[Freeipa-devel] [PATCH] Port from python-kerberos library to python-gssapi
Robbie Harwood
rharwood at redhat.com
Tue Jul 21 17:59:26 UTC 2015
Michael Simacek <msimacek at redhat.com> writes:
> This is a first part of my effort to port FreeIPA from Python3-incompatible
> Kerberos libraries to python-gssapi. This patch should replace python-kerberos
> with python-gssapi (both use C GSSAPI behind the scenes).
Okay, Solly and I went through this again, and there might be a problem.
> @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport):
> service = "HTTP@" + host.split(':')[0]
>
> try:
> - (rc, vc) = kerberos.authGSSClientInit(service=service,
> - gssflags=self.flags)
> - except kerberos.GSSError, e:
> - self._handle_exception(e)
> -
> - try:
> - kerberos.authGSSClientStep(vc, "")
> - except kerberos.GSSError, e:
> + name = gssapi.Name(service, gssapi.NameType.hostbased_service)
> + response = gssapi.raw.init_sec_context(name, flags=self.flags).token
> + except gssapi.exceptions.GSSError as e:
> self._handle_exception(e, service=service)
>
> for (h, v) in extra_headers:
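Review bot: In the added line "response = gssapi.raw.init_sec_context(name, flags=self.flags).token", only the token is kept, so the security context and the rest of the result are discarded. Nothing is left to feed a server reply token into, or to check whether context establishment has finished. Consider keeping the returned result on the transport, the way the removed code kept "vc". Also, "response" is bound only inside the try block, so unless _handle_exception always raises, the later base64.b64encode(response) would fail with a NameError.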
> @@ -564,7 +562,7 @@ class KerbTransport(SSLTransport):
> break
>
> extra_headers.append(
> - ('Authorization', 'negotiate %s' % kerberos.authGSSClientResponse(vc))
> + ('Authorization', 'negotiate %s' % base64.b64encode(response))
> )
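Review bot: In the new Authorization header line, base64.b64encode(response) returns bytes on Python 3, so the '%s' formatting would yield a value like b'...' instead of the bare base64 text. Since the stated aim of the port is Python 3 compatibility, decode the encoded value to ASCII before formatting it into the header. The hunk also shows no import of base64, so confirm that one is added elsewhere in the patch, and consider handling the case where response is None.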
If you call init_sec_context, the token returned may be an error token,
and the error will be deferred until the next use of the context. This
behavior can be turned off by setting __DEFER_STEP_ERRORS__ to false on
the class.
More information:
https://pythonhosted.org/gssapi/gssapi.html#gssapi.sec_contexts.SecurityContext.step