author | Michael Simacek <msimacek@redhat.com> | 2015-07-20 16:04:07 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-08-26 09:41:36 +0200 |
commit | aad73fad601f576dd83b758f4448839b4e8e87df (patch) | |
tree | c99433fc5aade363e7f9f66a7c08fcfd8e3dfc69 /ipapython/ipautil.py | |
parent | aebb72e1fb144939285380a6a9261c4d4177195e (diff) | |
Port from python-krbV to python-gssapi
python-krbV library is deprecated and doesn't work with python 3. Replacing all
its usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'ipapython/ipautil.py')
-rw-r--r-- | ipapython/ipautil.py | 28 |
1 files changed, 15 insertions, 13 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index c3ffb1d5c..d959bb369 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -34,7 +34,7 @@ import xmlrpclib import datetime import netaddr import time -import krbV +import gssapi import pwd import grp from dns import resolver, rdatatype @@ -54,6 +54,11 @@ GEN_PWD_LEN = 12 IPA_BASEDN_INFO = 'ipa v2.0' +# Having this in krb_utils would cause circular import +KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm +KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941 # A service is not available that is + # required to process the request + try: from subprocess import CalledProcessError except ImportError: @@ -1206,8 +1211,8 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): The optional parameter 'attempts' specifies how many times the credential initialization should be attempted in case of non-responsive KDC. """ - errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE, - krbV.KRB5_KDC_UNREACH} + errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE, + KRB5_KDC_UNREACH} root_logger.debug("Initializing principal %s using keytab %s" % (principal, keytab)) root_logger.debug("using ccache %s" % ccache_name) 
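Review bot: The two constants added in the `@@ -54,6 +54,11 @@` hunk look like the unsigned 32-bit forms of the krb5 error-table codes, and nothing in the comment says so. The retry check in kinit_keytab (`e.min_code not in errors_to_retry`, in the last hunk) only matches while python-gssapi reports minor codes in that same unsigned form. If a binding or platform ever delivered them signed or remapped, a non-responsive KDC would raise on the first attempt instead of being retried, with no error pointing at the mismatch. I would record the coupling next to the definitions, for example `# unsigned 32-bit krb5 minor codes; compared against GSSError.min_code in kinit_keytab`.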
@@ -1218,18 +1223,15 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): else: os.environ.pop('KRB5_CONFIG', None) try: - krbcontext = krbV.default_context() - ktab = krbV.Keytab(name=keytab, context=krbcontext) - princ = krbV.Principal(name=principal, context=krbcontext) - ccache = krbV.CCache(name=ccache_name, context=krbcontext, - primary_principal=princ) - ccache.init(princ) - ccache.init_creds_keytab(keytab=ktab, principal=princ) + name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) + store = {'ccache': ccache_name, + 'client_keytab': keytab} + cred = gssapi.Credentials(name=name, store=store, usage='initiate') root_logger.debug("Attempt %d/%d: success" % (attempt, attempts)) - return - except krbV.Krb5Error as e: - if e.args[0] not in errors_to_retry: + return cred + except gssapi.exceptions.GSSError as e: + if e.min_code not in errors_to_retry: raise root_logger.debug("Attempt %d/%d: failed: %s" % (attempt, attempts, e)) |
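Review bot: The new `gssapi.Credentials(name=name, store=store, usage='initiate')` call does not obviously force a fresh ticket the way the removed `ccache.init(princ)` / `ccache.init_creds_keytab(...)` pair did. With a `'ccache'` entry in the store, a GSSAPI implementation may, as far as I can tell, reuse credentials already present in `ccache_name`, so "Attempt %d/%d: success" could be logged without the keytab being used against the KDC. Callers that use kinit_keytab to confirm a keytab is still valid, or to pick up rotated keys, should either get that guarantee back (clear the target cache before acquiring) or have the behaviour stated in the docstring, e.g. `Existing valid credentials in ccache_name may be reused.` The function now returns `cred` on success, which the docstring should also mention. The docstring and the rest of the retry loop lie outside this hunk, so I cannot confirm what is returned once all attempts are exhausted.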