<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/26/2014 11:43 AM, Yago Fernández
Pinilla wrote:<br>
</div>
<blockquote
cite="mid:CA+1Ahm1x5CcaDcWOxyucyPQ89pa999riT8T+ZJymwwbqReoL0A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>I have checked what you told me.<br>
<br>
</div>
What I would like to do is: having a user and a password,
authenticate against the Kerberos server using a Python
script (not using kinit) and then be able to access the
ticket that is returned by Kerberos.<br>
</div>
</div>
</div>
</blockquote>
<br>
Access by what?<br>
Can you please describe a full flow as you see it?<br>
<br>
<blockquote
cite="mid:CA+1Ahm1x5CcaDcWOxyucyPQ89pa999riT8T+ZJymwwbqReoL0A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<br>
</div>
<div>User -----> Service ------> Kerberos<br>
<br>
</div>
<div>The user sends user and password the first time to
authenticate and then the ticket.<br>
</div>
<div>I know that this can look a bit weird but in the
environment that I'm working on I need this.<br>
<br>
</div>
<div>Any idea how I can do this? I have checked many libraries
in Python but they don't seem to have what I need.<br>
<br>
</div>
<div>Thanks in advance<br>
<br>
</div>
<div>Yago<br>
</div>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Aug 26, 2014 at 9:37 AM, Yago
Fernández Pinilla <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:yagofp8@gmail.com"
target="_blank">yagofp8@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>Thanks for the info!<br>
<br>
</div>
I will work more on this and comment on my progress <br>
<br>
</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Aug 25, 2014 at 5:48
PM, Rob Crittenden <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Yago Fernández Pinilla wrote:<br>
> I'm using FreeIPA 3.3.5. And according to what I saw, using the API<br>
> seems to be the best option.<br>
><br>
> For the time being I just want to request
tickets and check tickets.<br>
><br>
> Is that possible?<br>
> .<br>
<br>
</div>
I'm still not sure what it is you're trying to do.<br>
<br>
It's important to remember that IPA isn't a server
itself, it is a<br>
collection of services configured to work together
towards a common goal<br>
(centralized identity). What we add is a
management framework on top to<br>
(hopefully) make things easier. This is what our
API does, helps you<br>
manage users, groups, etc.<br>
<br>
A ticket is a Kerberos concept and you would
obtain it directly from the<br>
KDC. The IPA API is not involved in that case.<br>
<br>
If that is what you want to do then it involves
the python-krbV package<br>
which is difficult at best to use and doesn't
implement the entire<br>
Kerberos stack. You can though do the equivalent
of a kinit using a<br>
keytab doing something like:<br>
<br>
import os<br>
import krbV<br>
from ipalib import api<br>
<br>
# Initialize the IPA client framework so api.env is populated<br>
api.bootstrap(context='test')<br>
api.finalize()<br>
<br>
ccache_file = 'FILE:/tmp/host_ccache'<br>
krbcontext = krbV.default_context()<br>
principal = str('host/%s@%s' % (api.env.host, api.env.realm))<br>
keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)<br>
principal = krbV.Principal(name=principal, context=krbcontext)<br>
os.environ['KRB5CCNAME'] = ccache_file<br>
ccache = krbV.CCache(name=ccache_file, context=krbcontext,<br>
primary_principal=principal)<br>
ccache.init(principal)<br>
# Equivalent of "kinit -k": obtain a TGT for the host principal from the keytab<br>
ccache.init_creds_keytab(keytab=keytab, principal=principal)<br>
<br>
You'll definitely want to do something differently
with the ccache file<br>
than I'm showing here.<br>
<br>
I threw in IPA client initialization here so you
could use this to<br>
prepare to do IPA API calls.<br>
<br>
rob<br>
<div><br>
><br>
><br>
> On Mon, Aug 25, 2014 at 3:49 PM, Rob Crittenden <<a moz-do-not-send="true"
href="mailto:rcritten@redhat.com"
target="_blank">rcritten@redhat.com</a>><br>
</div>
<div>> wrote:<br>
><br>
> Yago Fernández Pinilla wrote:<br>
> > I want to integrate it in another service. Is there any good documentation<br>
> > about the APIs?<br>
><br>
> We really need more details in order to
help you.<br>
><br>
> The API for IPA is not documented
though once you get the patterns down<br>
> it is fairly straightforward.<br>
><br>
> This of course is a completely separate
issue of kinit in python. What<br>
> release of IPA on which distro(s) are
you looking at?<br>
><br>
> rob<br>
><br>
> ><br>
> > Thanks in advance<br>
> ><br>
> ><br>
> > On Mon, Aug 25, 2014 at 3:08 PM, Jakub Hrozek <<a moz-do-not-send="true"
href="mailto:jhrozek@redhat.com"
target="_blank">jhrozek@redhat.com</a>><br>
</div>
<div>> > wrote:<br>
> ><br>
> > On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote:<br>
> > > Hi,<br>
> > ><br>
> > > I would like to create a script in Python that does the same as<br>
> > > kinit; I don't know where to start.<br>
> ><br>
> > Why do you need this?<br>
> ><br>
> > --<br>
> > Manage your subscription for
the Freeipa-users mailing list:<br>
> > <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
> > Go To <a
moz-do-not-send="true"
href="http://freeipa.org" target="_blank">http://freeipa.org</a>
for more info on the project<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > --<br>
> > Yago Fernández Pinilla<br>
> > e-mail: <a moz-do-not-send="true"
href="mailto:yagofp8@gmail.com"
target="_blank">yagofp8@gmail.com</a><br>
</div>
<span><font color="#888888">><br>
> --<br>
> Yago Fernández Pinilla<br>
> e-mail: <a moz-do-not-send="true"
href="mailto:yagofp8@gmail.com"
target="_blank">yagofp8@gmail.com</a>
<mailto:<a moz-do-not-send="true"
href="mailto:yagofp8@gmail.com"
target="_blank">yagofp8@gmail.com</a>><br>
><br>
<br>
</font></span></blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Yago Fernández Pinilla<br>
e-mail: <a moz-do-not-send="true"
href="mailto:yagofp8@gmail.com" target="_blank">yagofp8@gmail.com</a><br>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Yago Fernández Pinilla<br>
e-mail: <a moz-do-not-send="true"
href="mailto:yagofp8@gmail.com">yagofp8@gmail.com</a><br>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
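<p>Rob's snippet in the quoted thread writes the ticket cache to the fixed path /tmp/host_ccache and notes that the ccache should be handled differently. The following is an added example, not code from the thread or from the FreeIPA project: it shows one way to give a service a private, short-lived credential cache and to check an existing FILE: cache for unsafe placement. The helper names <code>private_ccache</code> and <code>ccache_problems</code> and the directory prefix are assumptions made for illustration.</p>

```python
import contextlib
import os
import shutil
import stat
import tempfile


def ccache_problems(ccache_name):
    """Return reasons a FILE: credential cache name is unsafe (hypothetical helper)."""
    kind, _, path = ccache_name.partition(":")
    if kind != "FILE" or not path:
        return ["not a FILE: ccache name"]
    problems = []
    # A directory other users can write to lets them pre-create a fixed name.
    parent = os.stat(os.path.dirname(path) or ".")
    if stat.S_IMODE(parent.st_mode) & 0o022:
        problems.append("parent directory is writable by other users")
    try:
        st = os.lstat(path)  # lstat: never follow a planted symlink
    except FileNotFoundError:
        return problems  # cache not created yet
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symlink")
    if st.st_uid != os.geteuid():
        problems.append("owned by another user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("readable or writable by group/others")
    return problems


@contextlib.contextmanager
def private_ccache(prefix="krb5cc_svc_"):
    """Yield a ccache name in a fresh 0700 directory and export KRB5CCNAME."""
    workdir = tempfile.mkdtemp(prefix=prefix)  # mode 0700, random suffix
    name = "FILE:" + os.path.join(workdir, "ccache")
    previous = os.environ.get("KRB5CCNAME")
    os.environ["KRB5CCNAME"] = name
    try:
        yield name
    finally:
        # Restore the caller's environment, then destroy the tickets.
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        shutil.rmtree(workdir, ignore_errors=True)
```

<p>Inside the <code>with private_ccache() as ccache_file:</code> block, the yielded name takes the place of the fixed <code>ccache_file</code> value in the quoted snippet; the tickets are removed when the block exits.</p>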
</body>
</html>