[Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code

Martin Babinsky mbabinsk at redhat.com
Tue Mar 17 15:51:14 UTC 2015


On 03/17/2015 12:09 PM, Petr Spacek wrote:
> On 16.3.2015 17:20, Martin Babinsky wrote:
>> On 03/16/2015 01:35 PM, Jan Cholasta wrote:
>>> Dne 16.3.2015 v 13:30 Martin Babinsky napsal(a):
>>>> On 03/16/2015 12:15 PM, Martin Kosek wrote:
>>>>> On 03/13/2015 05:37 PM, Martin Babinsky wrote:
>>>>>> Attaching the next iteration of patches.
>
> Very good! I hopefully have the last two nitpicks :-) See below.
>
>> diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
>> index 4116d974e620341119b56fad3cff1bda48af3bab..cd03e9fd17b60b8b7324d0ccd436a10f7556baf0 100644
>> --- a/ipapython/ipautil.py
>> +++ b/ipapython/ipautil.py
>> @@ -1175,27 +1175,61 @@ def wait_for_open_socket(socket_name, timeout=0):
>>               else:
>>                   raise e
>>
>> -def kinit_hostprincipal(keytab, ccachedir, principal):
>> +
>> +def kinit_keytab(keytab, ccache_path, principal, attempts=1):
>>       """
>> -    Given a ccache directory and a principal kinit as that user.
>> +    Given a ccache_path , keytab file and a principal kinit as that user.
>> +
>> +    The optional parameter 'attempts' specifies how many times the credential
>> +    initialization should be attempted before giving up and raising
>> +    StandardError.
>>
>>       This blindly overwrites the current CCNAME so if you need to save
>>       it do so before calling this function.
>>
>> +    This function is also not thread-safe since it modifies environment
>> +    variables.
>> +
>>       Thus far this is used to kinit as the local host.
>
> This note can be deleted because it is used elsewhere too.
>
>>       """
>> -    try:
>> -        ccache_file = 'FILE:%s/ccache' % ccachedir
>> -        krbcontext = krbV.default_context()
>> -        ktab = krbV.Keytab(name=keytab, context=krbcontext)
>> -        princ = krbV.Principal(name=principal, context=krbcontext)
>> -        os.environ['KRB5CCNAME'] = ccache_file
>> -        ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=princ)
>> -        ccache.init(princ)
>> -        ccache.init_creds_keytab(keytab=ktab, principal=princ)
>> -        return ccache_file
>> -    except krbV.Krb5Error, e:
>> -        raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
>> +    root_logger.debug("Initializing principal %s using keytab %s"
>> +                      % (principal, keytab))
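Review bot: the second positional parameter changes meaning in this hunk, from `ccachedir` (a directory, to which the old code appended `/ccache` and a `FILE:` prefix) to `ccache_path` (used as the cache name as-is), while keeping the same position in the signature, so a caller that is not updated in the same series would still pass a directory and get its cache initialized at the wrong location rather than a clear error; the docstring should state what form `ccache_path` is expected in (with or without the `FILE:` prefix) so adopters get it right. Minor: `Given a ccache_path , keytab file and a principal kinit as that user.` has a stray space before the comma.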
>
> I'm sorry for nitpicking but it would be nice to log ccache_file too. Krb5
> libs return quite weird errors when CC cache is not accessible so it helps to
> have the path at hand.
>

Attaching updated patches.

-- 
Martin^3 Babinsky
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0015-5-ipautil-new-functions-kinit_keytab-and-kinit_passwor.patch
Type: text/x-patch
Size: 4231 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150317/673540f0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0016-4-ipa-client-install-try-to-get-host-TGT-several-times.patch
Type: text/x-patch
Size: 8821 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150317/673540f0/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mbabinsk-0017-4-Adopted-kinit_keytab-and-kinit_password-for-kerberos.patch
Type: text/x-patch
Size: 11866 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150317/673540f0/attachment-0002.bin>