Rewrap errors in get_principal to CCacheError

Causes nicer error message when kerberos credentials are not available. https://fedorahosted.org/freeipa/ticket/5272 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-08-31 14:04:33 +02:00 · 2015-08-31 14:04:33 +02:00 · bdccebbcdb
commit bdccebbcdb
parent cfeea91828
4 changed files with 16 additions and 8 deletions
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@ -310,7 +310,7 @@ def main():

    try:
        principal = krb_utils.get_principal()
-    except gssapi.exceptions.GSSError as e:
+    except errors.CCacheError as e:
        sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)

    try:
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@ -173,9 +173,15 @@ def get_principal(ccache_name=None):
        default
    :returns:
      Default principal name as string
+    :raises:
+      errors.CCacheError if the principal cannot be retrieved from given
+      ccache
    '''
-    creds = get_credentials(ccache_name=ccache_name)
-    return unicode(creds.name)
+    try:
+        creds = get_credentials(ccache_name=ccache_name)
+        return unicode(creds.name)
+    except gssapi.exceptions.GSSError as e:
+        raise errors.CCacheError(message=unicode(e))

 def get_credentials_if_valid(name=None, ccache_name=None):
    '''
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@ -67,7 +67,7 @@ import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
                             KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
-                             KRB5_REALM_CANT_RESOLVE, get_principal
+                             KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
 from ipapython.dn import DN
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib import api
@ -535,8 +535,10 @@ class KerbTransport(SSLTransport):
            raise errors.BadCCacheFormat()
        elif minor == KRB5_REALM_CANT_RESOLVE:
            raise errors.CannotResolveKDC()
+        elif minor == KRB5_CC_NOTFOUND:
+            raise errors.CCacheError()
        else:
-            raise errors.KerberosError(major=e.maj_code, minor=minor)
+            raise errors.KerberosError(message=unicode(e))

    def get_host_info(self, host):
        """
@ -842,7 +844,7 @@ class RPCClient(Connectible):
            # is still valid
            if not delegate:
                rpc_uri = self.apply_session_cookie(rpc_uri)
-        except ValueError:
+        except (errors.CCacheError, ValueError):
            # No session key, do full Kerberos auth
            pass
        # This might be dangerous. Use at your own risk!
@ -888,7 +890,7 @@ class RPCClient(Connectible):
                break
            except KerberosError as krberr:
                # kerberos error on one server is likely on all
-                raise errors.KerberosError(major=str(krberr), minor='')
+                raise errors.KerberosError(message=unicode(krberr))
            except ProtocolError as e:
                if hasattr(context, 'session_cookie') and e.errcode == 401:
                    # Unauthorized. Remove the session and try again.
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@ -968,7 +968,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
        try:
            ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path)
        except gssapi.exceptions.GSSError as e:
-            raise CCacheError(str(e))
+            raise CCacheError(message=unicode(e))

        # Format the user as a kerberos principal
        principal = krb5_format_principal_name(user, realm)