[Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

Martin Kosek mkosek at redhat.com
Fri Mar 29 15:42:11 UTC 2013


On 03/29/2013 01:48 PM, Jan Cholasta wrote:
> On 29.3.2013 12:46, Martin Kosek wrote:
>> 1) This causes an error in the test suite:
>>
>> ======================================================================
>> FAIL: test_service[23]: service_mod: Enable
>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' OK_AS_DELEGATE
>> Kerberos ticket flag
>> ----------------------------------------------------------------------
>> Traceback (most recent call last):
>>    File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
>>      self.test(*self.arg)
>>    File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 267, in
>> <lambda>
>>      func = lambda: self.check(nice, **test)
>>    File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 285, in
>> check
>>      self.check_output(nice, cmd, args, options, expected, extra_check)
>>    File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 323, in
>> check_output
>>      assert_deepequal(expected, got, nice)
>>    File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
>>      assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>>    File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
>>      assert_deepequal(e_sub, g_sub, doc, stack + (key,))
>>    File "/root/freeipa-master/tests/util.py", line 323, in assert_deepequal
>>      assert_deepequal(e_sub, g_sub, doc, stack + (i,))
>>    File "/root/freeipa-master/tests/util.py", line 343, in assert_deepequal
>>      VALUE % (doc, expected, got, stack)
>> AssertionError: assert_deepequal: expected != got.
>>    test_service[23]: service_mod: Enable
>> u'HTTP/testhost1.idm.lab.bos.redhat.com at IDM.LAB.BOS.REDHAT.COM' OK_AS_DELEGATE
>> Kerberos ticket flag
>>    expected = u'1048576'
>>    got = u'1048704'
>>    path = ('result', 'krbticketflags', 0)
>>
> 
> Fixed.
> 
>> ----------------------------------------------------------------------
>>
>> 2) Since we add REQUIRES_PRE_AUTH flag by default, shouldn't we then also add
>> --requires-pre-auth flag as I wrote above so that admin can get rid of this
>> flag if he chooses to?
> 
> Added.
> 
> Updated patch attached.
> 
> Honza
> 

I discussed this approach also with Simo and the current state should be OK since
we manipulate krbticketflags only for hosts and services. When we add these
options also for users, we need to add a big fat warning that the pre_auth flag is
required for users in order to work correctly.

ACK. Pushed to master.

Martin
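
Added example, not part of the original message or of the FreeIPA code: decoding the two `krbticketflags` values from the quoted test failure, using the `KRB5_KDB_*` bit values from MIT krb5's `kdb.h`, shows that they differ only in the REQUIRES_PRE_AUTH bit. The function names are hypothetical and the table lists only a subset of the defined flags.

```python
# Subset of the KRB5_KDB_* attribute bits from MIT krb5's kdb.h, in ascending order.
KRB_TICKET_FLAGS = {
    "DISALLOW_FORWARDABLE": 0x00000002,
    "DISALLOW_RENEWABLE": 0x00000008,
    "DISALLOW_PROXIABLE": 0x00000010,
    "DISALLOW_ALL_TIX": 0x00000040,
    "REQUIRES_PRE_AUTH": 0x00000080,
    "REQUIRES_HW_AUTH": 0x00000100,
    "OK_AS_DELEGATE": 0x00100000,
    "OK_TO_AUTH_AS_DELEGATE": 0x00200000,
}


def decode_flags(value):
    """Return (names of the flags set, bits not covered by the table above)."""
    value = int(value)  # LDAP returns the attribute as a decimal string
    names = [name for name, bit in KRB_TICKET_FLAGS.items() if value & bit]
    known = sum(KRB_TICKET_FLAGS[name] for name in names)
    return names, value & ~known


def diff_flags(expected, got):
    """Return (flags set only in got, flags set only in expected)."""
    expected, got = int(expected), int(got)
    extra, _ = decode_flags(got & ~expected)
    missing, _ = decode_flags(expected & ~got)
    return extra, missing


def set_flag(value, name, enabled):
    """Set or clear one named flag and leave every other bit untouched."""
    bit = KRB_TICKET_FLAGS[name]
    value = int(value)
    return value | bit if enabled else value & ~bit


if __name__ == "__main__":
    # Values taken from the test failure quoted in the message.
    for label, raw in (("expected", u"1048576"), ("got", u"1048704")):
        names, unknown = decode_flags(raw)
        print("%-8s %s -> %s (unlisted bits: %#x)" % (label, raw, names, unknown))
    print("extra/missing:", diff_flags(u"1048576", u"1048704"))
    # Clearing the pre-auth bit from the stored value gives the expected one.
    print(set_flag(u"1048704", "REQUIRES_PRE_AUTH", False))
```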



