[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Simo Sorce simo at redhat.com
Thu Aug 20 20:41:30 UTC 2015


On Thu, 2015-08-20 at 14:42 -0400, Robbie Harwood wrote:
> Michael Šimáček <msimacek at redhat.com> writes:
> 
> > On 2015-08-20 12:32, Michael Šimáček wrote:
> >
> >>>>> Michael Šimáček <msimacek at redhat.com> writes:
> >>>>>
> >>>>>> Attaching new revision of the patch. Changes from the previous:
> >>>>>> - ldap2's connect now chooses the bind type same way as in ipaldap
> >>>>>> - get_default_realm usages replaced by api.env.realm
> >>>>>> - fixed missing third kinit attempt in trust-fetch-domains
> >>>>>> - removed rewrapping gssapi errors to ccache errors in krb_utils
> >>>>>> - updated some parts of exception handling
> >>
> >> Rebased on top of current master.
> >
> > One of the commits reintroduced krbV dependency that I didn't notice. 
> > Attaching updated revision. Only changes against previous revision are 
> > in files daemons/dnssec/ipa-dnskeysync-replica and 
> > daemons/dnssec/ipa-ods-exporter.
> 
> This is much better, thanks!  I've got some comments inline.
> 
> > +except gssapi.exceptions.GSSError:
> >      # If there was failure on using keytab, assume it is stale and retrieve again
> >      retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
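Review bot: the bare `except gssapi.exceptions.GSSError:` treats every GSSAPI failure as a stale keytab and immediately re-runs `retrieve_keytab`, so an unrelated failure (for instance the KDC being unreachable) is retried instead of surfaced; at minimum bind the exception and log it before the retry so the original cause is visible when the second attempt also fails.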
> 
> This code still bothers me a bit, but I think fixing it is probably
> beyond the scope of a python-gssapi port.
> 
> > +    try:
> > +        creds = get_credentials(name=name, ccache_name=ccache_name)
> > +        # property access would raise exception if expired
> > +        if creds.lifetime > 0:
> > +            return creds
> > +    except gssapi.exceptions.ExpiredCredentialsError:
> > +        return None
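Review bot: when `creds.lifetime` is exactly 0 the `if` is skipped and the function falls off the end, so it returns None implicitly, the same outcome as the `except` branch but invisible to a reader; add an explicit `return None` after the `if` (or raise `gssapi.exceptions.ExpiredCredentialsError` yourself, since a zero lifetime means the credentials are expired) so the intent is documented. Only `ExpiredCredentialsError` is caught here, so any other `GSSError` raised by `get_credentials` propagates to the caller; a short comment saying that is deliberate would help.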
> 
> Per rfc2744, lifetime is unsigned.  It's not immediately clear what will
> happen when `creds.lifetime == 0`; perhaps an explicit `return None` in
> that case?

Lifetime == 0 means the credentials are expired; it should never be
returned, but if it were we'd have to raise
gssapi.exceptions.ExpiredCredentialsError ourselves.

> >          # Setup LDAP connection
> >          try:
> > -            ctx = krbV.default_context()
> > -            ccache = ctx.default_ccache()
> > -            api.Backend.ldap2.connect(ccache)
> > +            api.Backend.ldap2.connect()
> >              cls.ldap = api.Backend.ldap2
> > -        except krbV.Krb5Error as e:
> > +        except gssapi.exceptions.GSSError:
> >              sys.exit("Must have Kerberos credentials to migrate Winsync users.")
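Review bot: dropping the `as e` binding in `except gssapi.exceptions.GSSError:` discards the reason before `sys.exit`, so the operator only sees "Must have Kerberos credentials" even when the actual failure is something else reported by GSSAPI; keep the binding and include the error in the message, e.g. `except gssapi.exceptions.GSSError as e:` followed by `sys.exit("Must have Kerberos credentials to migrate Winsync users: %s" % e)`.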
> 
> Can you log the error here?  The other places GSSError is being caught
> are doing a great job of either filtering-and-raising or
> logging-and-exiting, so thanks for fixing those.
> 
> > +# Ugly hack for test purposes only. GSSAPI has no way to get default ccache
> > +# name, but we don't need it outside test server
> > +def get_default_ccache_name():
> > +    try:
> > +        out = check_output(['klist'])
> > +    except CalledProcessError:
> > +        raise RuntimeError("Default ccache not found. Did you kinit?")
> > +    match = re.match(r'^Ticket cache:\s*(\S+)', out)
> > +    if not match:
> > +        raise RuntimeError("Cannot obtain ccache name")
> > +    return match.group(1)
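Review bot: `check_output` returns bytes under Python 3, so `re.match(r'^Ticket cache:\s*(\S+)', out)` raises TypeError there; decode the output (or pass `universal_newlines=True`) before matching. Also, if `klist` is not installed `check_output` raises OSError rather than `CalledProcessError`, so the "Did you kinit?" message is never reached in that case, and the `^` anchor is redundant with `re.match`. Since this parses a human-readable output format, it is good that it stays confined to test code.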
> 
> Yup, this is still ugly.  Ah well, it's only test code.

Well turns out there is a gssapi_krb5 extension to get a ccache name:
	gss_krb5_ccache_name()

Robbie,
do you think we should expose it in python-gssapi if available?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
