That was it. Moving forward. Again, many thanks.
I suspect FreeIPA/RH-IdM 4.7.x will not be released to CentOS/RHEL 7, right ? ______________________________________________________________________________________________ Daniel E. White daniel.e.wh...@nasa.gov<mailto:daniel.e.wh...@nasa.gov> NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290 From: Alexander Bokovoy <aboko...@redhat.com> Date: Thursday, February 13, 2020 at 14:14 To: FreeIPA users list <freeipa-users@lists.fedorahosted.org> Cc: Rob Crittenden <rcrit...@redhat.com>, Daniel White <daniel.e.wh...@nasa.gov> Subject: [EXTERNAL] Re: [Freeipa-users] Python-ing into FreeIPA - hit a glitch On to, 13 helmi 2020, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote: Alexander, I followed your instructions and ran into a problem. These commands went as described: $ ipa service-add api-requester/`hostname` $ ipa service-allow-retrieve-keytab api-requester/`hostname` --users=me $ ipa service-allow-create-keytab api-requester/`hostname` --users=me $ ipa-getkeytab -Y GSSAPI -k api-requester.keytab -p api-requester/`me` $ KRB5_CLIENT_KTNAME=./api-requester.keytab KRB5CCNAME=./api.ccache ipa console (Custom IPA interactive Python console) api: IPA API object pp: pretty printer api.Command.whoami() {'object': 'service', 'command': 'service_show/1', 'arguments': ('api-requester/some-host.example....@example.com<mailto:api-requester/some-host.example....@example.com>',)} HOWEVER, when I tried this: api.Command.service_show('api-requester/some-host.example....@example.com<mailto:api-requester/some-host.example....@example.com>') I got this error: Traceback (most recent call last): File "<console>", line 1, in <module> File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__ return self.__do_call(*args, **options) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 471, in __do_call params = self.convert(**params) File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 672, in convert (k, self.params[k].convert(v)) for (k, v) in kw.items() File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 672, in <genexpr> (k, self.params[k].convert(v)) for (k, v) in kw.items() File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 852, in convert return convert(value) File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 839, in convert return self._convert_scalar(value) File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 2152, in _convert_scalar return super(Principal, self)._convert_scalar(value) File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 862, in _convert_scalar raise ConversionError(name=self.name, error=ugettext(self.type_error)) ConversionError: invalid 'krbcanonicalname': must be Kerberos principal The argument I used in the "service_show" is identical to the argument returned from the "whoami" command. What is even stranger, If I exit the console and try : api.Command.ipa service-show api-requester/some-host.example....@example.com<mailto:api-requester/some-host.example....@example.com> I get the expected response. I ran this on a CentOS 7 IPA client v4.6.5-11.el7.centos.3.x86_64 The server is RHEL 7, IPA/RH-IdM server v4.6.5-11.el7_7.3.x86_64 Any ideas ? Can you try u'api-requester/...' as an argument to service_show(..)? Python 3 treats strings as unicode by default, Python 2 needs u'...'. When you run ipa CLI commands, we do Unicode transformation ourselves, but inside Python console it is your duty. BTW, note that services as members of group will not work in FreeIPA before 4.7, so you need Fedora or RHEL 8. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org