[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Jan Cholasta jcholast at redhat.com
Tue Aug 25 11:10:30 UTC 2015


On 25.8.2015 12:21, Michael Šimáček wrote:
>
>
> On 2015-08-25 12:13, Jan Cholasta wrote:
>> On 24.8.2015 20:29, Robbie Harwood wrote:
>>> Michael Šimáček <msimacek at redhat.com> writes:
>>>
>>>> On 2015-08-24 17:49, Simo Sorce wrote:
>>>>
>>>>> On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:
>>>>>
>>>>>> On 2015-08-24 14:50, Jan Cholasta wrote:
>>>>>>
>>>>>>> On 23.8.2015 23:27, Michael Šimáček wrote:
>>>>>>>
>>>>>>> 3) ipa-adtrust-install fails with:
>>>>>>>
>>>>>>> admin password:
>>>>>>>
>>>>>>> Unrecognized error during check of admin rights:
>>>>>>> admin at abc.idm.lab.eng.brq.redhat.com: user not found
>>>>>>>
>>>>>>> Apparently there is a "user-show
>>>>>>> admin at abc.idm.lab.eng.brq.redhat.com"
>>>>>>> call where a "user-show admin" call should be.
>>>>>>
>>>>>> Fixed. python-gssapi has a display_as method that could pull the name
>>>>>> from it, but it doesn't work in current version, therefore using
>>>>>> partition to split on '@'
>>>
>>> It's actually a bug in MIT Krb5, as we noted in your bug[0].  So this:
>>>
>>>> -        user = api.Command.user_show(unicode(principal[0]))['result']
>>>> +        user =
>>>> api.Command.user_show(principal.partition('@')[0])['result']
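Review bot: the replacement line drops the unicode() wrapper the removed line applied, so the type passed to user_show now depends on what get_principal() returns; if user_show expects a unicode value, keep the conversion, e.g. `user = api.Command.user_show(unicode(principal.partition('@')[0]))['result']`. Separately, partition('@')[0] yields the user name only when the first principal component contains no '@' itself (MIT krb5 escapes such characters with a backslash when it unparses a name), which is why a Name-based interface such as display_as would be preferable once it works.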
>>>
>>> is working around a bug in specific Kerberos versions.  If people are
>>> okay with merging such code, then I guess this is fine; I would
>>> personally not do so because there is not a clear point at which it can
>>> be removed.  At the very least, we should wait until we see what
>>> versions of krb5 MIT is going to fix.
>>
>> The principal comes from krb_utils.get_principal(). Are you saying that
>> after MIT Krb5 is fixed, this function will not return a principal
>> anymore? If so, it needs to be fixed to use some different interface to
>> return a principal even after MIT Krb5 is fixed, we don't want a
>> function called get_principal to *not* return a principal.
>>
>
> No, get_principal won't change. Robbie doesn't like the
> principal.partition('@'), which could maybe be replaced by call to
> display_as (on a gssapi.Name object that would be obtained in some other
> way). But display_as doesn't work. I'm saying maybe replaced, because
> I'm getting "operation not supported" from kerberos when trying to
> exercise the not-buggy code path of display_as.

We use "principal.split('@')" in different parts of IPA, so IMO it's OK.

-- 
Jan Cholasta
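As an added illustration (not code from this thread or from FreeIPA), the following compares the naive `partition('@')` approach discussed above with a small parser that honours the backslash escaping MIT krb5 applies to '/' and '@' when it unparses a principal name. The function names and the sample principals are my own, constructed for the example.

```python
def parse_principal(principal):
    """Split a Kerberos principal string into (components, realm).

    A backslash escapes the next character, so an escaped '/' or '@'
    is part of a component rather than a separator.  The realm is
    None when the string carries no '@REALM' suffix.
    """
    components = []
    buf = []
    in_realm = False
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == '\\' and i + 1 < len(principal):
            # escaped character: keep it literally, skip the backslash
            buf.append(principal[i + 1])
            i += 2
            continue
        if not in_realm and ch == '/':
            components.append(''.join(buf))
            buf = []
        elif not in_realm and ch == '@':
            components.append(''.join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return components, ''.join(buf)
    components.append(''.join(buf))
    return components, None


def naive_user(principal):
    """The approach from the patch: everything before the first '@'."""
    return principal.partition('@')[0]


def primary_name(principal):
    """First principal component, with escapes resolved."""
    return parse_principal(principal)[0][0]


if __name__ == '__main__':
    # constructed sample principals; the realm is a placeholder
    for p in ('admin@EXAMPLE.COM',
              'host/ipa.example.com@EXAMPLE.COM',
              r'user\@corp.example@EXAMPLE.COM'):
        print('%-40s naive=%-20r parsed=%r' % (p, naive_user(p), primary_name(p)))
```

For plain user principals both functions agree, which is the case the thread is concerned with; the parser only differs when a component contains an escaped separator.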

