author | Martin Kosek <mkosek@redhat.com> | 2013-01-31 17:18:35 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-02-01 08:13:50 +0100 |
commit | 893064f6132a9cbcfa35f6eca8964c69caad533e (patch) | |
tree | 25a270b1bfe0e079911d58fc97d369729eba0bed | |
parent | 3ad8d7c1fb1e65de8d88c494ca75a8c5c283a472 (diff) | |
Use fully qualified CCACHE names
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize a krbV.CCache object, or when it is used in the KRB5CCNAME
environment variable, it fails for the new DIR type of ccache.
We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.
https://fedorahosted.org/freeipa/ticket/3381
-rwxr-xr-x | install/tools/ipa-adtrust-install | 2 | ||||
-rwxr-xr-x | install/tools/ipa-dns-install | 2 | ||||
-rwxr-xr-x | install/tools/ipa-replica-manage | 2 | ||||
-rw-r--r-- | ipalib/plugins/kerberos.py | 9 | ||||
-rw-r--r-- | ipaserver/plugins/ldap2.py | 15 |
5 files changed, 21 insertions, 9 deletions
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 17f2f0e98..6985bba27 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -299,7 +299,7 @@ def main():
 sys.exit("Must have Kerberos credentials to setup AD trusts on server")
 try:
- api.Backend.ldap2.connect(ccache.name)
+ api.Backend.ldap2.connect(ccache)
 except errors.ACIError, e:
 sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
 except errors.DatabaseError, e:
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 71592d489..2ab90b648 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -205,7 +205,7 @@ def main():
 api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=bind.dm_password)
 else:
 # See if our LDAP server is up and we can talk to it over GSSAPI
- ccache = krbV.default_context().default_ccache().name
+ ccache = krbV.default_context().default_ccache()
 api.Backend.ldap2.connect(ccache)
 if options.reverse_zone:
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 242289108..0dad14319 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -667,7 +667,7 @@ def del_master(realm, hostname, options):
 api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=options.dirman_passwd)
 else:
- ccache = krbV.default_context().default_ccache().name
+ ccache = krbV.default_context().default_ccache()
 api.Backend.ldap2.connect(ccache=ccache)
 bind = bindinstance.BindInstance()
 bind.remove_master_dns_records(hostname, realm, realm.lower())
diff --git a/ipalib/plugins/kerberos.py b/ipalib/plugins/kerberos.py
index e6f775b97..7ae63b930 100644
--- a/ipalib/plugins/kerberos.py
+++ b/ipalib/plugins/kerberos.py
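Review bot: The GSSAPI branch of ipa-dns-install passes whatever `default_ccache()` returns straight into `api.Backend.ldap2.connect(ccache)` without checking that the cache actually holds credentials, whereas ipa-adtrust-install in this same commit exits with "Must have Kerberos credentials ..." before connecting. If the cache does not exist or is empty, the first failure is presumably the `ccache.principal()` call inside `connect()`, surfacing as a raw krbV traceback instead of a clear message — worth confirming. A guard before the connect, e.g. `try: ccache.principal()` / `except <the krbV error class the tree already catches>: sys.exit("Must have Kerberos credentials to set up DNS; run kinit first")`, would make the failure mode match the other installer. `main()` starts and ends outside this hunk.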
@@ -66,14 +66,17 @@ class krb(Backend):
 def default_ccname(self):
 """
- Return the default ccache file name.
+ Return the default ccache file name (schema+name).
- This will return something like '/tmp/krb5cc_500'.
+ This will return something like 'FILE:/tmp/krb5cc_500'.
 This cannot return anything meaningful if used in the server as a request is processed.
 """
- return self.__default_ccache().name
+ default_ccache = self.__default_ccache()
+ ccname = "%(type)s:%(name)s" % dict(type=default_ccache.type,
+ name=default_ccache.name)
+ return ccname
 def default_principal(self):
 """
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index 2dd3f4784..908a101eb 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -788,7 +788,7 @@ class ldap2(CrudBackend):
 Keyword arguments:
 ldapuri -- the LDAP server to connect to
- ccache -- Kerberos V5 ccache name
+ ccache -- Kerberos V5 ccache object or name
 bind_dn -- dn used to bind to the server
 bind_pw -- password used to bind to the server
 debug_level -- LDAP debug level option
@@ -826,10 +826,19 @@ class ldap2(CrudBackend):
 if maxssf < minssf:
 conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
 if ccache is not None:
+ if isinstance(ccache, krbV.CCache):
+ principal = ccache.principal().name
+ # Get a fully qualified CCACHE name (schema+name)
+ # As we do not use the krbV.CCache object later,
+ # we can safely overwrite it
+ ccache = "%(type)s:%(name)s" % dict(type=ccache.type,
+ name=ccache.name)
+ else:
+ principal = krbV.CCache(name=ccache,
+ context=krbV.default_context()).principal().name
+
 os.environ['KRB5CCNAME'] = ccache
 conn.sasl_interactive_bind_s(None, SASL_AUTH)
- principal = krbV.CCache(name=ccache,
- context=krbV.default_context()).principal().name
 setattr(context, 'principal', principal)
 else:
 # no kerberos ccache, use simple bind or external sasl |
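Review bot: The `"%(type)s:%(name)s"` formatting in `default_ccname()` is the same string that ipaserver/plugins/ldap2.py builds inline in this commit, so the "fully qualified ccache name" rule now lives in two places that can drift. A single helper such as `def ccache_name(ccache): return "%s:%s" % (ccache.type, ccache.name)` in this module, called from both sites, would keep it in one spot. The new docstring's "schema+name" is also not the Kerberos term — `krb5_cc_get_type()` calls the prefix the cache type — so `Return the default ccache name as 'TYPE:residual', e.g. 'FILE:/tmp/krb5cc_500'.` reads more precisely. The `krb` class continues outside this hunk.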
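Review bot: The `else` branch still hands a caller-supplied string to `krbV.CCache(name=ccache)` and then to `KRB5CCNAME` unchanged, so a bare name without a `TYPE:` prefix — exactly the input this commit removes from the install scripts — is still accepted here and will presumably hit the same DIR-cache failure for any caller this patch did not update. A cheap guard would make that explicit, e.g. `if ':' not in ccache: raise ValueError("ccache name must be of the form TYPE:residual, got %r" % ccache)` (using the project's own error type if one fits). Separately, `os.environ['KRB5CCNAME'] = ccache` is process-wide and is never restored after the SASL bind, so later binds in this process and any subprocess spawned afterwards inherit this cache pointer; that predates the commit, but a comment on the line such as `# NOTE: process-global; persists past this bind and is inherited by child processes` would warn the next reader. The enclosing method starts and ends outside this hunk.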