[Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

Tue Aug 25 16:43:53 UTC 2015

Jan Cholasta <jcholast at redhat.com> writes:

> On 25.8.2015 12:46, Michael Šimáček wrote:
>> On 2015-08-25 12:38, Alexander Bokovoy wrote:
>>> On Tue, 25 Aug 2015, Michael Šimáček wrote:
>>>> On 2015-08-24 20:29, Robbie Harwood wrote:
>>>>> Michael Šimáček <msimacek at redhat.com> writes:
>>>>>> On 2015-08-24 17:49, Simo Sorce wrote:
>>>>>>> On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:
>>>>>>>> On 2015-08-24 14:50, Jan Cholasta wrote:
>>>>>>>>
>>>>>>>> Fixed. python-gssapi has a display_as method that could pull the
>>>>>>>> name
>>>>>>>> from it, but it doesn't work in current version, therefore using
>>>>>>>> partition to split on '@'
>>>>>
>>>>> It's actually a bug in MIT Krb5, as we noted in your bug[0].  So this:
>>>>>
>>>>>> -        user = api.Command.user_show(unicode(principal[0]))['result']
>>>>>> +        user =
>>>>>> api.Command.user_show(principal.partition('@')[0])['result']
>>>>>
>>>>> is working around a bug in specific Kerberos versions.  If people are
>>>>> okay with merging such code, then I guess this is fine; I would
>>>>> personally not do so because there is not a clear point at which it can
>>>>> be removed.  At the very least, we should wait until we see what
>>>>> versions of krb5 MIT is going to fix.
>>>>>
>>>>> Otherwise, looks good.
>>>>>
>>>>> [0]: https://github.com/pythongssapi/python-gssapi/issues/79
>>>>>
>>>>
>>>> python-krbV migration is blocking support for Python 3. The bug
>>>> doesn't have any fix upstream yet and there are two bugs actually, the
>>>> second one is in python-gssapi, which I've just reported [1]. Waiting
>>>> for two bugs to be fixed could be detrimental to py3 migration as we
>>>> don't have much time left. And I'm no longer sure that display_as
>>>
>>> I don't buy this.
>>>
>>> We have plenty of time for solving these bugs. Remember, that Samba
>>> DCE RPC bindings aren't migrated to Python 3 either and will not be
>>> before release of Samba 4.4. For Samba 4.3 it is simply too late.
>>>
>>> So we are still far away from full Python3 migration for FreeIPA and
>>> waiting for solving these two bugs is OK.
>>
>> If fixing them solves anything at all. I planned to use
>> display_as(NameType.user), but when trying it on Name object with
>> name_type set (which doesn't trigger the segfault), it doesn't seem to
>> work either. I get:
>> gssapi.raw.exceptions.OperationUnavailableError: Major (1048576): The
>> operation or option is not available or unsupported, Minor (0): Unknown
>> error
>>
>> Robbie, can you clarify whether display_as could be actually used to get
>> the first component of the principal reliably?

display_as should behave in accordance with its docs; anything else is a
bug report, which you filed.  I don't know what you're asking me for
beyond that.

> As I have written in the other thread, we use "principal.split('@')" in 
> other parts of IPA, so "principal.partition('@')" should be OK as well.
>
> This patch works for me, so ACK.
>
> Unless there are any further objections, I would like to push it.

I think the newest iteration of this

> user = api.Command.user_show(principal.partition('@')[0].partition('/')[0])['result']

is even worse, but if it is decided to merge, then hopefully we can be
rid of it quickly.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150825/15053911/attachment.sig>