Rewrap errors in get_principal to CCacheError

Causes nicer error message when kerberos credentials are not available.

https://fedorahosted.org/freeipa/ticket/5272

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>

install/tools/ipa-adtrust-install

@@ -310,7 +310,7 @@ def main():
 
     try:
         principal = krb_utils.get_principal()
-    except gssapi.exceptions.GSSError as e:
+    except errors.CCacheError as e:
         sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)
 
     try:

ipalib/krb_utils.py

@@ -173,9 +173,15 @@ def get_principal(ccache_name=None):
         default
     :returns:
       Default principal name as string
+    :raises:
+      errors.CCacheError if the principal cannot be retrieved from given
+      ccache
     '''
-    creds = get_credentials(ccache_name=ccache_name)
+    try:
-    return unicode(creds.name)
+        creds = get_credentials(ccache_name=ccache_name)
+        return unicode(creds.name)
+    except gssapi.exceptions.GSSError as e:
+        raise errors.CCacheError(message=unicode(e))
 
 def get_credentials_if_valid(name=None, ccache_name=None):
     '''

ipalib/rpc.py

@@ -67,7 +67,7 @@ import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
                              KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
-                             KRB5_REALM_CANT_RESOLVE, get_principal
+                             KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
 from ipapython.dn import DN
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib import api
@@ -535,8 +535,10 @@ class KerbTransport(SSLTransport):
             raise errors.BadCCacheFormat()
         elif minor == KRB5_REALM_CANT_RESOLVE:
             raise errors.CannotResolveKDC()
+        elif minor == KRB5_CC_NOTFOUND:
+            raise errors.CCacheError()
         else:
-            raise errors.KerberosError(major=e.maj_code, minor=minor)
+            raise errors.KerberosError(message=unicode(e))
 
     def get_host_info(self, host):
         """
@@ -842,7 +844,7 @@ class RPCClient(Connectible):
             # is still valid
             if not delegate:
                 rpc_uri = self.apply_session_cookie(rpc_uri)
-        except ValueError:
+        except (errors.CCacheError, ValueError):
             # No session key, do full Kerberos auth
             pass
         # This might be dangerous. Use at your own risk!
@@ -888,7 +890,7 @@ class RPCClient(Connectible):
                 break
             except KerberosError as krberr:
                 # kerberos error on one server is likely on all
-                raise errors.KerberosError(major=str(krberr), minor='')
+                raise errors.KerberosError(message=unicode(krberr))
             except ProtocolError as e:
                 if hasattr(context, 'session_cookie') and e.errcode == 401:
                     # Unauthorized. Remove the session and try again.

ipaserver/rpcserver.py

@@ -968,7 +968,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
         try:
             ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path)
         except gssapi.exceptions.GSSError as e:
-            raise CCacheError(str(e))
+            raise CCacheError(message=unicode(e))
 
         # Format the user as a kerberos principal
         principal = krb5_format_principal_name(user, realm)