I am working on a Python script to authenticate and transfer files to the shared drive using Kerberos via SMB. I have a Key Distribution Center (KDC) and a Kerberos realm set up, and I need to connect to an SMB server for file transfer. Previously NTLM auth was being used, but due to security reasons it was disabled by the cyber team.
We have successfully done Kerberos authentication for transferring files to the shared drive via SMB in Java. But when it comes to Python, libraries such as gssapi and requests_kerberos need a Kerberos client application to be installed on the system and the path variable to be set. This cannot be done, since this Python code will be run in AWS Lambda. Is there any other alternative way to do this?
Pure-Python Kerberos implementations do exist, but it is very uncommon to use them; the most relevant SMB client library that you might be using, smbprotocol, still relies on the python-gssapi and python-krb5 modules which expect system-wide GSSAPI and Kerberos libraries to be present, and I'm not aware of any drop-in replacement that would be suitable. (Partly this is because the easiest way to interoperate with system Kerberos is to just use system Kerberos – e.g. Java often has the issue of not being able to read tickets that system Kerberos libraries have stored, and e.g. the commonly used "native Go" Kerberos implementation doesn't even try to interoperate much at all, which largely defeats one of the main advantages of Kerberos.)
As far as I know, however, you can deploy system libraries as part of AWS Lambda functions (that is to say: I just skimmed the Lambda FAQ and it specifically says "You can launch processes using any language supported by Amazon Linux" and even "You can include your own copy of a library in order to use a different version than the default one provided by AWS Lambda"), so it should be possible to just bundle MIT Krb5 or whatever you need.
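An added example, not part of the original answer and not code from smbprotocol or AWS: one way to point a bundled MIT Krb5 at the realm from inside Lambda, where only `/tmp` is writable, and then open an SMB session restricted to Kerberos. The realm, KDC names, file names and principal are placeholders; it assumes the caller fetches the keytab bytes from a secret store and that the bundled Kerberos libraries are already on the loader path.

```python
import os
import re

# Letters, digits, dots and hyphens only, so nothing can break out of the config syntax.
_NAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")

def render_krb5_conf(realm, kdcs):
    """Return minimal krb5.conf text with the KDCs pinned (no DNS discovery)."""
    for value in [realm, *kdcs]:
        if not _NAME.fullmatch(value):
            raise ValueError(f"invalid realm or KDC name: {value!r}")
    kdc_lines = "".join(f"        kdc = {k}\n" for k in kdcs)
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm.upper()}\n"
        "    dns_lookup_kdc = false\n"
        "    dns_lookup_realm = false\n"
        "[realms]\n"
        f"    {realm.upper()} = {{\n{kdc_lines}    }}\n"
    )

def prepare_kerberos_env(realm, kdcs, keytab, workdir="/tmp"):
    """Write krb5.conf and the keytab under workdir; return the variables MIT krb5 reads."""
    conf_path = os.path.join(workdir, "krb5.conf")
    keytab_path = os.path.join(workdir, "client.keytab")
    with open(conf_path, "w") as fh:
        fh.write(render_krb5_conf(realm, kdcs))
    # The keytab is a long-term secret: create it readable by the owner only.
    fd = os.open(keytab_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(keytab)
    env = {
        "KRB5_CONFIG": conf_path,
        "KRB5CCNAME": "FILE:" + os.path.join(workdir, "krb5cc_lambda"),
        "KRB5_CLIENT_KTNAME": keytab_path,  # lets GSSAPI obtain the TGT itself
    }
    os.environ.update(env)
    return env

def upload(server, share_path, data, principal):
    """Write data to a file on the share, refusing any fallback to NTLM."""
    import smbclient  # from smbprotocol; imported late so the environment is set first
    smbclient.register_session(server, username=principal, auth_protocol="kerberos")
    with smbclient.open_file("\\\\" + server + "\\" + share_path, mode="wb") as fh:
        fh.write(data)
```

Call `prepare_kerberos_env` once per cold start, before the first `upload`, so that the GSSAPI library reads the variables when it is first loaded.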