[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
Robbie Harwood
rharwood at redhat.com
Thu Aug 20 21:42:55 UTC 2015
Simo Sorce <simo at redhat.com> writes:
> On Thu, 2015-08-20 at 14:42 -0400, Robbie Harwood wrote:
>> Michael Šimáček <msimacek at redhat.com> writes:
>>
>>> On 2015-08-20 12:32, Michael Šimáček wrote:
>>>
>>>>>>> Michael Šimáček <msimacek at redhat.com> writes:
>>>>>>>
>>>>>>>> Attaching new revision of the patch. Changes from the previous:
>>>>>>>> - ldap2's connect now chooses the bind type same way as in ipaldap
>>>>>>>> - get_default_realm usages replaced by api.env.realm
>>>>>>>> - fixed missing third kinit attempt in trust-fetch-domains
>>>>>>>> - removed rewrapping gssapi errors to ccache errors in krb_utils
>>>>>>>> - updated some parts of exception handling
>>>>
>>>> Rebased on top of current master.
>>>
>>> One of the commits reintroduced krbV dependency that I didn't notice.
>>> Attaching updated revision. Only changes against previous revision are
>>> in files daemons/dnssec/ipa-dnskeysync-replica and
>>> daemons/dnssec/ipa-ods-exporter.
>>
>> This is much better, thanks! I've got some comments inline.
>>
>>> +# Ugly hack for test purposes only. GSSAPI has no way to get default ccache
>>> +# name, but we don't need it outside test server
>>> +def get_default_ccache_name():
>>> + try:
>>> + out = check_output(['klist'])
>>> + except CalledProcessError:
>>> + raise RuntimeError("Default ccache not found. Did you kinit?")
>>> + match = re.match(r'^Ticket cache:\s*(\S+)', out)
>>> + if not match:
>>> + raise RuntimeError("Cannot obtain ccache name")
>>> + return match.group(1)
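Review bot: the regex in get_default_ccache_name() is tied to the literal English label `Ticket cache:` at the very start of klist's human-readable output, so the helper depends on the locale and output layout of whatever klist the test host has. If that label is translated or preceded by another line, a perfectly valid cache ends up as "Cannot obtain ccache name". Pinning the locale for the subprocess (passing an environment with `LC_ALL=C` to `check_output`) would make the match deterministic. Separately, only `CalledProcessError` is caught: if the klist binary is missing, `check_output` raises `OSError`, which escapes without the "Did you kinit?" hint. A short docstring stating that the returned value is whatever klist prints after the label, type prefix included, would also help callers.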
>>
>> Yup, this is still ugly. Ah well, it's only test code.
>
> Well turns out there is a gssapi_krb5 extension to get a ccache name:
> gss_krb5_ccache_name()
>
> Robbie,
> do you think we should expose it in python-gssapi if available?
It doesn't seem dangerous, so I see no reason not to. It's on our giant
"eventually" list[0], so we'd definitely be open to it. I do not have
the cycles for this right now, though I've opened a bug for it[1].

[0]: https://github.com/pythongssapi/python-gssapi/issues/48
[1]: https://github.com/pythongssapi/python-gssapi/issues/75