<div dir="ltr"><div><div>Hello,<br><br>       Would you mind formatting your patch following the format described at <a href="http://www.freeipa.org/page/Contribute/Patch_Format" target="_blank">http://www.freeipa.org/page/Contribute/Patch_Format</a> and attaching the patch to this thread? Please attach your patch to the corresponding Trac ticket as well.<br><br></div>thanks,<br><br></div>Gabe<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jul 21, 2015 at 7:26 AM, Michael Simacek <span dir="ltr"><<a href="mailto:msimacek@redhat.com" target="_blank">msimacek@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div>----- Original Message -----<br>
> From: "Christian Heimes" <<a href="mailto:cheimes@redhat.com" target="_blank">cheimes@redhat.com</a>><br>
> To: <a href="mailto:freeipa-devel@redhat.com" target="_blank">freeipa-devel@redhat.com</a>, <a href="mailto:msimacek@redhat.com" target="_blank">msimacek@redhat.com</a><br>
> Sent: Tuesday, July 21, 2015 2:23:06 PM<br>
> Subject: Re: [Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi<br>
><br>
> On 2015-07-21 14:02, Michael Simacek wrote:<br>
> > Hi,<br>
> ><br>
> > This is a first part of my effort to port FreeIPA from Python3-incompatible<br>
> > Kerberos libraries to python-gssapi. This patch should replace<br>
> > python-kerberos<br>
> > with python-gssapi (both use C GSSAPI behind the scenes).<br>
><br>
> >      def _handle_exception(self, e, service=None):<br>
> > -        (major, minor) = ipautil.get_gsserror(e)<br>
> > -        if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:<br>
> > +        # kerberos library coerced error codes to signed, gssapi uses<br>
> > unsigned<br>
> > +        minor = e.min_code - (1 << 32)<br>
> > +        if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:<br>
><br>
> The unsigned-to-signed conversion is not correct. Although it doesn't make<br>
> a difference here, please use the technically correct way:<br>
><br>
> minor = e.min_code<br>
> if minor & (1 << 31):<br>
>     minor -= 1 << 32<br>
><br>
> or if you prefer hex:<br>
><br>
> if minor & 0x80000000:<br>
>     minor -= 0x100000000<br>
><br>
<br>
</div></div>Fixed, thank you. Hopefully, once FreeIPA uses python-gssapi<br>
everywhere, such coercions won't be needed.<br>
<br>
--<br>
Michael Simacek<br>
<br>
<br>
<br>
From c59cadae8d461aa0c771cb56a34d53c9533a4248 Mon Sep 17 00:00:00 2001<br>
<span>From: Michael Simacek <<a href="mailto:msimacek@redhat.com" target="_blank">msimacek@redhat.com</a>><br>
Date: Thu, 16 Jul 2015 18:22:00 +0200<br>
Subject: [PATCH] Port from python-kerberos library to python-gssapi<br>
<br>
The kerberos library doesn't support Python 3 and probably never will.<br>
The python-gssapi library is Python 3 compatible.<br>
---<br>
 BUILD.txt            |  2 +-<br>
 <a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a>      |  2 +-<br>
</span> ipalib/rpc.py        | 44 +++++++++++++++++++++++---------------------<br>
<span> ipalib/util.py       | 14 +++++++-------<br>
 ipapython/ipautil.py | 17 -----------------<br>
</span> 5 files changed, 32 insertions(+), 47 deletions(-)<br>
<div><div><br>
diff --git a/BUILD.txt b/BUILD.txt<br>
index 6a28beb..53012b1 100644<br>
--- a/BUILD.txt<br>
+++ b/BUILD.txt<br>
@@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \<br>
 libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \<br>
 krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \<br>
 autoconf automake m4 libtool gettext python-devel python-ldap \<br>
-python-setuptools python-krbV python-nss python-netaddr python-kerberos \<br>
+python-setuptools python-krbV python-nss python-netaddr python-gssapi \<br>
 python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \<br>
 sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \<br>
 check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \<br>
diff --git a/<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a> b/<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a><br>
index fef20e1..5e10022 100644<br>
--- a/<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a><br>
+++ b/<a href="http://freeipa.spec.in" rel="noreferrer" target="_blank">freeipa.spec.in</a><br>
@@ -72,7 +72,7 @@ BuildRequires:  python-krbV<br>
 BuildRequires:  python-nss<br>
 BuildRequires:  python-cryptography<br>
 BuildRequires:  python-netaddr<br>
-BuildRequires:  python-kerberos >= 1.1-14<br>
+BuildRequires:  python-gssapi >= 1.1.1<br>
 BuildRequires:  python-rhsm<br>
 BuildRequires:  pyOpenSSL<br>
 BuildRequires:  pylint >= 1.0<br>
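Review bot: only the BuildRequires line changes in freeipa.spec.in (the diffstat shows one line swapped); if the spec also carries a runtime Requires: python-kerberos for the client or python subpackage, it needs the same python-gssapi >= 1.1.1 replacement, otherwise the installed packages import gssapi without declaring the dependency.<br>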
diff --git a/ipalib/rpc.py b/ipalib/rpc.py<br>
</div></div>index 466b49a..9e8c97d 100644<br>
<span>--- a/ipalib/rpc.py<br>
+++ b/ipalib/rpc.py<br>
@@ -44,7 +44,7 @@ from urllib2 import urlparse<br>
<br>
 from xmlrpclib import (Binary, Fault, DateTime, dumps, loads, ServerProxy,<br>
         Transport, ProtocolError, MININT, MAXINT)<br>
-import kerberos<br>
+import gssapi<br>
 from dns import resolver, rdatatype<br>
 from dns.exception import DNSException<br>
 from nss.error import NSPRError<br>
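Review bot: the Authorization header hunk further down now calls base64.b64encode(), but this import hunk only swaps `import kerberos` for `import gssapi`; confirm that ipalib/rpc.py already imports base64, otherwise the first Kerberos-authenticated request fails with a NameError.<br>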
</span>@@ -510,24 +510,29 @@ class KerbTransport(SSLTransport):<br>
<span>     """<br>
     Handles Kerberos Negotiation authentication to an XML-RPC server.<br>
     """<br>
-    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG<br>
+    flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag,<br>
+                                  [gssapi.RequirementFlag.mutual_authentication,<br>
+                                   gssapi.RequirementFlag.out_of_sequence_detection])<br>
<br>
</span><span>     def _handle_exception(self, e, service=None):<br>
-        (major, minor) = ipautil.get_gsserror(e)<br>
-        if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:<br>
+        # kerberos library coerced error codes to signed, gssapi uses unsigned<br>
+        minor = e.min_code<br>
</span>+        if minor & (1 << 31):<br>
+            minor -= 1 << 32<br>
<span>+        if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:<br>
</span><span>             raise errors.ServiceError(service=service)<br>
-        elif minor[1] == KRB5_FCC_NOFILE:<br>
+        elif minor == KRB5_FCC_NOFILE:<br>
             raise errors.NoCCacheError()<br>
-        elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED:<br>
+        elif minor == KRB5KRB_AP_ERR_TKT_EXPIRED:<br>
             raise errors.TicketExpired()<br>
-        elif minor[1] == KRB5_FCC_PERM:<br>
+        elif minor == KRB5_FCC_PERM:<br>
             raise errors.BadCCachePerms()<br>
-        elif minor[1] == KRB5_CC_FORMAT:<br>
+        elif minor == KRB5_CC_FORMAT:<br>
             raise errors.BadCCacheFormat()<br>
-        elif minor[1] == KRB5_REALM_CANT_RESOLVE:<br>
+        elif minor == KRB5_REALM_CANT_RESOLVE:<br>
             raise errors.CannotResolveKDC()<br>
         else:<br>
-            raise errors.KerberosError(major=major, minor=minor)<br>
+            raise errors.KerberosError(major=e.maj_code, minor=minor)<br>
<br>
     def get_host_info(self, host):<br>
         """<br>
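Review bot: the fallback `raise errors.KerberosError(major=e.maj_code, minor=minor)` now passes two bare integers where the old code passed the tuples it indexed with minor[1] (each carrying a message next to the code); check that the KerberosError message template still reads sensibly with numbers only, or hand it e.gen_message() for the human-readable text. The sign fix itself (`if minor & (1 << 31): minor -= 1 << 32`) is the two's-complement reinterpretation Christian asked for and leaves small positive minor codes such as 0 or errno values untouched.<br>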
</span>@@ -548,14 +553,9 @@ class KerbTransport(SSLTransport):<br>
<span>         service = "HTTP@" + host.split(':')[0]<br>
<br>
         try:<br>
-            (rc, vc) = kerberos.authGSSClientInit(service=service,<br>
-                                                  gssflags=self.flags)<br>
-        except kerberos.GSSError, e:<br>
-            self._handle_exception(e)<br>
-<br>
-        try:<br>
-            kerberos.authGSSClientStep(vc, "")<br>
-        except kerberos.GSSError, e:<br>
+            name = gssapi.Name(service, gssapi.NameType.hostbased_service)<br>
+            response = gssapi.raw.init_sec_context(name, flags=self.flags).token<br>
+        except gssapi.exceptions.GSSError as e:<br>
             self._handle_exception(e, service=service)<br>
<br>
         for (h, v) in extra_headers:<br>
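Review bot: the context returned by gssapi.raw.init_sec_context() is discarded (only `.token` is kept), so the mutual_authentication and out_of_sequence_detection flags requested in self.flags are never actually checked: the server's reply token is never fed back into a second init_sec_context() call. The old authGSSClientInit/authGSSClientStep sequence was equally one-shot, so this is not a regression, but a comment stating that mutual authentication is requested yet not verified would stop the next reader from assuming it is.<br>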
</span>@@ -564,7 +564,7 @@ class KerbTransport(SSLTransport):<br>
<span>                 break<br>
<br>
         extra_headers.append(<br>
-            ('Authorization', 'negotiate %s' % kerberos.authGSSClientResponse(vc))<br>
+            ('Authorization', 'negotiate %s' % base64.b64encode(response))<br>
         )<br>
<br>
         return (host, extra_headers, x509)<br>
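Review bot: base64.b64encode(response) returns bytes on Python 3, so `'negotiate %s' % base64.b64encode(response)` would put `negotiate b'...'` on the wire there; since Python 3 support is the stated goal of this port, use base64.b64encode(response).decode('ascii').<br>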
</span>@@ -632,8 +632,10 @@ class DelegatedKerbTransport(KerbTransport):<br>
<div><div>     Handles Kerberos Negotiation authentication and TGT delegation to an<br>
     XML-RPC server.<br>
     """<br>
-    flags = kerberos.GSS_C_DELEG_FLAG |  kerberos.GSS_C_MUTUAL_FLAG | \<br>
-            kerberos.GSS_C_SEQUENCE_FLAG<br>
+    flags = gssapi.IntEnumFlagSet(gssapi.RequirementFlag,<br>
+                                  [gssapi.RequirementFlag.delegate_to_peer,<br>
+                                   gssapi.RequirementFlag.mutual_authentication,<br>
+                                   gssapi.RequirementFlag.out_of_sequence_detection])<br>
<br>
<br>
 class RPCClient(Connectible):<br>
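Review bot: the three-flag list repeats the two flags already in KerbTransport.flags; deriving it from the parent (a set union of KerbTransport.flags with delegate_to_peer) keeps the two classes from drifting apart. Since delegate_to_peer forwards the user's TGT to whatever service passed negotiation, keeping the docstring's mention of TGT delegation next to the flag is worthwhile.<br>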
diff --git a/ipalib/util.py b/ipalib/util.py<br>
index 649a487..aea3ba9 100644<br>
--- a/ipalib/util.py<br>
+++ b/ipalib/util.py<br>
@@ -63,15 +63,15 @@ def json_serialize(obj):<br>
<br>
 def get_current_principal():<br>
     try:<br>
-        import kerberos<br>
-        rc, vc = kerberos.authGSSClientInit("notempty")<br>
-        rc = kerberos.authGSSClientInquireCred(vc)<br>
-        username = kerberos.authGSSClientUserName(vc)<br>
-        kerberos.authGSSClientClean(vc)<br>
+        import gssapi<br>
+        cred = gssapi.raw.acquire_cred(usage='initiate').creds<br>
+        name = gssapi.raw.inquire_cred(cred, lifetime=False, usage=False,<br>
+                                       mechs=False).name<br>
+        username = gssapi.raw.display_name(name, name_type=False).name<br>
         return unicode(username)<br>
     except ImportError:<br>
-        raise RuntimeError('python-kerberos is not available.')<br>
-    except kerberos.GSSError, e:<br>
+        raise RuntimeError('python-gssapi is not available.')<br>
+    except gssapi.exceptions.GSSError:<br>
         #TODO: do a kinit?<br>
         raise errors.CCacheError()<br>
<br>
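Review bot: the old authGSSClientClean(vc) has no counterpart in the three raw calls, so the acquired credential handle is released only when the wrapper objects are collected; the high-level API expresses the same lookup more directly and ties the release to the object's lifetime: `cred = gssapi.Credentials(usage='initiate')` and then `cred.name` for the display name. Either way the lookup still resolves the default credential from the default ccache, as before, and the `#TODO: do a kinit?` stays open.<br>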
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py<br>
index 88e8970..05a7eeb 100644<br>
--- a/ipapython/ipautil.py<br>
+++ b/ipapython/ipautil.py<br>
@@ -783,23 +783,6 @@ def user_input(prompt, default = None, allow_empty = True):<br>
                 return ret<br>
<br>
<br>
-def get_gsserror(e):<br>
-    """<br>
-    A GSSError exception looks differently in python 2.4 than it does<br>
-    in python 2.5. Deal with it.<br>
-    """<br>
-<br>
-    try:<br>
-       major = e[0]<br>
-       minor = e[1]<br>
-    except:<br>
-       major = e[0][0]<br>
-       minor = e[0][1]<br>
-<br>
-    return (major, minor)<br>
-<br>
-<br>
-<br>
 def host_port_open(host, port, socket_type=socket.SOCK_STREAM, socket_timeout=None):<br>
     for res in socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket_type):<br>
         af, socktype, proto, canonname, sa = res<br>
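Review bot: get_gsserror() is removed here, but the only caller this patch updates is ipalib/rpc.py (see the diffstat); grep the rest of the tree (ipaserver, install scripts, tests) for `ipautil.get_gsserror` and for other `import kerberos` users before merging, otherwise those paths break at import time once python-kerberos is dropped from the build requirements.<br>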
--<br>
2.1.0<br>
<br>
--<br>
Manage your subscription for the Freeipa-devel mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-devel" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a><br>
Contribute to FreeIPA: <a href="http://www.freeipa.org/page/Contribute/Code" rel="noreferrer" target="_blank">http://www.freeipa.org/page/Contribute/Code</a><br>
</div></div></blockquote></div><br></div></div></div></div>
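Christian's sign-conversion point, carried through as an added worked example (constructed for this page; not FreeIPA or python-gssapi code): the krb5 constant values below are assumed from the krb5 error table, and `classify_minor()` stands in for the transport's `_handle_exception()` chain with error names only. It shows where the rejected `min_code - (1 << 32)` form and the conditional form diverge, cross-checks the conditional form against a `struct` round-trip, and goes in both directions (signed krb5 constant to the unsigned value python-gssapi reports, and back).

```python
"""Reinterpreting GSSAPI minor status codes as krb5's signed values.

The C GSSAPI hands back minor_status as OM_uint32 (unsigned 32-bit), while
the krb5 error table (and FreeIPA's KRB5* constants) use negative signed
32-bit values. Unconditionally subtracting 2**32 only works for codes with
the top bit set; the conditional form is the two's-complement
reinterpretation and is correct over the whole OM_uint32 range.
"""
import struct

# Signed krb5 error-table values, assumed here from the krb5 error table
# (ERROR_TABLE_BASE_krb5 = -1765328384 plus each code's offset).
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377
KRB5KRB_AP_ERR_TKT_EXPIRED = -1765328352
KRB5_FCC_PERM = -1765328190
KRB5_FCC_NOFILE = -1765328189
KRB5_CC_FORMAT = -1765328185
KRB5_REALM_CANT_RESOLVE = -1765328164

# Outcome per minor code, mirroring the _handle_exception() chain in the
# patch (names only; no FreeIPA errors module needed).
MINOR_TO_ERROR = {
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: "ServiceError",
    KRB5_FCC_NOFILE: "NoCCacheError",
    KRB5KRB_AP_ERR_TKT_EXPIRED: "TicketExpired",
    KRB5_FCC_PERM: "BadCCachePerms",
    KRB5_CC_FORMAT: "BadCCacheFormat",
    KRB5_REALM_CANT_RESOLVE: "CannotResolveKDC",
}


def to_signed32(code):
    """Two's-complement reinterpretation of an OM_uint32 as a signed int32.

    Only values with bit 31 set are shifted down; 0 and small positive
    codes (e.g. errno values surfaced as minor status) pass through.
    """
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("not an OM_uint32: %r" % (code,))
    if code & 0x80000000:
        code -= 0x100000000
    return code


def naive_to_signed32(code):
    """The form the review rejected: unconditional subtraction.

    Agrees with to_signed32() only when bit 31 is set; for anything
    below 2**31 it yields a bogus large negative number.
    """
    return code - (1 << 32)


def to_signed32_via_struct(code):
    """Independent cross-check: pack as unsigned, unpack as signed int32."""
    return struct.unpack("=i", struct.pack("=I", code))[0]


def to_unsigned32(code):
    """Inverse direction: a signed krb5 constant as the OM_uint32 GSSAPI returns."""
    return code & 0xFFFFFFFF


def classify_minor(min_code):
    """Map a raw (unsigned) GSSError.min_code to the error the transport raises.

    Unknown codes fall through to the generic 'KerberosError', as in the patch.
    """
    return MINOR_TO_ERROR.get(to_signed32(min_code), "KerberosError")


if __name__ == "__main__":
    raw = to_unsigned32(KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)  # what python-gssapi reports
    print("raw min_code %d -> %d (%s)" % (raw, to_signed32(raw), classify_minor(raw)))
    for code in (0, 13, 0x7FFFFFFF, 0x80000000, raw):
        print("%10d  correct=%12d  naive=%12d  struct=%12d"
              % (code, to_signed32(code), naive_to_signed32(code),
                 to_signed32_via_struct(code)))
```

The table printed by the `__main__` block makes the review comment concrete: the two conversions agree for the krb5 codes (top bit set) but the naive one turns 0 into -4294967296 and an errno-sized minor code into nonsense, so a comparison chain like the patch's would silently miss nothing today yet misreport any non-krb5 minor code.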