client-install: Fix kinits with non-default Kerberos config file
https://fedorahosted.org/freeipa/ticket/4808 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
parent
9d8ac395c0
commit
454e8691cf
@ -2441,7 +2441,8 @@ def install(options, env, fstore, statestore):
|
||||
stdin = sys.stdin.readline()
|
||||
|
||||
try:
|
||||
ipautil.kinit_password(principal, stdin, ccache_name)
|
||||
ipautil.kinit_password(principal, stdin, ccache_name,
|
||||
config=krb_name)
|
||||
except RuntimeError as e:
|
||||
print_port_conf_info()
|
||||
root_logger.error("Kerberos authentication failed: %s" % e)
|
||||
@ -2452,6 +2453,7 @@ def install(options, env, fstore, statestore):
|
||||
try:
|
||||
ipautil.kinit_keytab(host_principal, options.keytab,
|
||||
ccache_name,
|
||||
config=krb_name,
|
||||
attempts=options.kinit_attempts)
|
||||
except Krb5Error as e:
|
||||
print_port_conf_info()
|
||||
@ -2530,6 +2532,7 @@ def install(options, env, fstore, statestore):
|
||||
try:
|
||||
ipautil.kinit_keytab(host_principal, paths.KRB5_KEYTAB,
|
||||
CCACHE_FILE,
|
||||
config=krb_name,
|
||||
attempts=options.kinit_attempts)
|
||||
env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
|
||||
except Krb5Error as e:
|
||||
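Review bot: `krb_name` is not bound in any of the three `install()` hunks, and the last call site (`kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE, config=krb_name, ...)`) sits roughly ninety lines below the first two. It is worth confirming that the name is defined and the file still exists on every path that reaches that call. Because this path now decides which Kerberos configuration each kinit uses, a comment at the first use would help, for example `# krb_name: non-default krb5.conf used for this install; must exist and be readable until the final kinit`. `install()` begins and ends outside the hunks shown, so the definition and any cleanup of `krb_name` cannot be checked from here.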
|
@ -1186,7 +1186,7 @@ def wait_for_open_socket(socket_name, timeout=0):
|
||||
raise e
|
||||
|
||||
|
||||
def kinit_keytab(principal, keytab, ccache_name, attempts=1):
|
||||
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
"""
|
||||
Given a ccache_path, keytab file and a principal kinit as that user.
|
||||
|
||||
@ -1199,6 +1199,11 @@ def kinit_keytab(principal, keytab, ccache_name, attempts=1):
|
||||
% (principal, keytab))
|
||||
root_logger.debug("using ccache %s" % ccache_name)
|
||||
for attempt in range(1, attempts + 1):
|
||||
old_config = os.environ.get('KRB5_CONFIG')
|
||||
if config is not None:
|
||||
os.environ['KRB5_CONFIG'] = config
|
||||
else:
|
||||
os.environ.pop('KRB5_CONFIG', None)
|
||||
try:
|
||||
krbcontext = krbV.default_context()
|
||||
ktab = krbV.Keytab(name=keytab, context=krbcontext)
|
||||
@ -1221,9 +1226,15 @@ def kinit_keytab(principal, keytab, ccache_name, attempts=1):
|
||||
raise
|
||||
root_logger.debug("Waiting 5 seconds before next retry")
|
||||
time.sleep(5)
|
||||
finally:
|
||||
if old_config is not None:
|
||||
os.environ['KRB5_CONFIG'] = old_config
|
||||
else:
|
||||
os.environ.pop('KRB5_CONFIG', None)
|
||||
|
||||
|
||||
def kinit_password(principal, password, ccache_name, armor_ccache_name=None):
|
||||
def kinit_password(principal, password, ccache_name, config=None,
|
||||
armor_ccache_name=None):
|
||||
"""
|
||||
perform interactive kinit as principal using password. If using FAST for
|
||||
web-based authentication, use armor_ccache_path to specify http service
|
||||
@ -1236,9 +1247,13 @@ def kinit_password(principal, password, ccache_name, armor_ccache_name=None):
|
||||
% armor_ccache_name)
|
||||
args.extend(['-T', armor_ccache_name])
|
||||
|
||||
env = {'LC_ALL': 'C'}
|
||||
if config is not None:
|
||||
env['KRB5_CONFIG'] = config
|
||||
|
||||
# this workaround enables us to capture stderr and put it
|
||||
# into the raised exception in case of unsuccessful authentication
|
||||
(stdout, stderr, retcode) = run(args, stdin=password, env={'LC_ALL': 'C'},
|
||||
(stdout, stderr, retcode) = run(args, stdin=password, env=env,
|
||||
raiseonerr=False)
|
||||
if retcode:
|
||||
raise RuntimeError(stderr)
|
||||
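Review bot: Both new signatures insert `config` in the middle of the parameter list, so a caller outside this diff that passes the fourth argument positionally would now bind `attempts` (in `kinit_keytab`) or `armor_ccache_name` (in `kinit_password`) to `config`, and that value would be used as the `KRB5_CONFIG` path. Appending the parameter keeps existing positional calls working: `def kinit_keytab(principal, keytab, ccache_name, attempts=1, config=None):`, and likewise `armor_ccache_name=None, config=None` for `kinit_password`. The call sites visible in this commit already pass both by keyword. Separately, the `else` branch in `kinit_keytab` drops an inherited `KRB5_CONFIG` for each attempt when `config` is None, which changes behaviour for callers that relied on the environment. The swap of `os.environ` is also process-wide, so it deserves a comment such as `# KRB5_CONFIG is process-global; not safe if other threads use Kerberos concurrently`. Both function bodies extend beyond the hunks shown.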
|