authorMichael Simacek <msimacek@redhat.com>2015-08-31 14:04:33 +0200
committerJan Cholasta <jcholast@redhat.com>2015-09-22 13:29:55 +0200
commitbdccebbcdb9eb7da476762743121c1e73f95fa10 (patch)
tree38108d6426dfc4dee960b9dba055dc49a1ae38f1
parentcfeea91828ad47e1d321947d04f5f6de0e3d1c8c (diff)
Rewrap errors in get_principal to CCacheError
Causes nicer error message when kerberos credentials are not available. https://fedorahosted.org/freeipa/ticket/5272 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
-rwxr-xr-xinstall/tools/ipa-adtrust-install2
-rw-r--r--ipalib/krb_utils.py10
-rw-r--r--ipalib/rpc.py10
-rw-r--r--ipaserver/rpcserver.py2
4 files changed, 16 insertions, 8 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5bece0d8b..1f41cc437 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -310,7 +310,7 @@ def main():
try:
principal = krb_utils.get_principal()
- except gssapi.exceptions.GSSError as e:
+ except errors.CCacheError as e:
sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)
try:
diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index a1a96a8c2..0c4340c3f 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -173,9 +173,15 @@ def get_principal(ccache_name=None):
default
:returns:
Default principal name as string
+ :raises:
+ errors.CCacheError if the principal cannot be retrieved from given
+ ccache
'''
- creds = get_credentials(ccache_name=ccache_name)
- return unicode(creds.name)
+ try:
+ creds = get_credentials(ccache_name=ccache_name)
+ return unicode(creds.name)
+ except gssapi.exceptions.GSSError as e:
+ raise errors.CCacheError(message=unicode(e))
def get_credentials_if_valid(name=None, ccache_name=None):
'''
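Review bot: The new `except gssapi.exceptions.GSSError` in get_principal turns every GSSAPI failure from get_credentials into CCacheError, so a caller can no longer tell a missing ccache from an expired ticket or an unreadable cache file, and the major/minor status codes are dropped. The added `:raises:` text says only that the principal cannot be retrieved from the given ccache; I would state the mapping explicitly, e.g. `errors.CCacheError for any GSSError raised while acquiring credentials; the GSSAPI text is kept in the message`. `unicode(e)` is also evaluated inside the handler, and if the GSSAPI text can be non-ASCII under the process locale this conversion may itself raise and hide the original error; that is an assumption to confirm, and the same call appears in the ipalib/rpc.py and ipaserver/rpcserver.py hunks.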
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 4d3914d6b..cac1e1de1 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -67,7 +67,7 @@ import ipapython.nsslib
from ipapython.nsslib import NSSHTTPS, NSSConnection
from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
- KRB5_REALM_CANT_RESOLVE, get_principal
+ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
from ipapython.dn import DN
from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
from ipalib import api
@@ -535,8 +535,10 @@ class KerbTransport(SSLTransport):
raise errors.BadCCacheFormat()
elif minor == KRB5_REALM_CANT_RESOLVE:
raise errors.CannotResolveKDC()
+ elif minor == KRB5_CC_NOTFOUND:
+ raise errors.CCacheError()
else:
- raise errors.KerberosError(major=e.maj_code, minor=minor)
+ raise errors.KerberosError(message=unicode(e))
def get_host_info(self, host):
"""
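Review bot: The `else` branch now raises `errors.KerberosError(message=unicode(e))` and no longer passes the major and minor codes that the branches above dispatch on, so an unrecognised GSSAPI failure reaches logs and callers only as free text. If KerberosError accepts keyword data alongside `message` (its definition is not visible here), `raise errors.KerberosError(message=unicode(e), major=e.maj_code, minor=minor)` would keep the codes available for troubleshooting. The enclosing method starts outside the hunk.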
@@ -842,7 +844,7 @@ class RPCClient(Connectible):
# is still valid
if not delegate:
rpc_uri = self.apply_session_cookie(rpc_uri)
- except ValueError:
+ except (errors.CCacheError, ValueError):
# No session key, do full Kerberos auth
pass
# This might be dangerous. Use at your own risk!
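Review bot: The comment `# No session key, do full Kerberos auth` under the widened `except (errors.CCacheError, ValueError):` now describes only the ValueError case; a CCacheError, presumably raised by get_principal during the session-cookie lookup, means no principal could be read from the ccache, and it is discarded without a trace. I would reword the comment as `# No session key or no usable ccache; fall through to full Kerberos auth` and consider logging the exception at debug level, so that a missing-credentials condition is visible when a later authentication failure is being diagnosed. The try block starts outside the hunk.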
@@ -888,7 +890,7 @@ class RPCClient(Connectible):
break
except KerberosError as krberr:
# kerberos error on one server is likely on all
- raise errors.KerberosError(major=str(krberr), minor='')
+ raise errors.KerberosError(message=unicode(krberr))
except ProtocolError as e:
if hasattr(context, 'session_cookie') and e.errcode == 401:
# Unauthorized. Remove the session and try again.
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 298f8bab1..1195d5c88 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -968,7 +968,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
try:
ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path)
except gssapi.exceptions.GSSError as e:
- raise CCacheError(str(e))
+ raise CCacheError(message=unicode(e))
# Format the user as a kerberos principal
principal = krb5_format_principal_name(user, realm)
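Review bot: `raise CCacheError(message=unicode(e))` puts the raw GSSAPI text of a failed `kinit_keytab` for the armor principal into the error message, and that failure concerns the server's own keytab (`paths.IPA_KEYTAB`) and `armor_path` rather than anything the user supplied. Since this is the password login path, it is worth confirming that the caller logs this message server-side and returns a generic status to the HTTP client rather than echoing it; the handling is outside the hunk, so this is a question, not a confirmed leak. A short comment such as `# armor ccache setup failed; detail is for server logs only` would record the intent.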