[Freeipa-devel] [PATCHES 0015-0019] changes to the way host TGT is obtained using keytab
Jan Cholasta
jcholast at redhat.com
Fri Mar 6 13:08:03 UTC 2015
Hi Martin,
Dne 6.3.2015 v 13:05 Martin Babinsky napsal(a):
> This series of patches for the master/4.1 branch attempts to implement
> some of the Rob's and Petr Vobornik's ideas which originated from a
> discussion on this list regarding my original patch fixing
> https://fedorahosted.org/freeipa/ticket/4808.
>
> I suppose that these patches are just a first iteration, we may further
> discuss if this is the right thing to do.
>
> Below is a quote from the original discussion just to get the context:
1) Why 5 patches for 2 changes (kinit_hostprincipal instead of exec
kinit, ipa-client-install --kinit-attempts)?
2) IMO a for loop would be better than an infinite while loop:
for attempt in range(attempts):
try:
# kinit
...
except krbV.Krb5Error as e:
# kinit failed
...
else:
break
else:
# max attempts reached
...
3) I think it would be nice to support ccache types other than FILE.
4) I would prefer if you kept using the full ccache name returned from
kinit_hostprincipal when connecting to LDAP.
5) Given that the ccache path usually ends with "/ccache", I would
retain the old way of calling kinit_hostprincipal. You can do something
like this to support all of the above:
def kinit_hostprincipal(keytab, ccache_file, principal, attempts=1):
if os.path.isdir(ccache_file):
ccache_file = os.path.join(ccache_file, 'ccache')
...
return ccache_file
(You don't need to prepend "FILE:", as it is the default ccache type.)
Honza
--
Jan Cholasta
More information about the Freeipa-devel
mailing list