author | Simo Sorce <simo@redhat.com> | 2016-12-07 04:33:40 -0500 |
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | b109f5d850ce13585d4392ca48896dc069a746e5 (patch) | |
tree | ca1e3c0d8577c1802785b6a645c3169a36e22f2f /ipaserver/dcerpc.py | |
parent | 38c66896de1769077cd5b057133606ec5eeaf62b (diff) | |
Drop use of kinit_as_http from trust code
The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domain list is normally fetched via oddjob anyway so this use is
not necessary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/dcerpc.py')
-rw-r--r-- | ipaserver/dcerpc.py | 48 |
1 files changed, 3 insertions, 45 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index aa790b75f..f00141bb5 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -633,50 +633,6 @@ class DomainValidator(object):
 return u'S-%d-%d-%s' % (sid_rev_num, ia, '-'.join([str(s) for s in subs]),)
- def kinit_as_http(self, domain):
- """
- Initializes ccache with http service credentials.
-
- Applies session code defaults for ccache directory and naming prefix.
- Session code uses kinit_+<pid>, we use
- kinit_+<TD>+<domain netbios name> so there is no clash.
-
- Returns tuple (ccache path, principal) where (None, None) signifes an
- error on ccache initialization
- """
-
- domain_suffix = domain.replace('.', '-')
-
- ccache_name = "kinit_TD%s" % (domain_suffix)
- ccache_path = os.path.join(paths.IPA_CCACHES, ccache_name)
-
- realm = api.env.realm
- hostname = api.env.host
- principal = 'HTTP/%s@%s' % (hostname, realm)
- keytab = paths.IPA_KEYTAB
-
- # Destroy the contents of the ccache
- root_logger.debug('Destroying the contents of the separate ccache')
-
- ipautil.run(
- [paths.KDESTROY, '-A', '-c', ccache_path],
- env={'KRB5CCNAME': ccache_path},
- raiseonerr=False)
-
- # Destroy the contents of the ccache
- root_logger.debug('Running kinit from ipa.keytab to obtain HTTP '
- 'service principal with MS-PAC attached.')
-
- result = ipautil.run(
- [paths.KINIT, '-kt', keytab, principal],
- env={'KRB5CCNAME': ccache_path},
- raiseonerr=False)
-
- if result.returncode == 0:
- return (ccache_path, principal)
- else:
- return (None, None)
- def kinit_as_administrator(self, domain):
- """
- Initializes ccache with http service credentials.
@@ -1481,7 +1437,9 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
 ccache_name, _principal = domval.kinit_as_administrator(
 trustdomain)
 else:
- ccache_name, _principal = domval.kinit_as_http(trustdomain)
+ raise errors.ValidationError(name=_('Credentials'),
+ error=_('Missing credentials for '
+ 'cross-forest communication'))
 td.creds = credentials.Credentials()
 td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
 if ccache_name: |
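Review bot: The `creds=None` default in the fetch_domains signature (visible in the hunk header) now names a value the function rejects with the added ValidationError, so a caller relying on the default gets an error instead of the former keytab-based fallback, and neither the default nor the docstring says so. I would document it with `Raises errors.ValidationError when creds is None: cross-forest communication requires explicitly supplied trust credentials; the HTTP service keytab is no longer used.` and would consider moving the check to a guard clause at the top of the function, since it depends only on the argument and could fail before domval is constructed and any further work is done. The condition that selects the kinit_as_administrator branch is outside the hunk, so the exact branch structure is inferred from the `else:` context line. fetch_domains starts and ends outside the hunk.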