[Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Petr Spacek
pspacek at redhat.com
Tue Mar 17 11:09:04 UTC 2015
On 16.3.2015 17:20, Martin Babinsky wrote:
> On 03/16/2015 01:35 PM, Jan Cholasta wrote:
>> On 16.3.2015 at 13:30 Martin Babinsky wrote:
>>> On 03/16/2015 12:15 PM, Martin Kosek wrote:
>>>> On 03/13/2015 05:37 PM, Martin Babinsky wrote:
>>>>> Attaching the next iteration of patches.
Very good! I hopefully have the last two nitpicks :-) See below.
> diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
> index 4116d974e620341119b56fad3cff1bda48af3bab..cd03e9fd17b60b8b7324d0ccd436a10f7556baf0 100644
> --- a/ipapython/ipautil.py
> +++ b/ipapython/ipautil.py
> @@ -1175,27 +1175,61 @@ def wait_for_open_socket(socket_name, timeout=0):
> else:
> raise e
>
> -def kinit_hostprincipal(keytab, ccachedir, principal):
> +
> +def kinit_keytab(keytab, ccache_path, principal, attempts=1):
> """
> - Given a ccache directory and a principal kinit as that user.
> + Given a ccache_path , keytab file and a principal kinit as that user.
> +
> + The optional parameter 'attempts' specifies how many times the credential
> + initialization should be attempted before giving up and raising
> + StandardError.
>
> This blindly overwrites the current CCNAME so if you need to save
> it do so before calling this function.
>
> + This function is also not thread-safe since it modifies environment
> + variables.
> +
> Thus far this is used to kinit as the local host.
This note can be deleted because it is used elsewhere too.
> """
> - try:
> - ccache_file = 'FILE:%s/ccache' % ccachedir
> - krbcontext = krbV.default_context()
> - ktab = krbV.Keytab(name=keytab, context=krbcontext)
> - princ = krbV.Principal(name=principal, context=krbcontext)
> - os.environ['KRB5CCNAME'] = ccache_file
> - ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=princ)
> - ccache.init(princ)
> - ccache.init_creds_keytab(keytab=ktab, principal=princ)
> - return ccache_file
> - except krbV.Krb5Error, e:
> - raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
> + root_logger.debug("Initializing principal %s using keytab %s"
> + % (principal, keytab))
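Review bot: the kinit_keytab docstring does not say what form ccache_path takes. The removed kinit_hostprincipal built 'FILE:%s/ccache' from a directory and returned that name, so anyone converting a caller needs to know whether to pass a bare file path or a full ccache name with its type prefix. Please state that in the docstring, and drop the stray space in "ccache_path ,". The 'attempts' paragraph documents only the count; if there is any wait between attempts, the docstring should mention it as well.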
I'm sorry for nitpicking but it would be nice to log ccache_file too. Krb5
libs return quite weird errors when the CC cache is not accessible so it helps to
have the path at hand.
--
Petr^2 Spacek