[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Robbie Harwood rharwood at redhat.com
Thu Aug 20 21:42:55 UTC 2015


Simo Sorce <simo at redhat.com> writes:

> On Thu, 2015-08-20 at 14:42 -0400, Robbie Harwood wrote:
>> Michael Šimáček <msimacek at redhat.com> writes:
>> 
>>> On 2015-08-20 12:32, Michael Šimáček wrote:
>>>
>>>>>>> Michael Šimáček <msimacek at redhat.com> writes:
>>>>>>>
>>>>>>>> Attaching new revision of the patch. Changes from the previous:
>>>>>>>> - ldap2's connect now chooses the bind type same way as in ipaldap
>>>>>>>> - get_default_realm usages replaced by api.env.realm
>>>>>>>> - fixed missing third kinit attempt in trust-fetch-domains
>>>>>>>> - removed rewrapping gssapi errors to ccache errors in krb_utils
>>>>>>>> - updated some parts of exception handling
>>>>
>>>> Rebased on top of current master.
>>>
>>> One of the commits reintroduced krbV dependency that I didn't notice. 
>>> Attaching updated revision. Only changes against previous revision are 
>>> in files daemons/dnssec/ipa-dnskeysync-replica and 
>>> daemons/dnssec/ipa-ods-exporter.
>> 
>> This is much better, thanks!  I've got some comments inline.
>> 
>>> +# Ugly hack for test purposes only. GSSAPI has no way to get default ccache
>>> +# name, but we don't need it outside test server
>>> +def get_default_ccache_name():
>>> +    try:
>>> +        out = check_output(['klist'])
>>> +    except CalledProcessError:
>>> +        raise RuntimeError("Default ccache not found. Did you kinit?")
>>> +    match = re.match(r'^Ticket cache:\s*(\S+)', out)
>>> +    if not match:
>>> +        raise RuntimeError("Cannot obtain ccache name")
>>> +    return match.group(1)
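Review bot: in get_default_ccache_name(), the "except CalledProcessError" around check_output(['klist']) does not cover a missing klist binary. That case raises OSError, which escapes as a raw traceback instead of the intended RuntimeError, so catch OSError as well. The "Ticket cache:" regex also assumes klist prints that label in English; running klist with LC_ALL=C in its environment would make the match independent of the caller's locale. klist's stderr is not captured either, so its own error message will appear in the test output alongside the RuntimeError when no ccache exists.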
>> 
>> Yup, this is still ugly.  Ah well, it's only test code.
>
> Well turns out there is a gssapi_krb5 extension to get a ccache name:
> 	gss_krb5_ccache_name()
>
> Robbie,
> do you think we should expose it in python-gssapi if available ?

It doesn't seem dangerous, so I see no reason not to.  It's on our giant
"eventually" list[0], so we'd definitely be open to it.  I do not have
the cycles for this right now, though I've opened a bug for it[1].

[0]: https://github.com/pythongssapi/python-gssapi/issues/48
[1]: https://github.com/pythongssapi/python-gssapi/issues/75