[Ovirt-devel] Re: [Freeipa-devel] freeipa cmdline tools failing
Rob Crittenden
rcritten at redhat.com
Fri Dec 12 05:09:07 UTC 2008
Perry Myers wrote:
> Simo,
>
> Follow up from the conversation we were having today on IRC in #ovirt
>
> So it looks like an update to the python-kerberos package broke freeipa...
>
> If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do:
>
>> [root at management ~]# ipa-finduser foo
>> No entries found for foo
>
> But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get:
>
>> [root at management ~]# ipa-finduser foo
>> Did not receive Kerberos credentials.
>
> Not sure if this is a problem with freeipa or python-kerberos... Could
> be they changed something (it wasn't a major version upgrade, but it was
> a 1.0 to 1.1 so likely they changed some interface and freeipa needs to
> be updated to work properly with it)
>
> Or could be that python-kerberos has a bug in it.
>
> In any case, if you could try to replicate this, let me know what
> you find out.

The problem is that PyKerberos doesn't support delegation.

python-kerberos 1.0 had a patch which set the delegation flag on every
request. A rather short-sighted fix, in retrospect.

A slightly better fix, which will also require a change in freeipa, is
attached. This adds an optional, unnamed argument to authGSSClientInit()
to request delegation. The new call signature looks like:

    authGSSClientInit(service, False)

The fix for freeipa is to add a second argument, True, to
krbtransport.py, ~line 37. Should look something like this, minus proper
spacing:

    rc, vc = kerberos.authGSSClientInit(service, True)

I suppose the best solution is to provide a mechanism to set whatever
flags one wants but my Python-to-C coding knowledge consists of about 10
minutes of reading the Python documentation so I'm not quite ready for
that :-)

This is briefly tested at best, so YMMV.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: delegate.patch
Type: text/x-patch
Size: 3517 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/ovirt-devel/attachments/20081212/e3e8cf00/attachment.bin>