author | Martin Babinsky <mbabinsk@redhat.com> | 2015-03-16 16:43:10 +0100 |
committer | Jan Cholasta <jcholast@redhat.com> | 2015-04-20 08:27:35 +0000 |
commit | 3d2feac0e416c66ba37eee53ef5b3833c2c3e414 (patch) | |
tree | 77d8907c8dbba8db76db3cac3b9be09ffc970f01 | |
parent | a8e30e96716992e4160abdb7ac5995bb75e54eae (diff) | |
Adopted kinit_keytab and kinit_password for kerberos auth
Calls to ipautil.run using kinit were replaced with calls to the
kinit_keytab/kinit_password functions implemented in PATCH 0015.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
-rwxr-xr-x | daemons/dnssec/ipa-dnskeysync-replica | 6 | ||||
-rwxr-xr-x | daemons/dnssec/ipa-dnskeysyncd | 4 | ||||
-rwxr-xr-x | daemons/dnssec/ipa-ods-exporter | 6 | ||||
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 4 | ||||
-rw-r--r-- | install/restart_scripts/renew_ca_cert | 8 | ||||
-rw-r--r-- | install/restart_scripts/renew_ra_cert | 7 | ||||
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-automount | 8 | ||||
-rw-r--r-- | ipa-client/ipaclient/ipa_certupdate.py | 4 | ||||
-rw-r--r-- | ipaserver/rpcserver.py | 48 |
9 files changed, 54 insertions, 41 deletions
diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index 8a0ae8a9a..bcf928215 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -139,14 +139,16 @@ log.setLevel(level=logging.DEBUG)
 # Kerberos initialization
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
-ipautil.kinit_hostprincipal(paths.IPA_DNSKEYSYNCD_KEYTAB, WORKDIR, PRINCIPAL)
+ccache_filename = os.path.join(WORKDIR, 'ccache')
+ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename)
+os.environ['KRB5CCNAME'] = ccache_filename
 log.debug('Got TGT')
 # LDAP initialization
 ldap = ipalib.api.Backend[ldap2] # fixme
 log.debug('Connecting to LDAP')
-ldap.connect(ccache="%s/ccache" % WORKDIR)
+ldap.connect(ccache=ccache_filename)
 log.debug('Connected')
diff --git a/daemons/dnssec/ipa-dnskeysyncd b/daemons/dnssec/ipa-dnskeysyncd
index 919130343..b17c8d94e 100755
--- a/daemons/dnssec/ipa-dnskeysyncd
+++ b/daemons/dnssec/ipa-dnskeysyncd
@@ -65,7 +65,9 @@ log = root_logger
 # Kerberos initialization
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
-ipautil.kinit_hostprincipal(KEYTAB_FB, WORKDIR, PRINCIPAL)
+ccache_filename = os.path.join(WORKDIR, 'ccache')
+ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename)
+os.environ['KRB5CCNAME'] = ccache_filename
 # LDAP initialization
 basedn = DN(api.env.container_dns, api.env.basedn)
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 401f35087..6d33b79bb 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
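Review bot: `ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB, ccache_filename)` is called with no handler, so an unreadable keytab or unreachable KDC at daemon start surfaces as an uncaught traceback rather than a log line; the rpcserver and ipa-client-automount hunks of this same commit catch `Krb5Error` from the same call, so the daemon should do likewise, e.g. `except Krb5Error as e: log.error('Failed to obtain TGT for %s: %s', PRINCIPAL, e)` followed by a clean exit (the import of `Krb5Error` would have to be added here as those files do). The ipa-dnskeysyncd hunk on this line, the ipa-ods-exporter, dogtag-ipa-ca-renew-agent-submit and renew_*_cert hunks, and the ipa_certupdate.py hunk all have the same unguarded call. The `ccache` file name under WORKDIR is also fixed across runs; presumably kinit_keytab replaces any existing cache, but it is worth confirming that a stale cache left by a previous run cannot be picked up before the new TGT is written.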
@@ -399,7 +399,9 @@ ipalib.api.finalize()
 # Kerberos initialization
 PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
 log.debug('Kerberos principal: %s', PRINCIPAL)
-ipautil.kinit_hostprincipal(paths.IPA_ODS_EXPORTER_KEYTAB, WORKDIR, PRINCIPAL)
+ccache_name = os.path.join(WORKDIR, 'ccache')
+ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name)
+os.environ['KRB5CCNAME'] = ccache_name
 log.debug('Got TGT')
 # LDAP initialization
@@ -407,7 +409,7 @@ dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn)
 ldap = ipalib.api.Backend[ldap2] # fixme
 log.debug('Connecting to LDAP')
-ldap.connect(ccache="%s/ccache" % WORKDIR)
+ldap.connect(ccache=ccache_name)
 log.debug('Connected')
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 7b91fc611..66f3bf742 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -440,7 +440,9 @@ def main():
 certs.renewal_lock.acquire()
 try:
 principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)
+ ccache_filename = os.path.join(tmpdir, 'ccache')
+ os.environ['KRB5CCNAME'] = ccache_filename
+ ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
 profile = os.environ.get('CERTMONGER_CA_PROFILE')
 if profile:
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index c7bd5d74c..95205e448 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -21,6 +21,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import sys
+import os
 import syslog
 import tempfile
 import shutil
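Review bot: In the dogtag-ipa-ca-renew-agent-submit hunk `os.environ['KRB5CCNAME'] = ccache_filename` is assigned before `ipautil.kinit_keytab(...)`, whereas every other hunk in this commit sets it only after the kinit has succeeded; here a failed kinit leaves the process, and any helper it spawns afterwards, pointed at a ccache that was never populated. Swapping the two added lines so the environment is set after `ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)` keeps the scripts consistent and avoids that window. `main()` continues outside the hunk, so whether a later handler already covers this is not visible here.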
@@ -73,8 +74,9 @@ def _main():
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
 try:
 principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
- principal)
+ ccache_filename = os.path.join(tmpdir, 'ccache')
+ ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
+ os.environ['KRB5CCNAME'] = ccache_filename
 ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
 ca.update_cert_config(nickname, cert, configured_constants)
@@ -139,7 +141,7 @@ def _main():
 conn = None
 try:
 conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
+ conn.connect(ccache=ccache_filename)
 except Exception, e:
 syslog.syslog(
 syslog.LOG_ERR, "Failed to connect to LDAP: %s" % e)
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 7dae35623..1f8fcae6f 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -21,6 +21,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 import sys
+import os
 import syslog
 import tempfile
 import shutil
@@ -42,8 +43,10 @@ def _main():
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
 try:
 principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
- principal)
+ ccache_filename = os.path.join(tmpdir, 'ccache')
+ ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB,
+ ccache_filename)
+ os.environ['KRB5CCNAME'] = ccache_filename
 ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
 if ca.is_renewal_master():
diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
index ca56f9783..eee141812 100755
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -26,6 +26,7 @@ import os
 import urlparse
 import time
 import tempfile
+from krbV import Krb5Error
 import SSSDConfig
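Review bot: In the renew_ra_cert hunk the call is wrapped as `ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB,` / `ccache_filename)` while the identical call in the renew_ca_cert hunk above fits on one line; keeping both on one line makes the two restart scripts diff cleanly against each other. Both hunks also leave `os.environ['KRB5CCNAME']` pointing into `tmpdir`; if that directory is removed at the end of `_main()` (shutil is imported and the function continues outside the hunk, so this is inferred) the variable dangles for any later Kerberos use in the process, and clearing it in the same cleanup, e.g. `os.environ.pop('KRB5CCNAME', None)`, would be tidier.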
@@ -431,10 +432,11 @@ def main():
 os.close(ccache_fd)
 try:
 try:
+ host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
 os.environ['KRB5CCNAME'] = ccache_name
- ipautil.run([paths.KINIT, '-k', '-t', paths.KRB5_KEYTAB, 'host/%s@%s' % (api.env.host, api.env.realm)])
- except ipautil.CalledProcessError, e:
- sys.exit("Failed to obtain host TGT.")
+ except Krb5Error as e:
+ sys.exit("Failed to obtain host TGT: %s" % e)
 # Now we have a TGT, connect to IPA
 try:
 api.Backend.rpcclient.connect()
diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py
index 5ec5026f5..a9530674c 100644
--- a/ipa-client/ipaclient/ipa_certupdate.py
+++ b/ipa-client/ipaclient/ipa_certupdate.py
@@ -55,9 +55,11 @@ class CertUpdate(admintool.AdminTool):
 ldap = ipaldap.IPAdmin(server)
 tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ ccache_name = os.path.join(tmpdir, 'ccache')
 try:
 principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)
+ ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_name)
+ os.environ['KRB5CCNAME'] = ccache_name
 api.Backend.rpcclient.connect()
 try:
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 4173ed918..2f771a0d1 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -30,6 +30,7 @@ import datetime
 import urlparse
 import json
 import traceback
+from krbV import Krb5Error
 import ldap.controls
 from pyasn1.type import univ, namedtype
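Review bot: `except Krb5Error as e` in the ipa-client-automount hunk narrows a handler that previously caught every `ipautil.CalledProcessError` from the kinit subprocess; if `ipautil.kinit_keytab` can fail in other ways (an unreadable keytab raising an OS-level error, for instance — its contract is not visible here, so this is a guess) the user now sees a traceback instead of the "Failed to obtain host TGT" exit. Confirm against kinit_keytab's documented exceptions and widen the tuple accordingly. The new `sys.exit("Failed to obtain host TGT: %s" % e)` message is an improvement over the removed one, since the Kerberos error text is now surfaced.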
@@ -958,8 +959,8 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 def kinit(self, user, realm, password, ccache_name):
 # get http service ccache as an armor for FAST to enable OTP authentication
- armor_principal = krb5_format_service_principal_name(
- 'HTTP', self.api.env.host, realm)
+ armor_principal = str(krb5_format_service_principal_name(
+ 'HTTP', self.api.env.host, realm))
 keytab = paths.IPA_KEYTAB
 armor_name = "%sA_%s" % (krbccache_prefix, user)
 armor_path = os.path.join(krbccache_dir, armor_name)
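Review bot: The new `str(...)` wrap around `krb5_format_service_principal_name(...)` carries no explanation, so a later reader cannot tell whether it is a type requirement of `ipautil.kinit_keytab` or an accident; every other hunk in this commit also builds its principal with `str(...)`, which suggests the underlying krbV binding rejects unicode, but that is not verifiable here. A comment on the line above such as `# kinit_keytab (krbV) presumably needs a native str, not unicode -- confirm` would record the intent. `kinit` continues past this hunk, where `keytab` is kept only for the debug line while the actual call uses `paths.IPA_KEYTAB`.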
@@ -967,34 +968,29 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 self.debug('Obtaining armor ccache: principal=%s keytab=%s ccache=%s',
 armor_principal, keytab, armor_path)
- (stdout, stderr, returncode) = ipautil.run(
- [paths.KINIT, '-kt', keytab, armor_principal],
- env={'KRB5CCNAME': armor_path}, raiseonerr=False)
-
- if returncode != 0:
- raise CCacheError()
+ try:
+ ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path)
+ except Krb5Error as e:
+ raise CCacheError(str(e))
 # Format the user as a kerberos principal
 principal = krb5_format_principal_name(user, realm)
- (stdout, stderr, returncode) = ipautil.run(
- [paths.KINIT, principal, '-T', armor_path],
- env={'KRB5CCNAME': ccache_name, 'LC_ALL': 'C'},
- stdin=password, raiseonerr=False)
-
- self.debug('kinit: principal=%s returncode=%s, stderr="%s"',
- principal, returncode, stderr)
-
- self.debug('Cleanup the armor ccache')
- ipautil.run(
- [paths.KDESTROY, '-A', '-c', armor_path],
- env={'KRB5CCNAME': armor_path},
- raiseonerr=False)
-
- if returncode != 0:
- if stderr.strip() == 'kinit: Cannot read password while getting initial credentials':
- raise PasswordExpired(principal=principal, message=unicode(stderr))
- raise InvalidSessionPassword(principal=principal, message=unicode(stderr))
+ try:
+ ipautil.kinit_password(principal, password, ccache_name,
+ armor_ccache_name=armor_path)
+
+ self.debug('Cleanup the armor ccache')
+ ipautil.run(
+ [paths.KDESTROY, '-A', '-c', armor_path],
+ env={'KRB5CCNAME': armor_path},
+ raiseonerr=False)
+ except RuntimeError as e:
+ if ('kinit: Cannot read password while '
+ 'getting initial credentials') in str(e):
+ raise PasswordExpired(principal=principal, message=unicode(e))
+ raise InvalidSessionPassword(principal=principal,
+ message=unicode(e))
 class change_password(Backend, HTTP_Status): |
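Review bot: The `kdestroy` of the armor ccache now runs only on the success path of `ipautil.kinit_password(...)`; the removed code ran it unconditionally, so after a wrong or expired password the HTTP service's armor TGT is left on disk at the predictable `armor_path` until a later login for the same user overwrites it. Moving the cleanup into a `finally:` restores the previous behaviour, and the re-raises in the `except` branch still propagate through it. The keytab call also passes `paths.IPA_KEYTAB` directly while the debug line just above reports the `keytab` local set in the previous hunk; use `keytab` so the log cannot drift from the call. The substring match on `str(e)` presumes `kinit_password` surfaces kinit's English message (the removed code forced `LC_ALL=C`) and raises `RuntimeError` rather than `Krb5Error` as `kinit_keytab` does; both are worth confirming, since any other exception type would bypass `InvalidSessionPassword` and surface as a server error.
```python
try:
    ipautil.kinit_password(principal, password, ccache_name,
                           armor_ccache_name=armor_path)
except RuntimeError as e:
    # … unchanged: PasswordExpired / InvalidSessionPassword mapping …
finally:
    self.debug('Cleanup the armor ccache')
    ipautil.run(
        [paths.KDESTROY, '-A', '-c', armor_path],
        env={'KRB5CCNAME': armor_path},
        raiseonerr=False)
```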