author | Michael Simacek <msimacek@redhat.com> | 2015-08-31 14:04:33 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-09-22 13:29:55 +0200 |
commit | bdccebbcdb9eb7da476762743121c1e73f95fa10 (patch) | |
tree | 38108d6426dfc4dee960b9dba055dc49a1ae38f1 | |
parent | cfeea91828ad47e1d321947d04f5f6de0e3d1c8c (diff) | |
Rewrap errors in get_principal to CCacheError
Gives a nicer error message when Kerberos credentials are not available.
https://fedorahosted.org/freeipa/ticket/5272
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
-rwxr-xr-x | install/tools/ipa-adtrust-install | 2 | ||||
-rw-r--r-- | ipalib/krb_utils.py | 10 | ||||
-rw-r--r-- | ipalib/rpc.py | 10 | ||||
-rw-r--r-- | ipaserver/rpcserver.py | 2 |
4 files changed, 16 insertions, 8 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 5bece0d8b..1f41cc437 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -310,7 +310,7 @@ def main(): try: principal = krb_utils.get_principal() - except gssapi.exceptions.GSSError as e: + except errors.CCacheError as e: sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message) try: diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py index a1a96a8c2..0c4340c3f 100644 --- a/ipalib/krb_utils.py +++ b/ipalib/krb_utils.py @@ -173,9 +173,15 @@ def get_principal(ccache_name=None): default :returns: Default principal name as string + :raises: + errors.CCacheError if the principal cannot be retrieved from given + ccache ''' - creds = get_credentials(ccache_name=ccache_name) - return unicode(creds.name) + try: + creds = get_credentials(ccache_name=ccache_name) + return unicode(creds.name) + except gssapi.exceptions.GSSError as e: + raise errors.CCacheError(message=unicode(e)) def get_credentials_if_valid(name=None, ccache_name=None): ''' diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 4d3914d6b..cac1e1de1 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -67,7 +67,7 @@ import ipapython.nsslib from ipapython.nsslib import NSSHTTPS, NSSConnection from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \ - KRB5_REALM_CANT_RESOLVE, get_principal + KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal from ipapython.dn import DN from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES from ipalib import api 
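Review bot: The new `except gssapi.exceptions.GSSError as e` in get_principal (ipalib/krb_utils.py, @@ -173) turns every GSSAPI failure into `errors.CCacheError` and keeps only `unicode(e)`. A caller can therefore no longer tell a missing ccache from an expired or unreadable one without parsing the message. The rpc.py hunks in this same commit still branch on individual minor codes, so the two paths classify the same failure differently. I would say so in the new `:raises:` text, e.g. `errors.CCacheError for any GSSAPI failure while reading the ccache; the original major/minor codes survive only as far as the message text includes them`. Only the tail of the docstring and the function body are inside the hunk.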
@@ -535,8 +535,10 @@ class KerbTransport(SSLTransport): raise errors.BadCCacheFormat() elif minor == KRB5_REALM_CANT_RESOLVE: raise errors.CannotResolveKDC() + elif minor == KRB5_CC_NOTFOUND: + raise errors.CCacheError() else: - raise errors.KerberosError(major=e.maj_code, minor=minor) + raise errors.KerberosError(message=unicode(e)) def get_host_info(self, host): """ @@ -842,7 +844,7 @@ class RPCClient(Connectible): # is still valid if not delegate: rpc_uri = self.apply_session_cookie(rpc_uri) - except ValueError: + except (errors.CCacheError, ValueError): # No session key, do full Kerberos auth pass # This might be dangerous. Use at your own risk! @@ -888,7 +890,7 @@ class RPCClient(Connectible): break except KerberosError as krberr: # kerberos error on one server is likely on all - raise errors.KerberosError(major=str(krberr), minor='') + raise errors.KerberosError(message=unicode(krberr)) except ProtocolError as e: if hasattr(context, 'session_cookie') and e.errcode == 401: # Unauthorized. Remove the session and try again. diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index 298f8bab1..1195d5c88 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -968,7 +968,7 @@ class login_password(Backend, KerberosSession, HTTP_Status): try: ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path) except gssapi.exceptions.GSSError as e: - raise CCacheError(str(e)) + raise CCacheError(message=unicode(e)) # Format the user as a kerberos principal principal = krb5_format_principal_name(user, realm) |
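Review bot: The fallback `raise errors.KerberosError(message=unicode(e))` in the @@ -535 hunk no longer passes `major`/`minor`, so the GSSAPI codes that identify the failure are absent from the raised error. The same holds for `raise errors.KerberosError(message=unicode(krberr))` in the @@ -888 hunk. The added `KRB5_CC_NOTFOUND` branch raises `errors.CCacheError()` with no detail at all. If the message override is wanted for readability, the codes could still travel with it, e.g. `raise errors.KerberosError(message=unicode(e), major=e.maj_code, minor=minor)`, assuming the error class accepts extra keywords alongside `message`, which is not visible here. The enclosing methods start outside both hunks.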
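Review bot: The comment under the widened handler in the @@ -842 hunk, `# No session key, do full Kerberos auth`, no longer describes everything that `except (errors.CCacheError, ValueError)` swallows. It now also covers the case where no principal could be read from the credential cache. I would reword it to `# No session key or no usable ccache; fall through to full Kerberos auth, which reports the credential problem itself`; the second half is my reading of the intent and should be confirmed. The surrounding method starts and ends outside the hunk.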
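Review bot: `raise CCacheError(message=unicode(e))` in login_password (ipaserver/rpcserver.py) puts the raw GSSAPI text from the armor `kinit_keytab` call into the error message. This class handles password logins, and the code that turns the exception into a response is outside the hunk. If the message reaches the HTTP reply, a client that has not yet authenticated would see internal detail, which can include the armor principal or the ccache path. I would log `e` with the logger this class already uses and raise `CCacheError()` with its fixed message, or add a comment stating that exposing the text is intended.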