[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Jan Cholasta jcholast at redhat.com
Tue Aug 25 10:13:14 UTC 2015


On 24.8.2015 20:29, Robbie Harwood wrote:
> Michael Šimáček <msimacek at redhat.com> writes:
>
>> On 2015-08-24 17:49, Simo Sorce wrote:
>>
>>> On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:
>>>
>>>> On 2015-08-24 14:50, Jan Cholasta wrote:
>>>>
>>>>> On 23.8.2015 23:27, Michael Šimáček wrote:
>>>>>
>>>>> 3) ipa-adtrust-install fails with:
>>>>>
>>>>> admin password:
>>>>>
>>>>> Unrecognized error during check of admin rights:
>>>>> admin at abc.idm.lab.eng.brq.redhat.com: user not found
>>>>>
>>>>> Apparently there is a "user-show admin at abc.idm.lab.eng.brq.redhat.com"
>>>>> call where a "user-show admin" call should be.
>>>>
>>>> Fixed. python-gssapi has a display_as method that could pull the name
>>>> from it, but it doesn't work in current version, therefore using
>>>> partition to split on '@'
>
> It's actually a bug in MIT Krb5, as we noted in your bug[0].  So this:
>
>> -        user = api.Command.user_show(unicode(principal[0]))['result']
>> +        user = api.Command.user_show(principal.partition('@')[0])['result']
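
Review bot: The added line drops the `unicode(...)` conversion that the removed line applied before calling `api.Command.user_show`, so the argument's type now depends on what `principal` is; keep the conversion if the command expects unicode. `principal.partition('@')[0]` also splits at the first '@', which truncates any name that itself contains '@' and silently passes the whole string through when there is no realm at all. Since the split is a stopgap for `display_as` not working, a comment on this line pointing at the upstream issue would make it clear when it can be removed.
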
>
> is working around a bug in specific Kerberos versions.  If people are
> okay with merging such code, then I guess this is fine; I would
> personally not do so because there is not a clear point at which it can
> be removed.  At the very least, we should wait until we see what
> versions of krb5 MIT is going to fix.

The principal comes from krb_utils.get_principal(). Are you saying that 
after MIT Krb5 is fixed, this function will not return a principal 
anymore? If so, it needs to be fixed to use some different interface to 
return a principal even after MIT Krb5 is fixed; we don't want a 
function called get_principal to *not* return a principal.

>
> Otherwise, looks good.
>
> [0]: https://github.com/pythongssapi/python-gssapi/issues/79
>

-- 
Jan Cholasta



