[Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code

Petr Spacek pspacek at redhat.com
Tue Mar 17 11:09:04 UTC 2015


On 16.3.2015 17:20, Martin Babinsky wrote:
> On 03/16/2015 01:35 PM, Jan Cholasta wrote:
>> On 16.3.2015 at 13:30, Martin Babinsky wrote:
>>> On 03/16/2015 12:15 PM, Martin Kosek wrote:
>>>> On 03/13/2015 05:37 PM, Martin Babinsky wrote:
>>>>> Attaching the next iteration of patches.

Very good! I hopefully have the last two nitpicks :-) See below.

> diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
> index 4116d974e620341119b56fad3cff1bda48af3bab..cd03e9fd17b60b8b7324d0ccd436a10f7556baf0 100644
> --- a/ipapython/ipautil.py
> +++ b/ipapython/ipautil.py
> @@ -1175,27 +1175,61 @@ def wait_for_open_socket(socket_name, timeout=0):
>              else:
>                  raise e
>  
> -def kinit_hostprincipal(keytab, ccachedir, principal):
> +
> +def kinit_keytab(keytab, ccache_path, principal, attempts=1):
>      """
> -    Given a ccache directory and a principal kinit as that user.
> +    Given a ccache_path , keytab file and a principal kinit as that user.
> +
> +    The optional parameter 'attempts' specifies how many times the credential
> +    initialization should be attempted before giving up and raising
> +    StandardError.
>  
>      This blindly overwrites the current CCNAME so if you need to save
>      it do so before calling this function.
>  
> +    This function is also not thread-safe since it modifies environment
> +    variables.
> +
>      Thus far this is used to kinit as the local host.

This note can be deleted because it is used elsewhere too.

>      """
> -    try:
> -        ccache_file = 'FILE:%s/ccache' % ccachedir
> -        krbcontext = krbV.default_context()
> -        ktab = krbV.Keytab(name=keytab, context=krbcontext)
> -        princ = krbV.Principal(name=principal, context=krbcontext)
> -        os.environ['KRB5CCNAME'] = ccache_file
> -        ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=princ)
> -        ccache.init(princ)
> -        ccache.init_creds_keytab(keytab=ktab, principal=princ)
> -        return ccache_file
> -    except krbV.Krb5Error, e:
> -        raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
> +    root_logger.debug("Initializing principal %s using keytab %s"
> +                      % (principal, keytab))
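
Review bot: the new kinit_keytab docstring does not say what form ccache_path must take or what the function returns. The removed code built 'FILE:%s/ccache' from ccachedir and returned that string, so callers moving to the new signature need to know whether to pass a bare file path or a FILE:-prefixed ccache name, and whether they still get the name back. Suggest documenting both next to the 'attempts' paragraph. Two smaller points in the same docstring: "ccache_path ," has a stray space before the comma, and the warning says "CCNAME" while the variable the removed code sets is KRB5CCNAME. In the root_logger.debug call, passing principal and keytab as logger arguments rather than %-formatting the string up front would defer the formatting until the message is actually emitted.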

I'm sorry for nitpicking, but it would be nice to log ccache_file too. Krb5
libs return quite weird errors when the CC cache is not accessible, so it helps
to have the path at hand.

-- 
Petr^2 Spacek



