[Freeipa-devel] [PATCHES 0015-0019] changes to the way host TGT is obtained using keytab

Jan Cholasta jcholast at redhat.com
Fri Mar 6 13:08:03 UTC 2015


Hi Martin,

On 6.3.2015 at 13:05, Martin Babinsky wrote:
> This series of patches for the master/4.1 branch attempts to implement
> some of Rob's and Petr Vobornik's ideas which originated from a
> discussion on this list regarding my original patch fixing
> https://fedorahosted.org/freeipa/ticket/4808.
>
> I suppose that these patches are just a first iteration, we may further
> discuss if this is the right thing to do.
>
> Below is a quote from the original discussion just to get the context:

1) Why 5 patches for 2 changes (kinit_hostprincipal instead of exec 
kinit, ipa-client-install --kinit-attempts)?

2) IMO a for loop would be better than an infinite while loop:

     for attempt in range(attempts):
         try:
             # kinit
             ...
         except krbV.Krb5Error as e:
             # kinit failed
             ...
         else:
             break
     else:
         # max attempts reached
         ...

3) I think it would be nice to support ccache types other than FILE.

4) I would prefer if you kept using the full ccache name returned from 
kinit_hostprincipal when connecting to LDAP.

5) Given that the ccache path usually ends with "/ccache", I would 
retain the old way of calling kinit_hostprincipal. You can do something 
like this to support all of the above:

     def kinit_hostprincipal(keytab, ccache_file, principal, attempts=1):
         if os.path.isdir(ccache_file):
             ccache_file = os.path.join(ccache_file, 'ccache')
         ...
         return ccache_file

(You don't need to prepend "FILE:", as it is the default ccache type.)

Honza

-- 
Jan Cholasta
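
The retry loop from point 2 and the ccache handling from points 4 and 5, combined into one runnable sketch. This is an added example, not part of the original message and not FreeIPA's code: `KinitError` stands in for `krbV.Krb5Error`, and the `acquire` callable and `flaky_acquire` test double are hypothetical names introduced here.

```python
import os


class KinitError(Exception):
    """Stand-in for krbV.Krb5Error (assumption: python-krbV is not used here)."""


def kinit_hostprincipal(keytab, ccache_file, principal, acquire, attempts=1):
    """Obtain a host TGT, retrying up to `attempts` times.

    `acquire(keytab, principal, ccache_name)` is a hypothetical callable that
    does the real keytab-based kinit and raises KinitError on failure.
    Returns the ccache name the caller should keep using, e.g. for LDAP.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    # Old calling convention: a directory argument means "<dir>/ccache".
    # Names such as "KEYRING:..." are not directories and pass through as-is.
    if os.path.isdir(ccache_file):
        ccache_file = os.path.join(ccache_file, 'ccache')
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            acquire(keytab, principal, ccache_file)
        except KinitError as e:
            last_error = e  # kinit failed, fall through to the next attempt
        else:
            break  # success: leaving via break skips the loop's else clause
    else:
        # Reached only when every attempt failed (no break was executed).
        raise KinitError("kinit failed after %d attempts: %s"
                         % (attempts, last_error))
    return ccache_file


def flaky_acquire(failures):
    """Constructed test double: fails `failures` times, then succeeds."""
    calls = []

    def acquire(keytab, principal, ccache_name):
        calls.append(ccache_name)
        if len(calls) <= failures:
            raise KinitError("KDC unreachable (simulated)")

    acquire.calls = calls
    return acquire
```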
