-rwxr-xr-xinstall/tools/ipa-adtrust-install2
-rwxr-xr-xinstall/tools/ipa-dns-install2
-rwxr-xr-xinstall/tools/ipa-replica-manage2
-rw-r--r--ipalib/plugins/kerberos.py9
-rw-r--r--ipaserver/plugins/ldap2.py15
5 files changed, 21 insertions, 9 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 17f2f0e98..6985bba27 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -299,7 +299,7 @@ def main():
sys.exit("Must have Kerberos credentials to setup AD trusts on server")
try:
- api.Backend.ldap2.connect(ccache.name)
+ api.Backend.ldap2.connect(ccache)
except errors.ACIError, e:
sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
except errors.DatabaseError, e:
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 71592d489..2ab90b648 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -205,7 +205,7 @@ def main():
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=bind.dm_password)
else:
# See if our LDAP server is up and we can talk to it over GSSAPI
- ccache = krbV.default_context().default_ccache().name
+ ccache = krbV.default_context().default_ccache()
api.Backend.ldap2.connect(ccache)
if options.reverse_zone:
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 242289108..0dad14319 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -667,7 +667,7 @@ def del_master(realm, hostname, options):
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=options.dirman_passwd)
else:
- ccache = krbV.default_context().default_ccache().name
+ ccache = krbV.default_context().default_ccache()
api.Backend.ldap2.connect(ccache=ccache)
bind = bindinstance.BindInstance()
bind.remove_master_dns_records(hostname, realm, realm.lower())
diff --git a/ipalib/plugins/kerberos.py b/ipalib/plugins/kerberos.py
index e6f775b97..7ae63b930 100644
--- a/ipalib/plugins/kerberos.py
+++ b/ipalib/plugins/kerberos.py
@@ -66,14 +66,17 @@ class krb(Backend):
def default_ccname(self):
"""
- Return the default ccache file name.
+ Return the default ccache file name (schema+name).
- This will return something like '/tmp/krb5cc_500'.
+ This will return something like 'FILE:/tmp/krb5cc_500'.
This cannot return anything meaningful if used in the server as a
request is processed.
"""
- return self.__default_ccache().name
+ default_ccache = self.__default_ccache()
+ ccname = "%(type)s:%(name)s" % dict(type=default_ccache.type,
+ name=default_ccache.name)
+ return ccname
def default_principal(self):
"""
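Review bot: `default_ccname` now returns a type-qualified string such as 'FILE:/tmp/krb5cc_500', which changes the contract for any caller that treats the result as a filesystem path (existence or permission checks, cleanup). Those callers are outside this diff and should be audited. The docstring should state this explicitly, for example `The result is a ccache name suitable for KRB5CCNAME, not a filesystem path.`, and "schema" would read better as "type". The same `"%(type)s:%(name)s"` expression is repeated in ipaserver/plugins/ldap2.py, so a small shared helper would keep the two in step.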
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 2dd3f4784..908a101eb 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -788,7 +788,7 @@ class ldap2(CrudBackend):
Keyword arguments:
ldapuri -- the LDAP server to connect to
- ccache -- Kerberos V5 ccache name
+ ccache -- Kerberos V5 ccache object or name
bind_dn -- dn used to bind to the server
bind_pw -- password used to bind to the server
debug_level -- LDAP debug level option
@@ -826,10 +826,19 @@ class ldap2(CrudBackend):
if maxssf < minssf:
conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
if ccache is not None:
+ if isinstance(ccache, krbV.CCache):
+ principal = ccache.principal().name
+ # Get a fully qualified CCACHE name (schema+name)
+ # As we do not use the krbV.CCache object later,
+ # we can safely overwrite it
+ ccache = "%(type)s:%(name)s" % dict(type=ccache.type,
+ name=ccache.name)
+ else:
+ principal = krbV.CCache(name=ccache,
+ context=krbV.default_context()).principal().name
+
os.environ['KRB5CCNAME'] = ccache
conn.sasl_interactive_bind_s(None, SASL_AUTH)
- principal = krbV.CCache(name=ccache,
- context=krbV.default_context()).principal().name
setattr(context, 'principal', principal)
else:
# no kerberos ccache, use simple bind or external sasl
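Review bot: The principal lookup now runs before `conn.sasl_interactive_bind_s`, so an empty or unreadable ccache fails in `ccache.principal()` (or in the `krbV.CCache(...)` call of the else branch) with a krbV exception instead of the LDAP error the bind used to produce. The callers visible in this commit, such as ipa-adtrust-install, catch only `errors.ACIError` and `errors.DatabaseError`. Unless the enclosing code in this method translates krbV errors (not visible in this hunk), they would show a traceback rather than the "Outdated Kerberos credentials" message. I would either wrap the lookup in `except krbV.Krb5Error` and re-raise it as an ipalib error, or keep the lookup after the bind as before. A string passed in the else branch also reaches `os.environ['KRB5CCNAME']` unqualified while the object branch is qualified as type:name, and the docstring should say which form a string argument must take. The method body starts and ends outside the hunk.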