[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi
Jan Cholasta
jcholast at redhat.com
Tue Aug 25 11:52:34 UTC 2015
On 25.8.2015 12:46, Michael Šimáček wrote:
>
>
> On 2015-08-25 12:38, Alexander Bokovoy wrote:
>> On Tue, 25 Aug 2015, Michael Šimáček wrote:
>>>
>>>
>>> On 2015-08-24 20:29, Robbie Harwood wrote:
>>>> Michael Šimáček <msimacek at redhat.com> writes:
>>>>
>>>>> On 2015-08-24 17:49, Simo Sorce wrote:
>>>>>
>>>>>> On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:
>>>>>>
>>>>>>> On 2015-08-24 14:50, Jan Cholasta wrote:
>>>>>>>
>>>>>>>> On 23.8.2015 23:27, Michael Šimáček wrote:
>>>>>>>>
>>>>>>>> 3) ipa-adtrust-install fails with:
>>>>>>>>
>>>>>>>> admin password:
>>>>>>>>
>>>>>>>> Unrecognized error during check of admin rights:
>>>>>>>> admin at abc.idm.lab.eng.brq.redhat.com: user not found
>>>>>>>>
>>>>>>>> Apparently there is a "user-show
>>>>>>>> admin at abc.idm.lab.eng.brq.redhat.com"
>>>>>>>> call where a "user-show admin" call should be.
>>>>>>>
>>>>>>> Fixed. python-gssapi has a display_as method that could pull the
>>>>>>> name
>>>>>>> from it, but it doesn't work in current version, therefore using
>>>>>>> partition to split on '@'
>>>>
>>>> It's actually a bug in MIT Krb5, as we noted in your bug[0]. So this:
>>>>
>>>>> - user = api.Command.user_show(unicode(principal[0]))['result']
>>>>> + user =
>>>>> api.Command.user_show(principal.partition('@')[0])['result']
>>>>
>>>> is working around a bug in specific Kerberos versions. If people are
>>>> okay with merging such code, then I guess this is fine; I would
>>>> personally not do so because there is not a clear point at which it can
>>>> be removed. At the very least, we should wait until we see what
>>>> versions of krb5 MIT is going to fix.
>>>>
>>>> Otherwise, looks good.
>>>>
>>>> [0]: https://github.com/pythongssapi/python-gssapi/issues/79
>>>>
>>>
>>> python-krbV migration is blocking support for Python 3. The bug
>>> doesn't have any fix upstream yet and there are two bugs actually, the
>>> second one is in python-gssapi, which I've just reported [1]. Waiting
>>> for two bugs to be fixed could be detrimental to py3 migration as we
>>> don't have much time left. And I'm no longer sure that display_as
>> I don't buy this.
>>
>> We have plenty of time for solving these bugs. Remember, that Samba
>> DCE RPC bindings aren't migrated to Python 3 either and will not be
>> before release of Samba 4.4. For Samba 4.3 it is simply too late.
>>
>> So we are still far away from full Python3 migration for FreeIPA and
>> waiting for solving these two bugs is OK.
>>
>
> If fixing them solves anything at all. I planned to use
> display_as(NameType.user), but when trying it on Name object with
> name_type set (which doesn't trigger the segfault), it doesn't seem to
> work either. I get:
> gssapi.raw.exceptions.OperationUnavailableError: Major (1048576): The
> operation or option is not available or unsupported, Minor (0): Unknown
> error
>
> Robbie, can you clarify whether display_as could be actually used to get
> the first component of the principal reliably?
As I have written in the other thread, we use "principal.split('@')" in
other parts of IPA, so "principal.partition('@')" should be OK as well.
This patch works for me, so ACK.
Unless there are any further objections, I would like to push it.
>
>>> could be used at all, as I'm getting "operation not supported" on
>>> inputs that don't trigger any of the bugs. I don't think parsing a
>>> string is a big problem. When there will be a different solution
>>> available, I'll submit a new patch. I'm tracking python-gssapi's
>>> issues on github and I won't dissapear after this is merged.
>> Sure. It is not about you disappearing any time soon, we need to solve
>> migration issues properly rather than hurrying up for whatever reasons.
>>
--
Jan Cholasta
More information about the Freeipa-devel
mailing list