<div dir="ltr"><div><div>Hello,<br><br> Would you mind formatting your patch following the format described at <a href="http://www.freeipa.org/page/Contribute/Patch_Format" target="_blank">http://www.freeipa.org/page/Contribute/Patch_Format</a> and attaching the patch to this thread? Please attach your patch to the corresponding trac ticket as well.<br><br></div>thanks,<br><br></div>Gabe<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 21, 2015 at 7:26 AM, Michael Simacek <span dir="ltr"><<a href="mailto:msimacek@redhat.com" target="_blank">msimacek@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>----- Original Message -----<br>
> From: "Christian Heimes" <<a href="mailto:cheimes@redhat.com" target="_blank">cheimes@redhat.com</a>><br>
> To: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>, <a href="mailto:msimacek@redhat.com" target="_blank">msimacek@redhat.com</a><br>
> Sent: Tuesday, July 21, 2015 2:23:06 PM<br>
> Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi<br>
><br>
> On 2015-07-21 14:02, Michael Simacek wrote:<br>
> > Hi,<br>
> ><br>
> > This is a first part of my effort to port FreeIPA from Python3-incompatible<br>
> > Kerberos libraries to python-gssapi. This patch should replace<br>
> > python-kerberos<br>
> > with python-gssapi (both use C GSSAPI behind the scenes).<br>
><br>
> > def _handle_exception(self, e, service=None):<br>
> > - (major, minor) = ipautil.get_gsserror(e)<br>
> > - if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:<br>
> > + # kerberos library coerced error codes to signed, gssapi uses<br>
> > unsigned<br>
> > + minor = e.min_code - (1 << 32)<br>
> > + if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:<br>
><br>
> The unsigned-to-signed conversion is not correct. Although it doesn't make<br>
> a difference here, please use the technically correct way:<br>
><br>
> minor = e.min_code<br>
> if minor & (1 << 31):<br>
> minor -= 1 << 32<br>
><br>
> or if you prefer hex:<br>
><br>
> if minor & 0x80000000:<br>
> minor -= 0x100000000<br>
><br>
<br>
</div></div>Fixed, thank you. Hopefully, when FreeIPA uses python-gssapi<br>
everywhere, such coercions won't be needed.<br>
<br>
--<br>
Michael Simacek<br>
<br>
<br>
<br>
From c59cadae8d461aa0c771cb56a34d53c9533a4248 Mon Sep 17 00:00:00 2001<br>
<span>From: Michael Simacek <<a href="mailto:msimacek@redhat.com" target="_blank">msimacek@redhat.com</a>><br>
Date: Thu, 16 Jul 2015 18:22:00 +0200<br>
Subject: [PATCH] Port from python-kerberos library to python-gssapi<br>
<br>
kerberos library doesn't support Python 3 and probably never will.<br>
python-gssapi library is Python 3 compatible.<br>
---<br>
BUILD.txt | 2 +-<br>
<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a> | 2 +-<br>
</span> ipalib/rpc.py | 44 +++++++++++++++++++++++---------------------<br>
<span> ipalib/util.py | 14 +++++++-------<br>
ipapython/ipautil.py | 17 -----------------<br>
</span> 5 files changed, 32 insertions(+), 47 deletions(-)<br>
<div><div><br>
diff --git a/BUILD.txt b/BUILD.txt<br>
index 6a28beb..53012b1 100644<br>
--- a/BUILD.txt<br>
+++ b/BUILD.txt<br>
@@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \<br>
libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \<br>
krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \<br>
autoconf automake m4 libtool gettext python-devel python-ldap \<br>
-python-setuptools python-krbV python-nss python-netaddr python-kerberos \<br>
+python-setuptools python-krbV python-nss python-netaddr python-gssapi \<br>
python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \<br>
sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \<br>
check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \<br>
diff --git a/<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a> b/<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a><br>
index fef20e1..5e10022 100644<br>
--- a/<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a><br>
+++ b/<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a><br>
@@ -72,7 +72,7 @@ BuildRequires: python-krbV<br>
BuildRequires: python-nss<br>
BuildRequires: python-cryptography<br>
BuildRequires: python-netaddr<br>
-BuildRequires: python-kerberos >= 1.1-14<br>
+BuildRequires: python-gssapi >= 1.1.1<br>
BuildRequires: python-rhsm<br>
BuildRequires: pyOpenSSL<br>
BuildRequires: pylint >= 1.0<br>
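Review bot: only the BuildRequires line is swapped in this hunk; the runtime Requires for python-kerberos (not visible in this diff) needs the same replacement with python-gssapi >= 1.1.1, otherwise the new `import gssapi` in ipalib/rpc.py fails on installed systems where only the old dependency is pulled in. Please also confirm that 1.1.1 is the first release that provides `gssapi.IntEnumFlagSet` and the keyword arguments to `gssapi.raw.inquire_cred` used later in this patch, so the version floor actually matches the API the code relies on.<br>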
diff --git a/ipalib/rpc.py b/ipalib/rpc.py<br>
</div></div>index 466b49a..9e8c97d 100644<br>
<span>--- a/ipalib/rpc.py<br>
+++ b/ipalib/rpc.py<br>
@@ -44,7 +44,7 @@ from urllib2 import urlparse<br>
<br>
from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy,<br>
Transport, ProtocolError, MININT, MAXINT)<br>
-import kerberos<br>
+import gssapi<br>
from dns import resolver, rdatatype<br>
from dns.exception import DNSException<br>
from nss.error import NSPRError<br>
</span>@@ -510,24 +510,29 @@ class KerbTransport(SSLTransport):<br>
<span> """<br>
Handles Kerberos Negotiation authentication to an XML-RPC server.<br>
"""<br>
- flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG<br>
+ flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag,<br>
+ [gssapi.RequirementFlag.mutual_authentication,<br>
+ gssapi.RequirementFlag.out_of_sequence_detection])<br>
<br>
</span><span> def _handle_exception(self, e, service=None):<br>
- (major, minor) = ipautil.get_gsserror(e)<br>
- if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:<br>
+ # kerberos library coerced error codes to signed, gssapi uses unsigned<br>
+ minor = e.min_code<br>
</span>+ if minor & (1 << 31):<br>
+ minor -= 1 << 32<br>
<span>+ if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:<br>
</span><span> raise errors.ServiceError(service=service)<br>
- elif minor[1] == KRB5_FCC_NOFILE:<br>
+ elif minor == KRB5_FCC_NOFILE:<br>
raise errors.NoCCacheError()<br>
- elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED:<br>
+ elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED:<br>
raise errors.TicketExpired()<br>
- elif minor[1] == KRB5_FCC_PERM:<br>
+ elif minor == KRB5_FCC_PERM:<br>
raise errors.BadCCachePerms()<br>
- elif minor[1] == KRB5_CC_FORMAT:<br>
+ elif minor == KRB5_CC_FORMAT:<br>
raise errors.BadCCacheFormat()<br>
- elif minor[1] == KRB5_REALM_CANT_RESOLVE:<br>
+ elif minor == KRB5_REALM_CANT_RESOLVE:<br>
raise errors.CannotResolveKDC()<br>
else:<br>
- raise errors.KerberosError(major=major, minor=minor)<br>
+ raise errors.KerberosError(major=e.maj_code, minor=minor)<br>
<br>
def get_host_info(self, host):<br>
"""<br>
</span>@@ -548,14 +553,9 @@ class KerbTransport(SSLTransport):<br>
<span> service = "HTTP@" + host.split(':')[0]<br>
<br>
try:<br>
- (rc, vc) = kerberos.authGSSClientInit(service=service,<br>
- gssflags=self.flags)<br>
- except kerberos.GSSError, e:<br>
- self._handle_exception(e)<br>
-<br>
- try:<br>
- kerberos.authGSSClientStep(vc, "")<br>
- except kerberos.GSSError, e:<br>
+ name = gssapi.Name(service, gssapi.NameType.hostbased_service)<br>
+ response = gssapi.raw.init_sec_context(name, flags=self.flags).token<br>
+ except gssapi.exceptions.GSSError as e:<br>
self._handle_exception(e, service=service)<br>
<br>
for (h, v) in extra_headers:<br>
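Review bot: the security context returned by `gssapi.raw.init_sec_context(name, flags=self.flags)` is discarded and only `.token` is kept, so the `mutual_authentication` flag requested in `self.flags` is never completed: the server's Negotiate response token is not fed back into the context, and the client cannot detect a server that fails to prove knowledge of the session key. The old `authGSSClientInit`/`authGSSClientStep` sequence had the same limitation, so this is not a regression, but a comment or TODO here would make it explicit. The high-level `gssapi.SecurityContext(name=name, flags=self.flags).step()` would be the more idiomatic replacement and would also keep the context object around for a later mutual-authentication step.<br>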
</span>@@ -564,7 +564,7 @@ class KerbTransport(SSLTransport):<br>
<span> break<br>
<br>
extra_headers.append(<br>
- ('Authorization', 'negotiate %s' % kerberos.authGSSClientResponse(vc))<br>
+ ('Authorization', 'negotiate %s' % base64.b64encode(response))<br>
)<br>
<br>
return (host, extra_headers, x509)<br>
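Review bot: `base64.b64encode(response)` relies on `base64` being imported in ipalib/rpc.py, but the import hunk above only swaps `import kerberos` for `import gssapi`; confirm the module already imports base64 or add it there. The explicit encoding itself is the right replacement, since the old `authGSSClientResponse(vc)` returned an already base64-encoded string.<br>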
</span>@@ -632,8 +632,10 @@ class DelegatedKerbTransport(KerbTransport):<br>
<div><div> Handles Kerberos Negotiation authentication and TGT delegation to an<br>
XML-RPC server.<br>
"""<br>
- flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \<br>
- kerberos.GSS_C_SEQUENCE_FLAG<br>
+ flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag,<br>
+ [gssapi.RequirementFlag.delegate_to_peer,<br>
+ gssapi.RequirementFlag.mutual_authentication,<br>
+ gssapi.RequirementFlag.out_of_sequence_detection])<br>
<br>
<br>
class RPCClient(Connectible):<br>
diff --git a/ipalib/util.py b/ipalib/util.py<br>
index 649a487..aea3ba9 100644<br>
--- a/ipalib/util.py<br>
+++ b/ipalib/util.py<br>
@@ -63,15 +63,15 @@ def json_serialize(obj):<br>
<br>
def get_current_principal():<br>
try:<br>
- import kerberos<br>
- rc, vc = kerberos.authGSSClientInit("notempty")<br>
- rc = kerberos.authGSSClientInquireCred(vc)<br>
- username = kerberos.authGSSClientUserName(vc)<br>
- kerberos.authGSSClientClean(vc)<br>
+ import gssapi<br>
+ cred = gssapi.raw.acquire_cred(usage='initiate').creds<br>
+ name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False,<br>
+ mechs=False).name<br>
+ username = gssapi.raw.display_name(name, name_type=False).name<br>
return unicode(username)<br>
except ImportError:<br>
- raise RuntimeError('python-kerberos is not available.')<br>
- except kerberos.GSSError, e:<br>
+ raise RuntimeError('python-gssapi is not available.')<br>
+ except gssapi.exceptions.GSSError:<br>
#TODO: do a kinit?<br>
raise errors.CCacheError()<br>
<br>
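Review bot: in python-gssapi's raw layer `display_name(...).name` is a byte string, so `unicode(username)` falls back to the default ASCII codec and raises UnicodeDecodeError for principals containing non-ASCII characters; decode explicitly (`username.decode('utf-8')`) or switch to the high-level API, `str(gssapi.Credentials(usage='initiate').name)`, which replaces the three raw calls with one and ties the credential handle's lifetime to the object. Given the commit message's Python 3 goal, note that `unicode` itself does not exist on Python 3, so this line will need `six.text_type` or an equivalent when the port continues.<br>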
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py<br>
index 88e8970..05a7eeb 100644<br>
--- a/ipapython/ipautil.py<br>
+++ b/ipapython/ipautil.py<br>
@@ -783,23 +783,6 @@ def user_input(prompt, default = None, allow_empty = True):<br>
return ret<br>
<br>
<br>
-def get_gsserror(e):<br>
- """<br>
- A GSSError exception looks differently in python 2.4 than it does<br>
- in python 2.5. Deal with it.<br>
- """<br>
-<br>
- try:<br>
- major = e[0]<br>
- minor = e[1]<br>
- except:<br>
- major = e[0][0]<br>
- minor = e[0][1]<br>
-<br>
- return (major, minor)<br>
-<br>
-<br>
-<br>
def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):<br>
for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type):<br>
af, socktype, proto, canonname, sa = res<br>
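Review bot: `get_gsserror()` is a module-level helper in ipapython.ipautil and this patch only updates its caller in ipalib/rpc.py; grep the tree (ipa-client, installer scripts, ipaserver) for remaining callers before deleting it, or keep a deprecated shim until the python-gssapi port is complete, as the reply above anticipates.<br>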
--<br>
2.1.0<br>
<br>
--<br>
Manage your subscription for the Freeipa-devel mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
Contribute to FreeIPA: <a href="http://www.freeipa.org/page/Contribute/Code" rel="noreferrer" target="_blank">http://www.freeipa.org/page/Contribute/Code</a><br>
</div></div></blockquote></div><br></div></div></div></div>
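The exchange between Christian and Michael above is about reinterpreting the unsigned 32-bit minor status that python-gssapi exposes as the signed com_err value FreeIPA compares against. The following is an added example, not code from the FreeIPA patch, the thread, or python-gssapi: it puts the first version of the conversion (always subtract 2**32) beside the sign-extension Christian asked for and shows on which inputs they differ, using a small model of `_handle_exception`'s mapping. The constants are derived from MIT krb5's error table base plus the RFC 4120 error numbers (7 and 32); `classify_minor`, `to_unsigned32` and `naive_to_signed32` are helper names chosen here, not FreeIPA's.

```python
# Added example for the sign-conversion discussion in the thread; it is not
# code from the FreeIPA patch or from python-gssapi. The krb5 error codes are
# MIT krb5's com_err values: ERROR_TABLE_BASE_krb5 plus the RFC 4120 error
# number (7 = KDC_ERR_S_PRINCIPAL_UNKNOWN, 32 = KRB_AP_ERR_TKT_EXPIRED).
ERROR_TABLE_BASE_KRB5 = -1765328384
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = ERROR_TABLE_BASE_KRB5 + 7
KRB5KRB_AP_ERR_TKT_EXPIRED = ERROR_TABLE_BASE_KRB5 + 32

MASK32 = 0xFFFFFFFF


def to_unsigned32(code):
    """Model how a C OM_uint32 minor status stores a negative com_err code."""
    return code & MASK32


def to_signed32(minor):
    """Reinterpret an unsigned 32-bit minor status as a signed C int.

    This is the conversion asked for in review: only values with bit 31 set
    become negative when viewed as a signed 32-bit integer.
    """
    if not 0 <= minor <= MASK32:
        raise ValueError("minor status must fit in 32 bits: %r" % minor)
    if minor & (1 << 31):
        minor -= 1 << 32
    return minor


def naive_to_signed32(minor):
    """The first version of the patch: always subtract 2**32.

    Correct for the krb5 codes FreeIPA compares against (they all have bit 31
    set), wrong for any minor status below 2**31.
    """
    return minor - (1 << 32)


def classify_minor(minor):
    """Map an unsigned minor status to the FreeIPA error class that
    KerbTransport._handle_exception would raise for it (two of its cases)."""
    signed = to_signed32(minor)
    if signed == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
        return "ServiceError"
    if signed == KRB5KRB_AP_ERR_TKT_EXPIRED:
        return "TicketExpired"
    return "KerberosError"


if __name__ == "__main__":
    # Constructed inputs: the two krb5 codes as GSSError.min_code would carry
    # them, plus a small positive minor status where the two conversions differ.
    for raw in (to_unsigned32(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN),
                to_unsigned32(KRB5KRB_AP_ERR_TKT_EXPIRED),
                2):
        print("min_code=%10d  signed=%12d  naive=%12d  -> %s"
              % (raw, to_signed32(raw), naive_to_signed32(raw),
                 classify_minor(raw)))
```

Running the block prints three rows; on the two krb5 codes both conversions agree, which is why the review said the difference did not matter "here", while for the small positive status only the sign-extension leaves the value intact.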