authorJan Cholasta <jcholast@redhat.com>2015-05-20 14:23:30 +0000
committerJan Cholasta <jcholast@redhat.com>2015-05-21 07:42:24 +0000
commit454e8691cf7d64696fb8602d6e1ce5241f00f328 (patch)
treed0576deb7a1e11f9354e5e7d02ad708377998d42 /ipapython
parent9d8ac395c00e48c95f8fdccbc05d43dd144f82ad (diff)
client-install: Fix kinits with non-default Kerberos config file
https://fedorahosted.org/freeipa/ticket/4808 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/ipautil.py21
1 files changed, 18 insertions, 3 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index bdbf8da49..abdb96d9b 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1186,7 +1186,7 @@ def wait_for_open_socket(socket_name, timeout=0):
raise e
-def kinit_keytab(principal, keytab, ccache_name, attempts=1):
+def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
"""
Given a ccache_path, keytab file and a principal kinit as that user.
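Review bot: Inserting `config=None` ahead of `attempts` changes the meaning of the fourth positional argument, so an existing caller that passes `attempts` positionally would now have its retry count taken as the config path. Appending the new parameter keeps such callers working: `def kinit_keytab(principal, keytab, ccache_name, attempts=1, config=None):`. The same applies to `kinit_password` in the third hunk, where `config` is placed before `armor_ccache_name`. No callers are visible on this page, so whether any pass these arguments positionally needs checking. The function body continues outside the hunk.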
@@ -1199,6 +1199,11 @@ def kinit_keytab(principal, keytab, ccache_name, attempts=1):
% (principal, keytab))
root_logger.debug("using ccache %s" % ccache_name)
for attempt in range(1, attempts + 1):
+ old_config = os.environ.get('KRB5_CONFIG')
+ if config is not None:
+ os.environ['KRB5_CONFIG'] = config
+ else:
+ os.environ.pop('KRB5_CONFIG', None)
try:
krbcontext = krbV.default_context()
ktab = krbV.Keytab(name=keytab, context=krbcontext)
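Review bot: When `config` is None, the `else` branch removes an inherited `KRB5_CONFIG` for the duration of the attempt, so a process started with that variable set would presumably authenticate against the library's default configuration instead of the one it was launched with. If that is not intended, drop the `else:` / `os.environ.pop('KRB5_CONFIG', None)` pair so the variable is only overridden when a path is given; if it is intended, say so in the docstring. `os.environ` is also process-wide, so another thread that initialises a Kerberos context while this loop runs sees the temporary value. The `try` body continues outside the hunk, and the restore sits in the next hunk's `finally`.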
@@ -1221,9 +1226,15 @@ def kinit_keytab(principal, keytab, ccache_name, attempts=1):
raise
root_logger.debug("Waiting 5 seconds before next retry")
time.sleep(5)
+ finally:
+ if old_config is not None:
+ os.environ['KRB5_CONFIG'] = old_config
+ else:
+ os.environ.pop('KRB5_CONFIG', None)
-def kinit_password(principal, password, ccache_name, armor_ccache_name=None):
+def kinit_password(principal, password, ccache_name, config=None,
+ armor_ccache_name=None):
"""
perform interactive kinit as principal using password. If using FAST for
web-based authentication, use armor_ccache_path to specify http service
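Review bot: The docstring of `kinit_password` here does not mention the new `config` argument, and the visible part of the `kinit_keytab` docstring in the first hunk does not either. Each should state what the argument is and what None means, since a wrong or unexpected Kerberos configuration decides which KDC and realm settings the kinit trusts. A line such as `config: path to a Kerberos configuration file, exported as KRB5_CONFIG for this kinit; None means this function sets no KRB5_CONFIG` would do. Both docstrings continue outside their hunks.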
@@ -1236,9 +1247,13 @@ def kinit_password(principal, password, ccache_name, armor_ccache_name=None):
% armor_ccache_name)
args.extend(['-T', armor_ccache_name])
+ env = {'LC_ALL': 'C'}
+ if config is not None:
+ env['KRB5_CONFIG'] = config
+
# this workaround enables us to capture stderr and put it
# into the raised exception in case of unsuccessful authentication
- (stdout, stderr, retcode) = run(args, stdin=password, env={'LC_ALL': 'C'},
+ (stdout, stderr, retcode) = run(args, stdin=password, env=env,
raiseonerr=False)
if retcode:
raise RuntimeError(stderr)