Port from python-krbV to python-gssapi

python-krbV library is deprecated and doesn't work with python 3. Replacing all it's usages with python-gssapi. - Removed Backend.krb and KRB5_CCache classes They were wrappers around krbV classes that cannot really work without them - Added few utility functions for querying GSSAPI credentials in krb_utils module. They provide replacements for KRB5_CCache. - Merged two kinit_keytab functions - Changed ldap plugin connection defaults to match ipaldap - Unified getting default realm Using api.env.realm instead of krbV call Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-07-20 16:04:07 +02:00 · 2015-07-20 16:04:07 +02:00 · aad73fad60
commit aad73fad60
parent aebb72e1fb
37 changed files with 249 additions and 649 deletions
--- a/BUILD.txt
+++ b/BUILD.txt
@ -20,7 +20,7 @@ systemd-units samba-devel samba-python libwbclient-devel libtalloc-devel \
 libtevent-devel nspr-devel nss-devel openssl-devel openldap-devel krb5-devel \
 krb5-workstation libuuid-devel libcurl-devel xmlrpc-c-devel popt-devel \
 autoconf automake m4 libtool gettext python-devel python-ldap \
-python-setuptools python-krbV python-nss python-netaddr python-gssapi \
+python-setuptools python-nss python-netaddr python-gssapi \
 python-rhsm pyOpenSSL pylint python-polib libipa_hbac-python python-memcached \
 sssd python-lxml python-pyasn1 python-qrcode-core python-dns m2crypto \
 check libsss_idmap-devel libsss_nss_idmap-devel java-headless rhino \
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@ -12,7 +12,7 @@ from binascii import hexlify
 from datetime import datetime
 import dns.dnssec
 import fcntl
-from krbV import Krb5Error
+from gssapi.exceptions import GSSError
 import logging
 import os
 from pprint import pprint
@ -146,7 +146,7 @@ ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')
 try:
    ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB,
                         ccache_filename, attempts=5)
-except Krb5Error as e:
+except GSSError as e:
    log.critical('Kerberos authentication failed: %s', e)
    sys.exit(1)
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@ -20,7 +20,7 @@ from datetime import datetime
 import dateutil.tz
 import dns.dnssec
 import fcntl
-from krbV import Krb5Error
+from gssapi.exceptions import GSSError
 import logging
 import os
 import subprocess
@ -487,7 +487,7 @@ ccache_name = os.path.join(WORKDIR, 'ipa-ods-exporter.ccache')
 try:
    ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,
                         attempts=5)
-except Krb5Error as e:
+except GSSError as e:
    log.critical('Kerberos authentication failed: %s', e)
    sys.exit(1)
--- a/doc/examples/python-api.py
+++ b/doc/examples/python-api.py
@ -37,9 +37,7 @@ api.finalize()
 # Backend.ldap.connect(), otherwise Backend.rpcclient.connect().
 if api.env.in_server:
-    api.Backend.ldap2.connect(
+    api.Backend.ldap2.connect()
        ccache=api.Backend.krb.default_ccname()
     )
 else:
    api.Backend.rpcclient.connect()
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -68,7 +68,6 @@ BuildRequires:  gettext
 BuildRequires:  python-devel
 BuildRequires:  python-ldap
 BuildRequires:  python-setuptools
 BuildRequires:  python-krbV
 BuildRequires:  python-nss
 BuildRequires:  python-cryptography
 BuildRequires:  python-netaddr
@ -128,7 +127,7 @@ Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.1.0-2
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
-Requires: python-krbV
+Requires: python-gssapi >= 1.1.2
 Requires: python-sssdconfig
 Requires: acl
 Requires: python-pyasn1
@ -263,7 +262,7 @@ Requires: certmonger >= 0.78
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
-Requires: python-krbV
+Requires: python-gssapi >= 1.1.2
 Requires: python-dns >= 1.11.1
 Requires: libsss_autofs
 Requires: autofs
@ -287,7 +286,6 @@ Summary: IPA administrative tools
 Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: python-krbV
 Requires: python-ldap
 Conflicts: %{alt_name}-admintools
--- a/install/oddjob/com.redhat.idm.trust-fetch-domains
+++ b/install/oddjob/com.redhat.idm.trust-fetch-domains
@ -7,33 +7,10 @@ from ipalib import api, errors
 from ipapython.dn import DN
 from ipalib.config import Env
 from ipalib.constants import DEFAULT_CONFIG
-from ipalib.krb_utils import KRB5_CCache
+from ipapython.ipautil import kinit_keytab
 import sys
 import os, pwd
-import krbV
+import gssapi
 import time
 # This version is different from the original in ipapyton.ipautil
 # in the fact that it returns a krbV.CCache object.
 def kinit_keytab(principal, keytab, ccache_name, attempts=1):
    errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE,
                       krbV.KRB5_KDC_UNREACH}
    for attempt in range(1, attempts + 1):
        try:
            krbcontext = krbV.default_context()
            ktab = krbV.Keytab(name=keytab, context=krbcontext)
            princ = krbV.Principal(name=principal, context=krbcontext)
            ccache = krbV.CCache(name=ccache_name, context=krbcontext,
                                 primary_principal=princ)
            ccache.init(princ)
            ccache.init_creds_keytab(keytab=ktab, principal=princ)
            return ccache
        except krbV.Krb5Error as e:
            if e.args[0] not in errors_to_retry:
                raise
            if attempt == attempts:
                raise
            time.sleep(5)
 def retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal):
    getkeytab_args = ["/usr/sbin/ipa-getkeytab",
@ -127,17 +104,21 @@ ccache_name = '/var/run/ipa/krb5cc_oddjob_trusts'
 #   - if not, initialize it from Samba's keytab
 # - refer the correct ccache object for further use
 #
-if not os.path.isfile(ccache_name):
+have_ccache = False
-    ccache = kinit_keytab(principal, keytab_name, ccache_name)
+try:
-
+    cred = kinit_keytab(principal, keytab_name, ccache_name)
-ccache_check = KRB5_CCache(ccache_name)
+    if cred.lifetime > 0:
-if not ccache_check.credential_is_valid(principal):
+        have_ccache = True
-    ccache = kinit_keytab(principal, keytab_name, ccache_name)
+except gssapi.exceptions.ExpiredCredentialsError:
-else:
+    pass
-    ccache = ccache_check.ccache
+if not have_ccache:
    # delete stale ccache and try again
    if os.path.exists(oneway_ccache_name):
        os.unlink(ccache_name)
    cred = kinit_keytab(principal, keytab_name, ccache_name)
 old_ccache = os.environ.get('KRB5CCNAME')
-api.Backend.ldap2.connect(ccache)
+api.Backend.ldap2.connect(ccache_name)
 # Retrieve own NetBIOS name and trusted forest's name.
 # We use script's input to retrieve the trusted forest's name to sanitize input
@ -159,32 +140,25 @@ oneway_principal = str('%s$@%s' % (own_trust_flatname, trusted_domain.upper()))
 if not os.path.isfile(oneway_keytab_name):
    retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
 oneway_ccache = None
 try:
-    # The keytab may have stale key material (from older trust-add run)
+    have_ccache = False
-    if not os.path.isfile(oneway_ccache_name):
+    try:
-        oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
+        # The keytab may have stale key material (from older trust-add run)
-    else:
+        cred = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
-        oneway_ccache_check = KRB5_CCache(oneway_ccache_name)
+        if cred.lifetime > 0:
-        if not oneway_ccache_check.credential_is_valid(oneway_principal):
+            have_ccache = True
-            # If credentials were invalid, obtain them again
+    except gssapi.exceptions.ExpiredCredentialsError:
-            oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
+        pass
-        else:
+    if not have_ccache:
-            oneway_ccache = oneway_ccache_check.ccache
+        if os.path.exists(oneway_ccache_name):
-except krbV.Krb5Error as e:
+            os.unlink(oneway_ccache_name)
        kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
 except gssapi.exceptions.GSSError:
    # If there was failure on using keytab, assume it is stale and retrieve again
    retrieve_keytab(api, ccache_name, oneway_keytab_name, oneway_principal)
-
+    if os.path.exists(oneway_ccache_name):
-try:
+        os.unlink(oneway_ccache_name)
-    # There wasn existing ccache, validate its content
+    kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
    oneway_ccache_check = KRB5_CCache(oneway_ccache_name)
    if not oneway_ccache_check.credential_is_valid(oneway_principal):
        # If credentials were invalid, obtain them again
        oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
    else:
        oneway_ccache = oneway_ccache_check.ccache
 except krbV.Krb5Error as e:
    oneway_ccache = kinit_keytab(oneway_principal, oneway_keytab_name, oneway_ccache_name)
 # We are done: we have ccache with TDO credentials and can fetch domains
 ipa_domain = api.env.domain
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@ -21,14 +21,14 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 import gssapi
 from ipaserver.install import adtrustinstance
 from ipaserver.install.installutils import *
 from ipaserver.install import service
 from ipapython import version
 from ipapython import ipautil, sysrestore, ipaldap
-from ipalib import api, errors, util
+from ipalib import api, errors, krb_utils
 from ipapython.config import IPAOptionParser
 import krbV
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@ -302,21 +302,19 @@ def main():
            print "Proceeding with credentials that existed before"
    try:
-        ctx = krbV.default_context()
+        principal = krb_utils.get_principal()
-        ccache = ctx.default_ccache()
+    except gssapi.exceptions.GSSError as e:
-        principal = ccache.principal()
+        sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)
    except krbV.Krb5Error as e:
        sys.exit("Must have Kerberos credentials to setup AD trusts on server")
    try:
-        api.Backend.ldap2.connect(ccache)
+        api.Backend.ldap2.connect()
    except errors.ACIError as e:
        sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket")
    except errors.DatabaseError as e:
        sys.exit("Cannot connect to the LDAP database. Please check if IPA is running")
    try:
-        user = api.Command.user_show(unicode(principal[0]))['result']
+        user = api.Command.user_show(principal.partition('@')[0].partition('/')[0])['result']
        group = api.Command.group_show(u'admins')['result']
        if not (user['uid'][0] in group['member_user'] and
                group['cn'][0] in user['memberof_group']):
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@ -22,12 +22,11 @@
 import sys
 import os
 import krbV
 from ipapython.ipa_log_manager import *
 from ipaserver.install import (replication, installutils, bindinstance,
    cainstance, certs)
-from ipalib import api, errors, util
+from ipalib import api, errors
 from ipalib.constants import CACERT
 from ipapython import ipautil, ipaldap, version, dogtag
 from ipapython.dn import DN
@ -407,7 +406,7 @@ def main():
    api.finalize()
    dirman_passwd = None
-    realm = krbV.default_context().default_realm
+    realm = api.env.realm
    if options.host:
        host = options.host
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@ -20,7 +20,7 @@
 import sys
 import os
-import re, krbV
+import re
 import traceback
 from urllib2 import urlparse
 import ldap
@ -1379,7 +1379,7 @@ def main():
    api.finalize()
    dirman_passwd = None
-    realm = krbV.default_context().default_realm
+    realm = api.env.realm
    if options.host:
        host = options.host
@ -1404,8 +1404,7 @@ def main():
        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
                                  bind_pw=options.dirman_passwd)
    else:
-        ccache = krbV.default_context().default_ccache()
+        api.Backend.ldap2.connect()
        api.Backend.ldap2.connect(ccache=ccache)
    if args[0] == "list":
        replica = None
--- a/ipa-client/ipa-client.spec.in
+++ b/ipa-client/ipa-client.spec.in
@ -9,7 +9,7 @@ URL:            http://www.freeipa.org
 Source0:        %{name}-%{version}.tgz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: python python-ldap python-krbV ipa-python cyrus-sasl-gssapi
+Requires: python python-ldap python-gssapi ipa-python cyrus-sasl-gssapi
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@ -26,7 +26,7 @@ import os
 import urlparse
 import time
 import tempfile
-from krbV import Krb5Error
+import gssapi
 import SSSDConfig
@ -427,15 +427,14 @@ def main():
    print "Location: %s" % options.location
    root_logger.debug('Using automount location %s' % options.location)
-    # Verify that the location is valid
+    ccache_dir = tempfile.mkdtemp()
-    (ccache_fd, ccache_name) = tempfile.mkstemp()
+    ccache_name = os.path.join(ccache_dir, 'ccache')
    os.close(ccache_fd)
    try:
        try:
            host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
            ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
            os.environ['KRB5CCNAME'] = ccache_name
-        except Krb5Error as e:
+        except gssapi.exceptions.GSSError as e:
            sys.exit("Failed to obtain host TGT: %s" % e)
        # Now we have a TGT, connect to IPA
        try:
@ -457,6 +456,7 @@ def main():
            sys.exit("Cannot connect to the server due to generic error: %s" % str(e))
    finally:
        os.remove(ccache_name)
        os.rmdir(ccache_dir)
    if not options.unattended and not ipautil.user_input("Continue to configure the system with these values?", False):
        sys.exit("Installation aborted")
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@ -31,8 +31,8 @@ try:
    from ConfigParser import RawConfigParser
    from optparse import SUPPRESS_HELP, OptionGroup, OptionValueError
    import shutil
    from krbV import Krb5Error
    import dns
    import gssapi
    import nss.nss as nss
    import SSSDConfig
@ -2618,7 +2618,7 @@ def install(options, env, fstore, statestore):
                                             ccache_name,
                                             config=krb_name,
                                             attempts=options.kinit_attempts)
-                    except Krb5Error as e:
+                    except gssapi.exceptions.GSSError as e:
                        print_port_conf_info()
                        root_logger.error("Kerberos authentication failed: %s"
                                          % e)
@ -2698,7 +2698,7 @@ def install(options, env, fstore, statestore):
                                     config=krb_name,
                                     attempts=options.kinit_attempts)
                env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
-            except Krb5Error as e:
+            except gssapi.exceptions.GSSError as e:
                print_port_conf_info()
                root_logger.error("Failed to obtain host TGT: %s" % e)
                # failure to get ticket makes it impossible to login and bind
@ -2745,7 +2745,7 @@ def install(options, env, fstore, statestore):
                                 CCACHE_FILE,
                                 attempts=options.kinit_attempts)
            os.environ['KRB5CCNAME'] = CCACHE_FILE
-        except Krb5Error as e:
+        except gssapi.exceptions.GSSError as e:
            root_logger.error("Failed to obtain host TGT: %s" % e)
            return CLIENT_INSTALL_ERROR
    else:
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@ -16,25 +16,22 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 import krbV
 import time
 import re
-from ipapython.ipa_log_manager import *
+import gssapi
 from ipalib import errors
 #-------------------------------------------------------------------------------
-# Kerberos constants, should be defined in krbV, but aren't
+# Kerberos error codes
-KRB5_GC_CACHED = 0x2
+KRB5_CC_NOTFOUND                = 2529639053 # Matching credential not found
-
+KRB5_FCC_NOFILE                 = 2529639107 # No credentials cache found
-# Kerberos error codes, should be defined in krbV, but aren't
+KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = 2529638919 # Server not found in Kerberos database
-KRB5_CC_NOTFOUND                = -1765328243 # Matching credential not found
+KRB5KRB_AP_ERR_TKT_EXPIRED      = 2529638944 # Ticket expired
-KRB5_FCC_NOFILE                 = -1765328189 # No credentials cache found
+KRB5_FCC_PERM                   = 2529639106 # Credentials cache permissions incorrect
-KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = -1765328377 # Server not found in Kerberos database
+KRB5_CC_FORMAT                  = 2529639111 # Bad format in credentials cache
-KRB5KRB_AP_ERR_TKT_EXPIRED      = -1765328352 # Ticket expired
+KRB5_REALM_CANT_RESOLVE         = 2529639132 # Cannot resolve network address for KDC in requested realm
 KRB5_FCC_PERM                   = -1765328190 # Credentials cache permissions incorrect
 KRB5_CC_FORMAT                  = -1765328185 # Bad format in credentials cache
 KRB5_REALM_CANT_RESOLVE         = -1765328164 # Cannot resolve network address for KDC in requested realm
 krb_ticket_expiration_threshold = 60*5 # number of seconds to accmodate clock skew
 krb5_time_fmt = '%m/%d/%y %H:%M:%S'
@ -136,260 +133,66 @@ def krb5_format_time(timestamp):
    '''
    return time.strftime(krb5_time_fmt, time.localtime(timestamp))
-class KRB5_CCache(object):
+def get_credentials(name=None, ccache_name=None):
    '''
-    Kerberos stores a TGT (Ticket Granting Ticket) and the service
+    Obtains GSSAPI credentials with given principal name from ccache. When no
-    tickets bound to it in a ccache (credentials cache). ccaches are
+    principal name specified, it retrieves the default one for given
-    bound to a Kerberos user principal. This class opens a Kerberos
+    credentials cache.
-    ccache and allows one to manipulate it. Most useful is the
+
-    extraction of ticket entries (cred's) in the ccache and the
+    :parameters:
-    ability to examine their attributes.
+      name
        gssapi.Name object specifying principal or None for the default
      ccache_name
        string specifying Kerberos credentials cache name or None for the
        default
    :returns:
      gssapi.Credentials object
    '''
    store = None
    if ccache_name:
        store = {'ccache': ccache_name}
    try:
        return gssapi.Credentials(usage='initiate', name=name, store=store)
    except gssapi.exceptions.GSSError as e:
        if e.min_code == KRB5_FCC_NOFILE:
            raise ValueError('"%s", ccache="%s"' % (e.message, ccache_name))
        raise
 def get_principal(ccache_name=None):
    '''
    Gets default principal name from given credentials cache.
    :parameters:
      ccache_name
        string specifying Kerberos credentials cache name or None for the
        default
    :returns:
      Default principal name as string
    '''
    creds = get_credentials(ccache_name=ccache_name)
    return unicode(creds.name)
 def get_credentials_if_valid(name=None, ccache_name=None):
    '''
    Obtains GSSAPI credentials with principal name from ccache. When no
    principal name specified, it retrieves the default one for given
    credentials cache. When the credentials cannot be retrieved or aren't valid
    it returns None.
    :parameters:
      name
        gssapi.Name object specifying principal or None for the default
      ccache_name
        string specifying Kerberos credentials cache name or None for the
        default
    :returns:
      gssapi.Credentials object or None if valid credentials weren't found
    '''
-    def __init__(self, ccache):
+    try:
-        '''
+        creds = get_credentials(name=name, ccache_name=ccache_name)
-        :parameters:
+        if creds.lifetime > 0:
-          ccache
+            return creds
-            The name of a Kerberos ccache used to hold Kerberos tickets.
+        return None
-        :returns:
+    except gssapi.exceptions.ExpiredCredentialsError:
-          `KRB5_CCache` object encapsulting the ccache.
+        return None
        '''
        log_mgr.get_logger(self, True)
        self.context = None
        self.scheme = None
        self.name = None
        self.ccache = None
        self.principal = None
        try:
            self.context = krbV.default_context()
            self.scheme, self.name = krb5_parse_ccache(ccache)
            self.ccache = krbV.CCache(name=str(ccache), context=self.context)
            self.principal = self.ccache.principal()
        except krbV.Krb5Error as e:
            error_code = e.args[0]
            message = e.args[1]
            if error_code == KRB5_FCC_NOFILE:
                raise ValueError('"%s", ccache="%s"' % (message, ccache))
            else:
                raise e
    def ccache_str(self):
        '''
        A Kerberos ccache is identified by a name comprised of a
        scheme and location component. This function returns that
        canonical name. See `krb5_parse_ccache()`
        :returns:
          The name of ccache with it's scheme and location components.
        '''
        return '%s:%s' % (self.scheme, self.name)
    def __str__(self):
        return 'cache="%s" principal="%s"' % (self.ccache_str(), self.principal.name)
    def get_credentials(self, principal):
        '''
        Given a Kerberos principal return the krbV credentials
        tuple describing the credential. If the principal does
        not exist in the ccache a KeyError is raised.
        :parameters:
          principal
            The Kerberos principal whose ticket is being retrieved.
            The principal may be either a string formatted as a
            Kerberos V5 principal or it may be a `krbV.Principal`
            object.
        :returns:
          A krbV credentials tuple. If the principal is not in the
          ccache a KeyError is raised.
        '''
        if isinstance(principal, krbV.Principal):
            krbV_principal = principal
        else:
            try:
                krbV_principal = krbV.Principal(str(principal), self.context)
            except Exception as e:
                self.error('could not create krbV principal from "%s", %s', principal, e)
                raise e
        creds_tuple = (self.principal,
                       krbV_principal,
                       (0, None),    # keyblock: (enctype, contents)
                       (0, 0, 0, 0), # times: (authtime, starttime, endtime, renew_till)
                       0,0,          # is_skey, ticket_flags
                       None,         # addrlist
                       None,         # ticket_data
                       None,         # second_ticket_data
                       None)         # adlist
        try:
            cred = self.ccache.get_credentials(creds_tuple, KRB5_GC_CACHED)
        except krbV.Krb5Error as e:
            error_code = e.args[0]
            if error_code == KRB5_CC_NOTFOUND:
                raise KeyError('"%s" credential not found in "%s" ccache' % \
                               (krbV_principal.name, self.ccache_str()))
            raise e
        except Exception as e:
            raise e
        return cred
    def get_credential_times(self, principal):
        '''
        Given a Kerberos principal return the ticket timestamps if the
        principal's ticket in the ccache is valid.  If the principal
        does not exist in the ccache a KeyError is raised.
        The return credential time values are Unix timestamps in
        localtime.
        The returned timestamps are:
        authtime
          The time when the ticket was issued.
        starttime
          The time when the ticket becomes valid.
        endtime
          The time when the ticket expires.
        renew_till
          The time when the ticket becomes no longer renewable (if renewable).
        :parameters:
          principal
            The Kerberos principal whose ticket is being validated.
            The principal may be either a string formatted as a
            Kerberos V5 principal or it may be a `krbV.Principal`
            object.
        :returns:
            return authtime, starttime, endtime, renew_till
        '''
        if isinstance(principal, krbV.Principal):
            krbV_principal = principal
        else:
            try:
                krbV_principal = krbV.Principal(str(principal), self.context)
            except Exception as e:
                self.error('could not create krbV principal from "%s", %s', principal, e)
                raise e
        try:
            cred = self.get_credentials(krbV_principal)
            authtime, starttime, endtime, renew_till = cred[3]
            self.debug('get_credential_times: principal=%s, authtime=%s, starttime=%s, endtime=%s, renew_till=%s',
                       krbV_principal.name,
                       krb5_format_time(authtime), krb5_format_time(starttime),
                       krb5_format_time(endtime), krb5_format_time(renew_till))
            return authtime, starttime, endtime, renew_till
        except KeyError as e:
            raise e
        except Exception as e:
            self.error('get_credential_times failed, principal="%s" error="%s"', krbV_principal.name, e)
            raise e
    def credential_is_valid(self, principal):
        '''
        Given a Kerberos principal return a boolean indicating if the
        principal's ticket in the ccache is valid. If the ticket is
        not in the ccache False is returned. If the ticket
        exists in the ccache it's validity is checked and returned.
        :parameters:
          principal
            The Kerberos principal whose ticket is being validated.
            The principal may be either a string formatted as a
            Kerberos V5 principal or it may be a `krbV.Principal`
            object.
        :returns:
          True if the principal's ticket exists and is valid. False if
          the ticket does not exist or if the ticket is not valid.
        '''
        try:
            authtime, starttime, endtime, renew_till = self.get_credential_times(principal)
        except KeyError as e:
            return False
        except Exception as e:
            self.error('credential_is_valid failed, principal="%s" error="%s"', principal, e)
            raise e
        now = time.time()
        if starttime > now:
            return False
        if endtime < now:
            return False
        return True
    def valid(self, host, realm):
        '''
        Test to see if ldap service ticket or the TGT is valid.
        :parameters:
          host
            ldap server
          realm
            kerberos realm
        :returns:
          True if either the ldap service ticket or the TGT is valid,
          False otherwise.
        '''
        try:
            principal = krb5_format_service_principal_name('HTTP', host, realm)
            valid = self.credential_is_valid(principal)
            if valid:
                return True
        except KeyError:
            pass
        try:
            principal = krb5_format_tgt_principal_name(realm)
            valid = self.credential_is_valid(principal)
            return valid
        except KeyError:
            return False
    def endtime(self, host, realm):
        '''
        Returns the minimum endtime for tickets of interest (ldap service or TGT).
        :parameters:
          host
            ldap server
          realm
            kerberos realm
        :returns:
          UNIX timestamp value.
        '''
        result = 0
        try:
            principal = krb5_format_service_principal_name('HTTP', host, realm)
            authtime, starttime, endtime, renew_till = self.get_credential_times(principal)
            if result:
                result = min(result, endtime)
            else:
                result = endtime
        except KeyError:
            pass
        try:
            principal = krb5_format_tgt_principal_name(realm)
            authtime, starttime, endtime, renew_till = self.get_credential_times(principal)
            if result:
                result = min(result, endtime)
            else:
                result = endtime
        except KeyError:
            pass
        self.debug('KRB5_CCache %s endtime=%s (%s)', self.ccache_str(), result, krb5_format_time(result))
        return result
--- a/ipalib/plugins/kerberos.py
+++ b/ipalib/plugins/kerberos.py
@ -1,125 +0,0 @@
 # Authors:
 #   Jason Gerard DeRose <jderose@redhat.com>
 #
 # Copyright (C) 2008  Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 """
 Backend plugin for Kerberos.
 This wraps the python-kerberos and python-krbV bindings.
 """
 import sys
 from ipalib import api
 from ipalib.backend import Backend
 from ipalib.plugable import Registry
 import krbV
 register = Registry()
 ENCODING = 'UTF-8'
@register()
 class krb(Backend):
    """
    Kerberos backend plugin.
    This wraps the `krbV` bindings (and will eventually wrap the `kerberos`
    bindings also).  Importantly, this plugin does correct Unicode
    encoding/decoding of values going-to/coming-from the bindings.
    """
    def __default_ccache(self):
        """
        Return the ``krbV.CCache`` for the default credential cache.
        """
        return krbV.default_context().default_ccache()
    def __default_principal(self):
        """
        Return the ``krb5.Principal`` for the default credential cache.
        """
        return self.__default_ccache().principal()
    def __get_ccache(self, ccname):
        """
        Return the ``krbV.CCache`` for the ``ccname`` credential ccache.
        """
        return krbV.CCache(ccname)
    def __get_principal(self, ccname):
        """
        Return the ``krb5.Principal`` for the ``ccname`` credential ccache.
        """
        return self.__get_ccache(ccname).principal()
    def default_ccname(self):
        """
        Return the default ccache file name (schema+name).
        This will return something like 'FILE:/tmp/krb5cc_500'.
        This cannot return anything meaningful if used in the server as a
        request is processed.
        """
        default_ccache = self.__default_ccache()
        ccname = "%(type)s:%(name)s" % dict(type=default_ccache.type,
                                            name=default_ccache.name)
        return ccname
    def default_principal(self):
        """
        Return the principal name in default credential cache.
        This will return something like 'admin@EXAMPLE.COM'.  If no credential
        cache exists for the invoking user, None is returned.
        This cannot return anything meaningful if used in the server as a
        request is processed.
        """
        return self.__default_principal().name.decode(ENCODING)
    def default_realm(self):
        """
        Return the realm from the default credential cache.
        This will return something like 'EXAMPLE.COM'.  If no credential cache
        exists for the invoking user, None is returned.
        This cannot return anything meaningful if used in the server as a
        request is processed.
        """
        return krbV.default_context().default_realm.decode(ENCODING)
    def get_principal(self, ccname):
        """
        Return the principal from credential cache file at ``ccname``.
        This will return something like 'admin@EXAMPLE.COM'.
        """
        return self.__get_principal(ccname).name.decode(ENCODING)
    def get_realm(self, ccname):
        """
        Return the realm from credential cache file at ``ccname``.
        This will return something like 'EXAMPLE.COM'.
        """
        return self.__get_principal(ccname).realm.decode(ENCODING)
--- a/ipalib/plugins/passwd.py
+++ b/ipalib/plugins/passwd.py
@ -17,7 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-from ipalib import api, errors, util
+from ipalib import api, errors, krb_utils
 from ipalib import Command
 from ipalib import Str, Password
 from ipalib import _
@ -58,7 +58,7 @@ def get_current_password(principal):
    current password is prompted for, otherwise return a fixed value to
    be ignored later.
    """
-    current_principal = util.get_current_principal()
+    current_principal = krb_utils.get_principal()
    if current_principal == normalize_principal(principal):
        return None
    else:
@ -74,7 +74,7 @@ class passwd(Command):
            label=_('User name'),
            primary_key=True,
            autofill=True,
-            default_from=lambda: util.get_current_principal(),
+            default_from=lambda: krb_utils.get_principal(),
            normalizer=lambda value: normalize_principal(value),
        ),
        Password('password',
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@ -34,7 +34,6 @@ from cryptography.hazmat.primitives.serialization import load_pem_public_key,\
    load_pem_private_key
 import nss.nss as nss
 import krbV
 from ipalib.frontend import Command, Object, Local
 from ipalib import api, errors
@ -640,7 +639,7 @@ class vault_add(PKQuery, Local):
        else:
            backend = self.api.Backend.rpcclient
        if not backend.isconnected():
-            backend.connect(ccache=krbV.default_context().default_ccache())
+            backend.connect()
        if vault_type == u'standard':
@ -1239,7 +1238,7 @@ class vault_archive(PKQuery, Local):
        else:
            backend = self.api.Backend.rpcclient
        if not backend.isconnected():
-            backend.connect(ccache=krbV.default_context().default_ccache())
+            backend.connect()
        # retrieve vault info
        vault = self.api.Command.vault_show(*args, **options)['result']
@ -1508,7 +1507,7 @@ class vault_retrieve(PKQuery, Local):
        else:
            backend = self.api.Backend.rpcclient
        if not backend.isconnected():
-            backend.connect(ccache=krbV.default_context().default_ccache())
+            backend.connect()
        # retrieve vault info
        vault = self.api.Command.vault_show(*args, **options)['result']
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@ -55,7 +55,6 @@ from ipalib.errors import (public_errors, UnknownError, NetworkError,
    KerberosError, XMLRPCMarshallError, JSONError, ConversionError)
 from ipalib import errors, capabilities
 from ipalib.request import context, Connection
 from ipalib.util import get_current_principal
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
 from ipapython import kernel_keyring
@ -66,7 +65,8 @@ from ipalib.text import _
 import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
-                             KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE
+                             KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
                             KRB5_REALM_CANT_RESOLVE, get_principal
 from ipapython.dn import DN
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib import api
@ -518,10 +518,7 @@ class KerbTransport(SSLTransport):
        self._sec_context = None
    def _handle_exception(self, e, service=None):
        # kerberos library coerced error codes to signed, gssapi uses unsigned
        minor = e.min_code
        if minor & (1 << 31):
            minor -= 1 << 32
        if minor == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
            raise errors.ServiceError(service=service)
        elif minor == KRB5_FCC_NOFILE:
@ -835,7 +832,7 @@ class RPCClient(Connectible):
                          delegate=False, nss_dir=None):
        try:
            rpc_uri = self.env[self.env_rpc_uri_key]
-            principal = get_current_principal()
+            principal = get_principal()
            setattr(context, 'principal', principal)
            # We have a session cookie, try using the session URI to see if it
            # is still valid
--- a/ipalib/util.py
+++ b/ipalib/util.py
@ -61,18 +61,6 @@ def json_serialize(obj):
        return ''
    return json_serialize(obj.__json__())
 def get_current_principal():
    try:
        import gssapi
        cred = gssapi.Credentials(usage='initiate')
        return unicode(cred.name)
    except ImportError:
        raise RuntimeError('python-gssapi is not available.')
    except gssapi.exceptions.GSSError:
        #TODO: do a kinit?
        raise errors.CCacheError()
 def validate_host_dns(log, fqdn):
    """
    See if the hostname has a DNS A/AAAA record.
--- a/ipapython/config.py
+++ b/ipapython/config.py
@ -176,17 +176,6 @@ def __parse_config(discover_server = True):
 def __discover_config(discover_server = True):
    servers = []
    try:
        if not config.default_realm:
            try:
                # only import krbV when we need it
                import krbV
                krbctx = krbV.default_context()
                config.default_realm = krbctx.default_realm
            except ImportError:
                pass
            if not config.default_realm:
                return False
        if not config.default_domain:
            # try once with REALM -> domain
            domain = str(config.default_realm).lower()
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@ -34,7 +34,7 @@ import xmlrpclib
 import datetime
 import netaddr
 import time
-import krbV
+import gssapi
 import pwd
 import grp
 from dns import resolver, rdatatype
@ -54,6 +54,11 @@ GEN_PWD_LEN = 12
 IPA_BASEDN_INFO = 'ipa v2.0'
 # Having this in krb_utils would cause circular import
 KRB5_KDC_UNREACH = 2529639068 # Cannot contact any KDC for requested realm
 KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941 # A service is not available that is
                                         # required to process the request
 try:
    from subprocess import CalledProcessError
 except ImportError:
@ -1206,8 +1211,8 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
    The optional parameter 'attempts' specifies how many times the credential
    initialization should be attempted in case of non-responsive KDC.
    """
-    errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE,
+    errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE,
-                       krbV.KRB5_KDC_UNREACH}
+                       KRB5_KDC_UNREACH}
    root_logger.debug("Initializing principal %s using keytab %s"
                      % (principal, keytab))
    root_logger.debug("using ccache %s" % ccache_name)
@ -1218,18 +1223,15 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
        else:
            os.environ.pop('KRB5_CONFIG', None)
        try:
-            krbcontext = krbV.default_context()
+            name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
-            ktab = krbV.Keytab(name=keytab, context=krbcontext)
+            store = {'ccache': ccache_name,
-            princ = krbV.Principal(name=principal, context=krbcontext)
+                     'client_keytab': keytab}
-            ccache = krbV.CCache(name=ccache_name, context=krbcontext,
+            cred = gssapi.Credentials(name=name, store=store, usage='initiate')
                                 primary_principal=princ)
            ccache.init(princ)
            ccache.init_creds_keytab(keytab=ktab, principal=princ)
            root_logger.debug("Attempt %d/%d: success"
                              % (attempt, attempts))
-            return
+            return cred
-        except krbV.Krb5Error as e:
+        except gssapi.exceptions.GSSError as e:
-            if e.args[0] not in errors_to_retry:
+            if e.min_code not in errors_to_retry:
                raise
            root_logger.debug("Attempt %d/%d: failed: %s"
                              % (attempt, attempts, e))
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@ -23,7 +23,7 @@ from optparse import OptionGroup
 import base64
 from nss import nss
 from nss.error import NSPRError
-import krbV
+import gssapi
 from ipapython import admintool, certmonger, ipautil
 from ipapython.dn import DN
@ -126,9 +126,8 @@ class CACertManage(admintool.AdminTool):
        password = self.options.password
        if not password:
            try:
-                ccache = krbV.default_context().default_ccache()
+                conn.connect()
-                conn.connect(ccache=ccache)
+            except (gssapi.exceptions.GSSError, errors.ACIError):
            except (krbV.Krb5Error, errors.ACIError):
                pass
            else:
                return conn
--- a/ipaserver/install/ipa_ldap_updater.py
+++ b/ipaserver/install/ipa_ldap_updater.py
@ -26,8 +26,6 @@
 import os
 import sys
 import krbV
 from ipalib import api
 from ipapython import ipautil, admintool
 from ipaplatform.paths import paths
@ -100,7 +98,7 @@ class LDAPUpdater_Upgrade(LDAPUpdater):
        super(LDAPUpdater_Upgrade, self).run()
        options = self.options
-        realm = krbV.default_context().default_realm
+        realm = api.env.realm
        upgrade = IPAUpgrade(realm, self.files,
                             schema_files=options.schema_files)
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@ -30,7 +30,7 @@ from lxml import etree
 import dateutil.parser
 import dateutil.tz
 import nss.nss as nss
-import krbV
+import gssapi
 from ipapython import admintool
 from ipalib import api, errors
@ -509,9 +509,8 @@ class OTPTokenImport(admintool.AdminTool):
        conn = ldap2(api)
        try:
-            ccache = krbV.default_context().default_ccache()
+            conn.connect()
-            conn.connect(ccache=ccache)
+        except (gssapi.exceptions.GSSError, errors.ACIError):
        except (krbV.Krb5Error, errors.ACIError):
            raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
        try:
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@ -17,7 +17,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
-import krbV
+import gssapi
 import sys
 from ipalib import api
@ -321,12 +321,10 @@ class WinsyncMigrate(admintool.AdminTool):
        # Setup LDAP connection
        try:
-            ctx = krbV.default_context()
+            api.Backend.ldap2.connect()
            ccache = ctx.default_ccache()
            api.Backend.ldap2.connect(ccache)
            cls.ldap = api.Backend.ldap2
-        except krbV.Krb5Error as e:
+        except gssapi.exceptions.GSSError as e:
-            sys.exit("Must have Kerberos credentials to migrate Winsync users.")
+            sys.exit("Must have Kerberos credentials to migrate Winsync users. Error: %s" % e)
        except errors.ACIError as e:
            sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket.")
        except errors.DatabaseError as e:
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@ -32,7 +32,6 @@ import pwd
 import fnmatch
 import re
 import krbV
 import ldap
 from ipaserver.install import installutils
@ -272,13 +271,8 @@ class LDAPUpdate:
        if sub_dict.get("REALM"):
            self.realm = sub_dict["REALM"]
        else:
-            krbctx = krbV.default_context()
+            self.realm = api.env.realm
-            try:
+            suffix = ipautil.realm_to_suffix(self.realm) if self.realm else None
                self.realm = krbctx.default_realm
                suffix = ipautil.realm_to_suffix(self.realm)
            except krbV.Krb5Error:
                self.realm = None
                suffix = None
        if suffix is not None:
            assert isinstance(suffix, DN)
--- a/ipaserver/install/schemaupdate.py
+++ b/ipaserver/install/schemaupdate.py
@ -20,9 +20,9 @@
 import pprint
 import ldap.schema
 import krbV
 import ipapython.version
 from ipalib import api
 from ipapython.ipa_log_manager import log_mgr
 from ipapython.dn import DN
 from ipaserver.install.ldapupdate import connect
@ -106,7 +106,7 @@ def update_schema(schema_files, ldapi=False, dm_password=None,):
    SCHEMA_ELEMENT_CLASSES_KEYS = [x[0] for x in SCHEMA_ELEMENT_CLASSES]
    conn = connect(ldapi=ldapi, dm_password=dm_password,
-                   realm=krbV.default_context().default_realm,
+                   realm=api.env.realm,
                   fqdn=installutils.get_fqdn())
    old_schema = conn.schema
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -9,7 +9,6 @@ import pwd
 import fileinput
 import ConfigParser
 import sys
 import krbV
 from ipalib import api
 import SSSDConfig
@ -1567,7 +1566,7 @@ def upgrade_check(options):
 def upgrade():
-    realm = krbV.default_context().default_realm
+    realm = api.env.realm
    schema_files = [os.path.join(ipautil.SHARE_DIR, f) for f
                    in dsinstance.ALL_SCHEMA_FILES]
    data_upgrade = IPAUpgrade(realm, schema_files=schema_files)
--- a/ipaserver/plugins/join.py
+++ b/ipaserver/plugins/join.py
@ -21,8 +21,6 @@
 Joining an IPA domain
 """
 import krbV
 from ipalib import api
 from ipalib import Command, Str
 from ipalib import errors
@ -30,15 +28,6 @@ from ipalib import _
 from ipaserver.install import installutils
 def get_realm():
    """
    Returns the default kerberos realm configured for this server.
    """
    krbctx = krbV.default_context()
    return unicode(krbctx.default_realm)
 def validate_host(ugettext, cn):
    """
    Require at least one dot in the hostname (to support localhost.localdomain)
@ -66,7 +55,7 @@ class join(Command):
    takes_options = (
        Str('realm',
            doc=_("The IPA realm"),
-            default_from=lambda: get_realm(),
+            default_from=lambda: api.env.realm,
            autofill=True,
        ),
        Str('nshardwareplatform?',
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@ -30,11 +30,12 @@ Backend plugin for LDAP.
 import os
 import pwd
 import krbV
 import ldap as _ldap
 from ipalib import krb_utils
 from ipapython.dn import DN
-from ipapython.ipaldap import SASL_GSSAPI, LDAPClient
+from ipapython.ipaldap import (LDAPClient, AUTOBIND_AUTO, AUTOBIND_ENABLED,
                               AUTOBIND_DISABLED)
 try:
@ -88,13 +89,14 @@ class ldap2(CrudBackend, LDAPClient):
    def create_connection(self, ccache=None, bind_dn=None, bind_pw='',
            tls_cacertfile=None, tls_certfile=None, tls_keyfile=None,
-            debug_level=0, autobind=False, serverctrls=None, clientctrls=None):
+            debug_level=0, autobind=AUTOBIND_AUTO, serverctrls=None,
            clientctrls=None):
        """
        Connect to LDAP server.
        Keyword arguments:
        ldapuri -- the LDAP server to connect to
-        ccache -- Kerberos V5 ccache object or name
+        ccache -- Kerberos ccache name
        bind_dn -- dn used to bind to the server
        bind_pw -- password used to bind to the server
        debug_level -- LDAP debug level option
@ -122,8 +124,6 @@ class ldap2(CrudBackend, LDAPClient):
        conn = self._conn
        with self.error_handler():
            if self.ldap_uri.startswith('ldapi://') and ccache:
                conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host)
            minssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MIN)
            maxssf = conn.get_option(_ldap.OPT_X_SASL_SSF_MAX)
            # Always connect with at least an SSF of 56, confidentiality
@ -134,33 +134,37 @@ class ldap2(CrudBackend, LDAPClient):
                if maxssf < minssf:
                    conn.set_option(_ldap.OPT_X_SASL_SSF_MAX, minssf)
-        if ccache is not None:
+        ldapi = self.ldap_uri.startswith('ldapi://')
-            if isinstance(ccache, krbV.CCache):
+
-                principal = ccache.principal().name
+        if bind_pw:
-                # Get a fully qualified CCACHE name (schema+name)
+            self.simple_bind(bind_dn, bind_pw,
-                # As we do not use the krbV.CCache object later,
+                             server_controls=serverctrls,
-                # we can safely overwrite it
+                             client_controls=clientctrls)
-                ccache = "%(type)s:%(name)s" % dict(type=ccache.type,
+        elif autobind != AUTOBIND_DISABLED and os.getegid() == 0 and ldapi:
-                                                    name=ccache.name)
+            try:
-            else:
+                pw_name = pwd.getpwuid(os.geteuid()).pw_name
-                principal = krbV.CCache(name=ccache,
+                self.external_bind(pw_name,
-                    context=krbV.default_context()).principal().name
+                                   server_controls=serverctrls,
                                   client_controls=clientctrls)
            except errors.NotFound:
                if autobind == AUTOBIND_ENABLED:
                    # autobind was required and failed, raise
                    # exception that it failed
                    raise
        else:
            if ldapi:
                with self.error_handler():
                    conn.set_option(_ldap.OPT_HOST_NAME, self.api.env.host)
            if ccache is None:
                os.environ.pop('KRB5CCNAME', None)
            else:
                os.environ['KRB5CCNAME'] = ccache
            principal = krb_utils.get_principal(ccache_name=ccache)
            os.environ['KRB5CCNAME'] = ccache
            self.gssapi_bind(server_controls=serverctrls,
                             client_controls=clientctrls)
            setattr(context, 'principal', principal)
        else:
            # no kerberos ccache, use simple bind or external sasl
            if autobind:
                pent = pwd.getpwuid(os.geteuid())
                self.external_bind(pent.pw_name,
                                   server_controls=serverctrls,
                                   client_controls=clientctrls)
            else:
                self.simple_bind(bind_dn, bind_pw,
                                 server_controls=serverctrls,
                                 client_controls=clientctrls)
        return conn
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@ -30,7 +30,8 @@ import datetime
 import urlparse
 import json
 import traceback
-from krbV import Krb5Error
+import gssapi
 import time
 import ldap.controls
 from pyasn1.type import univ, namedtype
@ -54,8 +55,8 @@ from ipalib.session import (
    default_max_session_duration, krbccache_dir, krbccache_prefix)
 from ipalib.backend import Backend
 from ipalib.krb_utils import (
-    KRB5_CCache, krb_ticket_expiration_threshold, krb5_format_principal_name,
+    krb_ticket_expiration_threshold, krb5_format_principal_name,
-    krb5_format_service_principal_name)
+    krb5_format_service_principal_name, get_credentials, get_credentials_if_valid)
 from ipapython import ipautil
 from ipaplatform.paths import paths
 from ipapython.version import VERSION
@ -593,8 +594,8 @@ class KerberosSession(object):
        session_data['ccache_data'] = load_ccache_data(ccache_name)
        # Set when the session will expire
-        cc = KRB5_CCache(ccache_name)
+        creds = get_credentials(ccache_name=ccache_name)
-        endtime = cc.endtime(self.api.env.host, self.api.env.realm)
+        endtime = creds.lifetime + time.time()
        self.update_session_expiration(session_data, endtime)
        # Store the session data now that it's been updated with the ccache
@ -789,15 +790,15 @@ class jsonserver_session(jsonserver, KerberosSession):
        ipa_ccache_name = bind_ipa_ccache(ccache_data)
        # Redirect to login if Kerberos credentials are expired
-        cc = KRB5_CCache(ipa_ccache_name)
+        creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
-        if not cc.valid(self.api.env.host, self.api.env.realm):
+        if not creds:
            self.debug('ccache expired, deleting session, need login')
            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            return self.need_login(start_response)
        # Update the session expiration based on the Kerberos expiration
-        endtime = cc.endtime(self.api.env.host, self.api.env.realm)
+        endtime = creds.lifetime + time.time()
        self.update_session_expiration(session_data, endtime)
        # Store the session data in the per-thread context
@ -962,7 +963,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
        try:
            ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path)
-        except Krb5Error as e:
+        except gssapi.exceptions.GSSError as e:
            raise CCacheError(str(e))
        # Format the user as a kerberos principal
@ -1229,15 +1230,15 @@ class xmlserver_session(xmlserver, KerberosSession):
        ipa_ccache_name = bind_ipa_ccache(ccache_data)
        # Redirect to /ipa/xml if Kerberos credentials are expired
-        cc = KRB5_CCache(ipa_ccache_name)
+        creds = get_credentials_if_valid(ccache_name=ipa_ccache_name)
-        if not cc.valid(self.api.env.host, self.api.env.realm):
+        if not creds:
            self.debug('xmlserver_session.__call_: ccache expired, deleting session, need login')
            # The request is finished with the ccache, destroy it.
            release_ipa_ccache(ipa_ccache_name)
            return self.need_login(start_response)
        # Update the session expiration based on the Kerberos expiration
-        endtime = cc.endtime(self.api.env.host, self.api.env.realm)
+        endtime = creds.lifetime + time.time()
        self.update_session_expiration(session_data, endtime)
        # Store the session data in the per-thread context
--- a/ipatests/test_cmdline/cmdline.py
+++ b/ipatests/test_cmdline/cmdline.py
@ -22,7 +22,6 @@ Base class for all cmdline tests
 """
 import nose
 import krbV
 import distutils.spawn
 import os
@ -33,11 +32,9 @@ from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
 from ipaserver.plugins.ldap2 import ldap2
 # See if our LDAP server is up and we can talk to it over GSSAPI
 ccache = krbV.default_context().default_ccache()
 try:
    conn = ldap2(api)
-    conn.connect(ccache=ccache)
+    conn.connect()
    conn.disconnect()
    server_available = True
 except errors.DatabaseError:
--- a/ipatests/test_cmdline/test_ipagetkeytab.py
+++ b/ipatests/test_cmdline/test_ipagetkeytab.py
@ -26,10 +26,10 @@ from cmdline import cmdline_test
 from ipalib import api
 from ipalib import errors
 import tempfile
-from ipapython import ipautil
+from ipapython import ipautil, ipaldap
 import nose
 import tempfile
-import krbV
+import gssapi
 from ipaserver.plugins.ldap2 import ldap2
 from ipapython.dn import DN
@ -37,21 +37,18 @@ def use_keytab(principal, keytab):
    try:
        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
        ccache_file = 'FILE:%s/ccache' % tmpdir
-        krbcontext = krbV.default_context()
+        name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
-        principal = str(principal)
+        store = {'ccache': ccache_file,
-        keytab = krbV.Keytab(name=keytab, context=krbcontext)
+                 'client_keytab': keytab}
        principal = krbV.Principal(name=principal, context=krbcontext)
        os.environ['KRB5CCNAME'] = ccache_file
-        ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=principal)
+        gssapi.Credentials(name=name, usage='initiate', store=store)
        ccache.init(principal)
        ccache.init_creds_keytab(keytab=keytab, principal=principal)
        conn = ldap2(api)
-        conn.connect(ccache=ccache)
+        conn.connect(autobind=ipaldap.AUTOBIND_DISABLED)
        conn.disconnect()
-    except krbV.Krb5Error as e:
+    except gssapi.exceptions.GSSError as e:
-        raise StandardError('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal.name, keytab, str(e)))
+        raise StandardError('Unable to bind to LDAP. Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
    finally:
-        del os.environ['KRB5CCNAME']
+        os.environ.pop('KRB5CCNAME', None)
        if tmpdir:
            shutil.rmtree(tmpdir)
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@ -34,7 +34,6 @@ try:
 except ImportError:
    have_ldap2 = False
 else:
    import krbV
    have_ldap2 = True
 _dns_zone_record = DNSName(u'@')
@ -402,7 +401,7 @@ def _get_nameservers_ldap(conn):
 def get_nameservers():
        ldap = ldap2(api)
-        ldap.connect(ccache=krbV.default_context().default_ccache())
+        ldap.connect()
        nameservers = [normalize_zone(x) for x in _get_nameservers_ldap(ldap)]
        return nameservers
--- a/ipatests/test_xmlrpc/test_netgroup_plugin.py
+++ b/ipatests/test_xmlrpc/test_netgroup_plugin.py
@ -22,7 +22,6 @@ Test the `ipalib/plugins/netgroup.py` module.
 """
 import nose
 import krbV
 from ipalib import api
 from ipalib import errors
@ -36,9 +35,6 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result
 # Global so we can save the value between tests
 netgroup_dn = None
 # See if our LDAP server is up and we can talk to it over GSSAPI
 ccache = krbV.default_context().default_ccache().name
 netgroup1 = u'netgroup1'
 netgroup2 = u'netgroup2'
 netgroup_single = u'a'
@ -1298,7 +1294,7 @@ class test_netgroup(Declarative):
 #        # Do an LDAP query to the compat area and verify that the entry
 #        # is correct
 #        conn = ldap2(api)
-#        conn.connect(ccache=ccache)
+#        conn.connect()
 #        try:
 #            entries = conn.find_entries('cn=%s' % self.ng_cn,
 #                      base_dn='cn=ng,cn=compat,%s' % api.env.basedn)
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@ -37,7 +37,6 @@ try:
 except ImportError:
    have_ldap2 = False
 else:
    import krbV
    have_ldap2 = True
 permission1 = u'testperm'
@ -3175,7 +3174,7 @@ class test_managed_permissions(Declarative):
    def add_managed_permission(self):
        """Add a managed permission and the corresponding ACI"""
        ldap = ldap2(api)
-        ldap.connect(ccache=krbV.default_context().default_ccache())
+        ldap.connect()
        result = api.Command.permission_add(permission1, type=u'user',
                                            ipapermright=u'write',
--- a/lite-server.py
+++ b/lite-server.py
@ -37,13 +37,27 @@ from paste import httpserver
 import paste.gzipper
 from paste.urlmap import URLMap
 from ipalib import api
 from subprocess import check_output, CalledProcessError
 import re
 # Ugly hack for test purposes only. GSSAPI has no way to get default ccache
 # name, but we don't need it outside test server
 def get_default_ccache_name():
    try:
        out = check_output(['klist'])
    except CalledProcessError:
        raise RuntimeError("Default ccache not found. Did you kinit?")
    match = re.match(r'^Ticket cache:\s*(\S+)', out)
    if not match:
        raise RuntimeError("Cannot obtain ccache name")
    return match.group(1)
 class KRBCheater(object):
    def __init__(self, app):
        self.app = app
        self.url = app.url
-        self.ccname = api.Backend.krb.default_ccname()
+        self.ccname = get_default_ccache_name()
    def __call__(self, environ, start_response):
        environ['KRB5CCNAME'] = self.ccname
--- a/4
+++ b/4
@ -50,7 +50,6 @@ class IPATypeChecker(TypeChecker):
    # 'class or module': ['generated', 'properties']
    ignore = {
        # Python standard library & 3rd party classes
        'krbV.Principal': ['name'],
        'socket._socketobject': ['sendall'],
        # should be 'subprocess.Popen'
        '.Popen': ['stdin', 'stdout', 'stderr', 'pid', 'returncode', 'poll',
@ -68,7 +67,6 @@ class IPATypeChecker(TypeChecker):
        'ipalib.base.NameSpace': ['add', 'mod', 'del', 'show', 'find'],
        'ipalib.cli.Collector': ['__options'],
        'ipalib.config.Env': ['*'],
        'ipalib.krb_utils.KRB5_CCache': LOGGING_ATTRS,
        'ipalib.parameters.Param': ['cli_name', 'cli_short_name', 'label',
            'default', 'doc', 'required', 'multivalue', 'primary_key',
            'normalizer', 'default_from', 'autofill', 'query', 'attribute',
@ -261,7 +259,7 @@ Errors were found during the static code check.
            for mod in sorted(linter.missing):
                print >> sys.stderr, "    " + mod
            print >> sys.stderr, """
-Please make sure all of the required and optional (python-krbV, python-rhsm)
+Please make sure all of the required and optional (python-gssapi, python-rhsm)
 python packages are installed.
 """