IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use fully qualified CCACHE names

Browse Source 
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.

We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.

https://fedorahosted.org/freeipa/ticket/3381
This commit is contained in:
Martin Kosek
2013-01-31 17:18:35 +01:00
parent 3ad8d7c1fb
commit 893064f613
5 changed files with 21 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
install/tools/ipa-adtrust-install
View File

@@ -299,7 +299,7 @@ def main():
sys.exit("Must have Kerberos credentials to setup AD trusts on server")
try:
api.Backend.ldap2.connect(ccache.name)
api.Backend.ldap2.connect(ccache)
except errors.ACIError, e:
sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
except errors.DatabaseError, e:

2
install/tools/ipa-dns-install
View File

@@ -205,7 +205,7 @@ def main():
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=bind.dm_password)
else:
# See if our LDAP server is up and we can talk to it over GSSAPI
ccache = krbV.default_context().default_ccache().name
ccache = krbV.default_context().default_ccache()
api.Backend.ldap2.connect(ccache)
if options.reverse_zone:

2
install/tools/ipa-replica-manage
View File

@@ -667,7 +667,7 @@ def del_master(realm, hostname, options):
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=options.dirman_passwd)
else:
ccache = krbV.default_context().default_ccache().name
ccache = krbV.default_context().default_ccache()
api.Backend.ldap2.connect(ccache=ccache)
bind = bindinstance.BindInstance()
bind.remove_master_dns_records(hostname, realm, realm.lower())

9
ipalib/plugins/kerberos.py
View File

@@ -66,14 +66,17 @@ class krb(Backend):
def default_ccname(self):
"""
Return the default ccache file name.
Return the default ccache file name (schema+name).
This will return something like '/tmp/krb5cc_500'.
This will return something like 'FILE:/tmp/krb5cc_500'.
This cannot return anything meaningful if used in the server as a
request is processed.
"""
return self.__default_ccache().name
default_ccache = self.__default_ccache()
ccname = "%(type)s:%(name)s" % dict(type=default_ccache.type,
name=default_ccache.name)
return ccname
def default_principal(self):
"""

15
ipaserver/plugins/ldap2.py
View File

@@ -788,7 +788,7 @@ class ldap2(CrudBackend):
Keyword arguments:
ldapuri -- the LDAP server to connect to
ccache -- Kerberos V5 ccache name
ccache -- Kerberos V5 ccache object or name
bind_dn -- dn used to bind to the server
bind_pw -- password used to bind to the server
debug_level -- LDAP debug level option
@@ -826,10 +826,19 @@ class ldap2(CrudBackend):
if maxssf < minssf:
conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
if ccache is not None:
if isinstance(ccache, krbV.CCache):
principal = ccache.principal().name
# Get a fully qualified CCACHE name (schema+name)
# As we do not use the krbV.CCache object later,
# we can safely overwrite it
ccache = "%(type)s:%(name)s" % dict(type=ccache.type,
name=ccache.name)
else:
principal = krbV.CCache(name=ccache,
context=krbV.default_context()).principal().name
os.environ['KRB5CCNAME'] = ccache
conn.sasl_interactive_bind_s(None, SASL_AUTH)
principal = krbV.CCache(name=ccache,
context=krbV.default_context()).principal().name
setattr(context, 'principal', principal)
else:
# no kerberos ccache, use simple bind or external sasl