterhubexamplekerberosmaster_kdc_1, jupyterhubexamplekerberosmaster_hubsudo_1, jupyterhubexamplekerberosmaster_hub_1
kdc_1 | * Starting Kerberos KDC krb5kdc
kdc_1 | ...done.
kdc_1 | * Starting Kerberos administrative servers kadmind
kdc_1 | ...done.
kdc_1 | Sep 25 19:53:20 f2360325fc6e krb5kdc12: commencing operation
kdc_1 | Sep 25 19:54:49 f2360325fc6e krb5kdc11: setting up network...
kdc_1 | Sep 25 19:54:49 f2360325fc6e krb5kdc11: listening on fd 9: udp 0.0.0.0.88 (pktinfo)
kdc_1 | Sep 25 19:54:49 f2360325fc6e krb5kdc11: listening on fd 10: udp 0.0.0.0.750 (pktinfo)
kdc_1 | krb5kdc: setsockopt(11,IPV6_V6ONLY,1) worked
kdc_1 | krb5kdc: Invalid argument - Cannot request packet info for udp socket address :: port 88
kdc_1 | Sep 25 19:54:49 f2360325fc6e krb5kdc11: skipping unrecognized local address family 17
kdc_1 | Sep 25 19:54:49 f2360325fc6e krb5kdc11: skipping unrecognized local address family 17
kdc_1 | Sep 25 19:54:49 f2360325fc6e krb5kdc11: set up 2 sockets
kdc_1 | Sep 25 19:54:49 f2360325fc6e krb5kdc12: commencing operation
hubsudo_1 | Traceback (most recent call last):
hubsudo_1 | File "/opt/conda/bin/jupyterhub", line 3, in
hubsudo_1 | from jupyterhub.app import main
hubsudo_1 | File "/opt/conda/lib/python3.5/site-packages/jupyterhub/app.py", line 24, in
hubsudo_1 | from jinja2 import Environment, FileSystemLoader
hubsudo_1 | ImportError: No module named 'jinja2'
hub_1 | Traceback (most recent call last):
hub_1 | File "/opt/conda/bin/jupyterhub", line 3, in
hub_1 | from jupyterhub.app import main
hub_1 | File "/opt/conda/lib/python3.5/site-packages/jupyterhub/app.py", line 24, in
hub_1 | from jinja2 import Environment, FileSystemLoader
hub_1 | ImportError: No module named 'jinja2'
jupyterhubexamplekerberosmaster_hubsudo_1 exited with code 1
jupyterhubexamplekerberosmaster_hub_1 exited with code 1

Can't authenticate into the SudoSpawner hub

When I attempt to use sudospawner at http://localhost:8001, I get to the spawner options page and enter the password for the alice user 'alice'. I get the error below. Should I be entering "alice" in this form? sorry new to kerberos and fumbling through...

hubsudo_1  | [E 2017-09-26 16:56:45.273 JupyterHub gen:914] Exception in Future <tornado.concurrent.Future object at 0x7f2a602d52e8> after timeout
hubsudo_1  |     Traceback (most recent call last):
hubsudo_1  |       File "/opt/conda/lib/python3.5/site-packages/tornado/gen.py", line 910, in error_callback
hubsudo_1  |         future.result()
hubsudo_1  |       File "/opt/conda/lib/python3.5/site-packages/jupyterhub/user.py", line 294, in spawn
hubsudo_1  |         raise e
hubsudo_1  |       File "/opt/conda/lib/python3.5/site-packages/jupyterhub/user.py", line 270, in spawn
hubsudo_1  |         yield self.server.wait_up(http=True, timeout=spawner.http_timeout)
hubsudo_1  |       File "/opt/conda/lib/python3.5/site-packages/jupyterhub/orm.py", line 108, in wait_up
hubsudo_1  |         yield wait_for_http_server(self.url, timeout=timeout)
hubsudo_1  |       File "/opt/conda/lib/python3.5/site-packages/jupyterhub/utils.py", line 94, in wait_for_http_server
hubsudo_1  |         **locals()
hubsudo_1  |     TimeoutError: Server at http://127.0.0.1:33603/user/alice didn't respond in 30 seconds
hubsudo_1  |     
