From 454e8691cf7d64696fb8602d6e1ce5241f00f328 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 20 May 2015 14:23:30 +0000
Subject: [PATCH] client-install: Fix kinits with non-default Kerberos config file
https://fedorahosted.org/freeipa/ticket/4808
Reviewed-By: Martin Babinsky
---
 ipa-client/ipa-install/ipa-client-install | 5 ++++-
 ipapython/ipautil.py | 21 ++++++++++++++++++---
 2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index efa97a9ae..63e3c9800 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2441,7 +2441,8 @@ def install(options, env, fstore, statestore):
 stdin = sys.stdin.readline()
 try:
- ipautil.kinit_password(principal, stdin, ccache_name)
+ ipautil.kinit_password(principal, stdin, ccache_name,
+ config=krb_name)
 except RuntimeError as e:
 print_port_conf_info()
 root_logger.error("Kerberos authentication failed: %s" % e)
@@ -2452,6 +2453,7 @@ def install(options, env, fstore, statestore):
 try:
 ipautil.kinit_keytab(host_principal, options.keytab, ccache_name,
+ config=krb_name,
 attempts=options.kinit_attempts)
 except Krb5Error as e:
 print_port_conf_info()
@@ -2530,6 +2532,7 @@ def install(options, env, fstore, statestore):
 try:
 ipautil.kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
+ config=krb_name,
 attempts=options.kinit_attempts)
 env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
 except Krb5Error as e:
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index bdbf8da49..abdb96d9b 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1186,7 +1186,7 @@ def wait_for_open_socket(socket_name, timeout=0):
 raise e
-def kinit_keytab(principal, keytab, ccache_name, attempts=1):
+def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
 """
 Given a ccache_path, keytab file and a principal kinit as that user.
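Review bot: The final host-keytab kinit in the `@@ -2530` hunk now runs against `krb_name` as well, and nothing in the hunk shows whether that file still exists at this point; assuming `krb_name` is the temporary krb5.conf used by the two earlier kinits, confirm it is not cleaned up before this call, since a missing or stale config here would make every `kinit_attempts` retry fail and drop into the `Krb5Error` branch. The reason for preferring that file over the system krb5.conf is also not obvious to a later reader, so a why-comment would help, e.g. `# kinit against the temporary krb5.conf so only the KDC we enrolled with is contacted`. install() starts and ends outside this hunk.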
@@ -1199,6 +1199,11 @@ def kinit_keytab(principal, keytab, ccache_name, attempts=1):
 % (principal, keytab))
 root_logger.debug("using ccache %s" % ccache_name)
 for attempt in range(1, attempts + 1):
+ old_config = os.environ.get('KRB5_CONFIG')
+ if config is not None:
+ os.environ['KRB5_CONFIG'] = config
+ else:
+ os.environ.pop('KRB5_CONFIG', None)
 try:
 krbcontext = krbV.default_context()
 ktab = krbV.Keytab(name=keytab, context=krbcontext)
@@ -1221,9 +1226,15 @@ def kinit_keytab(principal, keytab, ccache_name, attempts=1):
 raise
 root_logger.debug("Waiting 5 seconds before next retry")
 time.sleep(5)
+ finally:
+ if old_config is not None:
+ os.environ['KRB5_CONFIG'] = old_config
+ else:
+ os.environ.pop('KRB5_CONFIG', None)
-def kinit_password(principal, password, ccache_name, armor_ccache_name=None):
+def kinit_password(principal, password, ccache_name, config=None,
+ armor_ccache_name=None):
 """
 perform interactive kinit as principal using password. If using FAST for web-based authentication, use armor_ccache_path to specify http service
@@ -1236,9 +1247,13 @@ def kinit_password(principal, password, ccache_name, armor_ccache_name=None):
 % armor_ccache_name)
 args.extend(['-T', armor_ccache_name])
+ env = {'LC_ALL': 'C'}
+ if config is not None:
+ env['KRB5_CONFIG'] = config
 # this workaround enables us to capture stderr and put it
 # into the raised exception in case of unsuccessful authentication
-    (stdout, stderr, retcode) = run(args, stdin=password, env={'LC_ALL': 'C'},
+    (stdout, stderr, retcode) = run(args, stdin=password, env=env,
 raiseonerr=False)
 if retcode:
 raise RuntimeError(stderr)
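Review bot: With `config=None` the `else` branch added in the `@@ -1199` hunk pops any `KRB5_CONFIG` the process inherited, so every existing caller of `kinit_keytab` that relied on an environment-supplied krb5.conf now silently kinits against the system default for the duration of the call; if that is intended, say so, otherwise leave `os.environ` untouched when no config is given (`if config is not None: os.environ['KRB5_CONFIG'] = config`) and keep the `finally` restore only for that case. Setting `os.environ` is also process-wide, so two threads calling this helper with different configs would race on the variable, which at least deserves a comment such as `# KRB5_CONFIG is set process-wide so krbV.default_context() picks it up; not safe for concurrent callers`. The `for`/`try` opened here continues past the end of the hunk.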
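Review bot: The new `config` parameter is inserted ahead of `armor_ccache_name` in `kinit_password` (and ahead of `attempts` in `kinit_keytab`), so any caller that passed those positionally will now bind that value to `config` with no error; the call sites in this patch use keywords, but appending `config` after the existing parameters would avoid the silent rebinding. Neither function's docstring in the `@@ -1221` hunk mentions the parameter, so add a line like `config: optional path to a krb5.conf to use instead of the default; exported as KRB5_CONFIG for the duration of the kinit` to both. The `finally` block added here belongs to a `try` that starts in the previous hunk.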
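Review bot: In the `@@ -1236` hunk the `env` dict handed to `run()` holds only `LC_ALL` plus `KRB5_CONFIG` when requested, so if `run()` passes it straight to the child (not visible here), an inherited `KRB5_CONFIG` never reaches `kinit` unless `config` is given, which is the opposite of what a caller might expect from a function that accepts a config path "optionally". A short comment would pin that contract down, e.g. `# kinit runs with a minimal environment; the caller's KRB5_CONFIG is only honoured when passed as config`. The rest of kinit_password, including how `args` is built, is outside the hunk.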