[Freeipa-users] Custom kinit

Yago Fernández Pinilla yagofp8 at gmail.com
Tue Aug 26 09:43:20 UTC 2014


I have checked what you told me.

What I would like to do is: having a user and a password, authenticate
against the Kerberos server using a Python script (not using kinit) and
then be able to access the ticket that is returned by Kerberos.

User -----> Service  ------> Kerberos

The user sends user and password the first time to authenticate, and then
the ticket.
I know that this can look a bit weird, but in the environment that I'm
working in I need this.

Any idea how I can do this? I have checked many libraries in Python but
they don't seem to have what I need.

Thanks in advance

Yago



On Tue, Aug 26, 2014 at 9:37 AM, Yago Fernández Pinilla <yagofp8 at gmail.com>
wrote:

> Thanks for the info!
>
> I will work more on this and comment my progress
>
>
>
> On Mon, Aug 25, 2014 at 5:48 PM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> Yago Fernández Pinilla wrote:
>> > I'm using FreeIPA 3.3.5. And according to what I saw, using the API
>> > seems to be the best option.
>> >
>> > For the time being I just want to request tickets and check tickets.
>> >
>> > Is that possible?
>> >
>>
>> I'm still not sure what it is you're trying to do.
>>
>> It's important to remember that IPA isn't a server itself, it is a
>> collection of services configured to work together towards a common goal
>> (centralized identity). What we add is a management framework on top to
>> (hopefully) make things easier. This is what our API does, helps you
>> manage users, groups, etc.
>>
>> A ticket is a Kerberos concept and you would obtain it directly from the
>> KDC. The IPA API is not involved in that case.
>>
>> If that is what you want to do then it involves the python-krbV package
>> which is difficult at best to use and doesn't implement the entire
>> Kerberos stack. You can though do the equivalent of a kinit using a
>> keytab doing something like:
>>
>> import os
>>
>> import krbV
>> from ipalib import api
>>
>> # Initialize the IPA client framework (provides api.env.host / api.env.realm)
>> api.bootstrap(context='test')
>> api.finalize()
>>
>> ccache_file = 'FILE:/tmp/host_ccache'
>> krbcontext = krbV.default_context()
>> principal = str('host/%s@%s' % (api.env.host, api.env.realm))
>> keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
>> principal = krbV.Principal(name=principal, context=krbcontext)
>> # Point Kerberos-aware libraries at this credential cache
>> os.environ['KRB5CCNAME'] = ccache_file
>> ccache = krbV.CCache(name=ccache_file, context=krbcontext,
>>     primary_principal=principal)
>> ccache.init(principal)
>> # Equivalent of "kinit -k": obtain a TGT using the host keytab
>> ccache.init_creds_keytab(keytab=keytab, principal=principal)
>>
>> You'll definitely want to do something differently with the ccache file
>> than I'm showing here.
>>
>> I threw in IPA client initialization here so you could use this to
>> prepare to do IPA API calls.
>>
>> rob
>>
>> >
>> >
>> > On Mon, Aug 25, 2014 at 3:49 PM, Rob Crittenden <rcritten at redhat.com>
>> > wrote:
>> >
>> >     Yago Fernández Pinilla wrote:
>> >     > I want to integrate it in other service. Is there any good
>> >     > documentation about the APIs?
>> >
>> >     We really need more details in order to help you.
>> >
>> >     The API for IPA is not documented though once you get the patterns
>> >     down it is fairly straightforward.
>> >
>> >     This of course is a completely separate issue of kinit in python.
>> >     What release of IPA on which distro(s) are you looking at?
>> >
>> >     rob
>> >
>> >     >
>> >     > Thanks in advance
>> >     >
>> >     >
>> >     > On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek
>> >     > <jhrozek at redhat.com> wrote:
>> >     >
>> >     >     On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández
>> >     >     Pinilla wrote:
>> >     >     > Hi,
>> >     >     >
>> >     >     > I would like to create a script in python that does the same
>> >     >     > that kinit, I don't where to start.
>> >     >
>> >     >     Why do you need this?
>> >     >
>> >     >     --
>> >     >     Manage your subscription for the Freeipa-users mailing list:
>> >     >     https://www.redhat.com/mailman/listinfo/freeipa-users
>> >     >     Go To http://freeipa.org for more info on the project
>> >     >
>> >     >
>> >     >
>> >     >
>> >     > --
>> >     > Yago Fernández Pinilla
>> >     > e-mail: yagofp8 at gmail.com
>> >     >
>> >     >
>> >     >
>> >
>> >
>> >
>> >
>> > --
>> > Yago Fernández Pinilla
>> > e-mail: yagofp8 at gmail.com
>> >
>>
>>
>
>
> --
> Yago Fernández Pinilla
> e-mail: yagofp8 at gmail.com
>
>


-- 
Yago Fernández Pinilla
e-mail: yagofp8 at gmail.com
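
Added example, not part of the original thread or of FreeIPA's own code: one way to do a password-based "kinit" from Python while keeping the ticket out of a fixed, predictable /tmp path such as the one in the quoted snippet. It assumes the python-gssapi package and a reachable KDC for `kinit_with_password`; the function names are hypothetical and chosen for illustration.

```python
import contextlib
import os
import shutil
import stat
import tempfile


@contextlib.contextmanager
def private_ccache(prefix="krb5cc_svc_"):
    """Yield a FILE: ccache name inside a fresh 0700 directory, then remove it."""
    # mkdtemp creates the directory with mode 0700 and an unpredictable name,
    # so another local user cannot pre-create or symlink the cache path.
    workdir = tempfile.mkdtemp(prefix=prefix)
    ccname = "FILE:" + os.path.join(workdir, "ccache")
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = ccname
    try:
        yield ccname
    finally:
        # Restore the caller's environment and destroy the ticket file.
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        shutil.rmtree(workdir, ignore_errors=True)


def ccache_is_private(ccname):
    """True if the ccache directory is owned by us and closed to group/other."""
    path = ccname.split(":", 1)[1]
    st = os.stat(os.path.dirname(path))
    return st.st_uid == os.getuid() and (stat.S_IMODE(st.st_mode) & 0o077) == 0


def kinit_with_password(principal, password, ccname):
    """Get a TGT for principal and store it in ccname; returns its lifetime in seconds.

    Assumption: python-gssapi is installed and the realm's KDC is reachable.
    """
    import gssapi  # imported lazily: only needed when actually contacting the KDC

    name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
    result = gssapi.raw.acquire_cred_with_password(
        name, password.encode("utf-8"), usage="initiate")
    creds = gssapi.Credentials(base=result.creds)
    # Write the ticket into our private cache instead of the default one.
    creds.store(store={"ccache": ccname}, usage="initiate", overwrite=True)
    return creds.lifetime
```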