Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 04/20/2015 09:48 AM, Jan Cholasta wrote:
Dne 15.4.2015 v 15:17 Martin Babinsky napsal(a):
On 04/13/2015 02:16 PM, Martin Babinsky wrote:
On 04/09/2015 03:38 PM, Jan Cholasta wrote:
Some comments:
Patch 15:
1) The functions should be as similar as possible:
a) kinit_password() should have a 'ccache_path' argument
instead of
passing the path in KRB5CCNAME in the 'env' argument.
b) I don't think kinit_password() should have the 'env'
argument at
all. You can always call kinit with LC_ALL=C and set other variables in
os.environ if you want.
c) The arguments should have the same ordering.
d) Either set KRB5CCNAME in both kinit_keytab() and
kinit_password() or in none of them.
e) Either rename armor_ccache to armor_ccache_path or ccache_path
to ccache.
I have done some reordering of parameters in both functions so they are
very similar now and the parameter ordering should make more sense (at
least to me).
Neither of them sets KRB5CCNAME env. variable since I think that it is
not a very good practice and the developer should be responsible for
pointing to correct CCache path. Jan agrees with this and the other
patches are updated accordingly.
2) Space before comma in docstring:
+Given a ccache_path , keytab file and a principal kinit as that
user.
3) I would prefer if the default value of 'armor_ccache' in
kinit_password() was None.
Fixed.
Patch 16:
1) The callback should not be named 'validate_kinit_attempts_option',
but rather 'kinit_attempts_callback', as it doesn't just validate the
value.
Fixed.
2) Why is there the sys.maxint upper bound on --kinit-attempts again? A
comment with explanation would be nice.
It actually doesn't make much sense to have such upper bound, so I have
removed it from the check and updated the error message accordingly.
Patch 17:
1) Is there a reason for the ccache filename changes in DNSSEC code?
That was Petr Spacek's request since a sane naming of persistent Ccaches
makes debugging of Kerberos-related errors a bit easier for him.
Attaching updated patches.
Jan had some further suggestions so I am attaching updated patches which
should reflect them.
He also recommended to split the naming changes of DNSSEC daemon
credential caches to a separate patch, so I will submit them later when
this patchset is pushed.
ACK. The patches need to be rebased on top of ipa-4-1 though.
Right, attaching rebased patches.
--
Martin^3 Babinsky
From 221023c2680b5f4e7895cad9d969a6e81c38518d Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 16 Mar 2015 16:28:54 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising Krb5Error.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 71 +++-
1 file changed, 54 insertions(+), 17 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 24c090f91acf7af0dc6026cdc403dabcb019cc6d..5111c983ac40f7be64d2bc7088bea3855d79dd25 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1185,27 +1185,64 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(principal, keytab, ccache_name, attempts=1):
+
+Given a ccache_path, keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted in case of non-responsive KDC.
-Given a ccache directory and a principal kinit as that user.
+errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE,
+ krbV.KRB5_KDC_UNREACH}
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+root_logger.debug(using ccache %s % ccache_name)
+for attempt in range(1, attempts + 1):
+try:
+krbcontext = krbV.default_context()
+ktab = krbV.Keytab(name=keytab, context=krbcontext)
+princ = krbV.Principal(name=principal, context=krbcontext)
+ccache = krbV.CCache(name=ccache_name, context=krbcontext,
+ primary_principal=princ)
+ccache.init(princ)
+ccache.init_creds_keytab(keytab=ktab, principal=princ)
+root_logger.debug(Attempt %d/%d: success
+ % (attempt, attempts))
+return
+except krbV.Krb5Error as e:
+if e.args[0] not in errors_to_retry:
+raise
+root_logger.debug(Attempt %d/%d: failed: %s
+ % (attempt, attempts, e))
+
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Dne 20.4.2015 v 10:06 Martin Babinsky napsal(a): On 04/20/2015 09:48 AM, Jan Cholasta wrote: Dne 15.4.2015 v 15:17 Martin Babinsky napsal(a): On 04/13/2015 02:16 PM, Martin Babinsky wrote: On 04/09/2015 03:38 PM, Jan Cholasta wrote: Some comments: Patch 15: 1) The functions should be as similar as possible: a) kinit_password() should have a 'ccache_path' argument instead of passing the path in KRB5CCNAME in the 'env' argument. b) I don't think kinit_password() should have the 'env' argument at all. You can always call kinit with LC_ALL=C and set other variables in os.environ if you want. c) The arguments should have the same ordering. d) Either set KRB5CCNAME in both kinit_keytab() and kinit_password() or in none of them. e) Either rename armor_ccache to armor_ccache_path or ccache_path to ccache. I have done some reordering of parameters in both functions so they are very similar now and the parameter ordering should make more sense (at least to me). Neither of them sets KRB5CCNAME env. variable since I think that it is not a very good practice and the developer should be responsible for pointing to correct CCache path. Jan agrees with this and the other patches are updated accordingly. 2) Space before comma in docstring: +Given a ccache_path , keytab file and a principal kinit as that user. 3) I would prefer if the default value of 'armor_ccache' in kinit_password() was None. Fixed. Patch 16: 1) The callback should not be named 'validate_kinit_attempts_option', but rather 'kinit_attempts_callback', as it doesn't just validate the value. Fixed. 2) Why is there the sys.maxint upper bound on --kinit-attempts again? A comment with explanation would be nice. It actually doesn't make much sense to have such upper bound, so I have removed it from the check and updated the error message accordingly. Patch 17: 1) Is there a reason for the ccache filename changes in DNSSEC code? That was Petr Spacek's request since a sane naming of persistent Ccaches makes debugging of Kerberos-related errors a bit easier for him. Attaching updated patches. Jan had some further suggestions so I am attaching updated patches which should reflect them. He also recommended to split the naming changes of DNSSEC daemon credential caches to a separate patch, so I will submit them later when this patchset is pushed. ACK. The patches need to be rebased on top of ipa-4-1 though. Right, attaching rebased patches. Thanks. Pushed to: master: 3d2feac0e416c66ba37eee53ef5b3833c2c3e414 ipa-4-1: 0ca8254959f3566c322eb7b20c6d6522814d78d1 -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Dne 15.4.2015 v 15:17 Martin Babinsky napsal(a): On 04/13/2015 02:16 PM, Martin Babinsky wrote: On 04/09/2015 03:38 PM, Jan Cholasta wrote: Some comments: Patch 15: 1) The functions should be as similar as possible: a) kinit_password() should have a 'ccache_path' argument instead of passing the path in KRB5CCNAME in the 'env' argument. b) I don't think kinit_password() should have the 'env' argument at all. You can always call kinit with LC_ALL=C and set other variables in os.environ if you want. c) The arguments should have the same ordering. d) Either set KRB5CCNAME in both kinit_keytab() and kinit_password() or in none of them. e) Either rename armor_ccache to armor_ccache_path or ccache_path to ccache. I have done some reordering of parameters in both functions so they are very similar now and the parameter ordering should make more sense (at least to me). Neither of them sets KRB5CCNAME env. variable since I think that it is not a very good practice and the developer should be responsible for pointing to correct CCache path. Jan agrees with this and the other patches are updated accordingly. 2) Space before comma in docstring: +Given a ccache_path , keytab file and a principal kinit as that user. 3) I would prefer if the default value of 'armor_ccache' in kinit_password() was None. Fixed. Patch 16: 1) The callback should not be named 'validate_kinit_attempts_option', but rather 'kinit_attempts_callback', as it doesn't just validate the value. Fixed. 2) Why is there the sys.maxint upper bound on --kinit-attempts again? A comment with explanation would be nice. It actually doesn't make much sense to have such upper bound, so I have removed it from the check and updated the error message accordingly. Patch 17: 1) Is there a reason for the ccache filename changes in DNSSEC code? That was Petr Spacek's request since a sane naming of persistent Ccaches makes debugging of Kerberos-related errors a bit easier for him. Attaching updated patches. Jan had some further suggestions so I am attaching updated patches which should reflect them. He also recommended to split the naming changes of DNSSEC daemon credential caches to a separate patch, so I will submit them later when this patchset is pushed. ACK. The patches need to be rebased on top of ipa-4-1 though. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 04/13/2015 02:16 PM, Martin Babinsky wrote:
On 04/09/2015 03:38 PM, Jan Cholasta wrote:
Some comments:
Patch 15:
1) The functions should be as similar as possible:
a) kinit_password() should have a 'ccache_path' argument instead of
passing the path in KRB5CCNAME in the 'env' argument.
b) I don't think kinit_password() should have the 'env' argument at
all. You can always call kinit with LC_ALL=C and set other variables in
os.environ if you want.
c) The arguments should have the same ordering.
d) Either set KRB5CCNAME in both kinit_keytab() and
kinit_password() or in none of them.
e) Either rename armor_ccache to armor_ccache_path or ccache_path
to ccache.
I have done some reordering of parameters in both functions so they are
very similar now and the parameter ordering should make more sense (at
least to me).
Neither of them sets KRB5CCNAME env. variable since I think that it is
not a very good practice and the developer should be responsible for
pointing to correct CCache path. Jan agrees with this and the other
patches are updated accordingly.
2) Space before comma in docstring:
+Given a ccache_path , keytab file and a principal kinit as that
user.
3) I would prefer if the default value of 'armor_ccache' in
kinit_password() was None.
Fixed.
Patch 16:
1) The callback should not be named 'validate_kinit_attempts_option',
but rather 'kinit_attempts_callback', as it doesn't just validate the
value.
Fixed.
2) Why is there the sys.maxint upper bound on --kinit-attempts again? A
comment with explanation would be nice.
It actually doesn't make much sense to have such upper bound, so I have
removed it from the check and updated the error message accordingly.
Patch 17:
1) Is there a reason for the ccache filename changes in DNSSEC code?
That was Petr Spacek's request since a sane naming of persistent Ccaches
makes debugging of Kerberos-related errors a bit easier for him.
Attaching updated patches.
Jan had some further suggestions so I am attaching updated patches which
should reflect them.
He also recommended to split the naming changes of DNSSEC daemon
credential caches to a separate patch, so I will submit them later when
this patchset is pushed.
--
Martin^3 Babinsky
From f73731c388e39fe0ff6bbaaa534ddc80248956b6 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 16 Mar 2015 16:28:54 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising Krb5Error.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 71 +++-
1 file changed, 54 insertions(+), 17 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 6a06a8e956552597dfd48128b60a1dd6a4cc92f6..bdbf8da49ba4136a7948d31616f1dcf348662ccf 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1185,27 +1185,64 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(principal, keytab, ccache_name, attempts=1):
+
+Given a ccache_path, keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted in case of non-responsive KDC.
-Given a ccache directory and a principal kinit as that user.
+errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE,
+ krbV.KRB5_KDC_UNREACH}
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+root_logger.debug(using ccache %s % ccache_name)
+for attempt in range(1, attempts + 1):
+try:
+krbcontext = krbV.default_context()
+ktab = krbV.Keytab(name=keytab, context=krbcontext)
+princ = krbV.Principal(name=principal, context=krbcontext)
+ccache = krbV.CCache(name=ccache_name, context=krbcontext,
+ primary_principal=princ)
+ccache.init(princ)
+ccache.init_creds_keytab(keytab=ktab, principal=princ)
+root_logger.debug(Attempt %d/%d: success
+ % (attempt, attempts))
+return
+except krbV.Krb5Error as e:
+if e.args[0] not in errors_to_retry:
+raise
+root_logger.debug(Attempt %d/%d: failed: %s
+ % (attempt, attempts, e))
+if attempt == attempts:
+root_logger.debug(Maximum number of attempts (%d) reached
+ % attempts)
+raise
+
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 04/09/2015 03:38 PM, Jan Cholasta wrote:
Some comments:
Patch 15:
1) The functions should be as similar as possible:
a) kinit_password() should have a 'ccache_path' argument instead of
passing the path in KRB5CCNAME in the 'env' argument.
b) I don't think kinit_password() should have the 'env' argument at
all. You can always call kinit with LC_ALL=C and set other variables in
os.environ if you want.
c) The arguments should have the same ordering.
d) Either set KRB5CCNAME in both kinit_keytab() and
kinit_password() or in none of them.
e) Either rename armor_ccache to armor_ccache_path or ccache_path
to ccache.
I have done some reordering of parameters in both functions so they are
very similar now and the parameter ordering should make more sense (at
least to me).
Neither of them sets KRB5CCNAME env. variable since I think that it is
not a very good practice and the developer should be responsible for
pointing to correct CCache path. Jan agrees with this and the other
patches are updated accordingly.
2) Space before comma in docstring:
+Given a ccache_path , keytab file and a principal kinit as that user.
3) I would prefer if the default value of 'armor_ccache' in
kinit_password() was None.
Fixed.
Patch 16:
1) The callback should not be named 'validate_kinit_attempts_option',
but rather 'kinit_attempts_callback', as it doesn't just validate the
value.
Fixed.
2) Why is there the sys.maxint upper bound on --kinit-attempts again? A
comment with explanation would be nice.
It actually doesn't make much sense to have such upper bound, so I have
removed it from the check and updated the error message accordingly.
Patch 17:
1) Is there a reason for the ccache filename changes in DNSSEC code?
That was Petr Spacek's request since a sane naming of persistent Ccaches
makes debugging of Kerberos-related errors a bit easier for him.
Attaching updated patches.
--
Martin^3 Babinsky
From 6c3e15f121e78e7c0c85ed4f1e167f88eeecc5ee Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 16 Mar 2015 16:28:54 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising Krb5Error.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 72 +++-
1 file changed, 55 insertions(+), 17 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 6a06a8e956552597dfd48128b60a1dd6a4cc92f6..963ede59469e41d678e7b12f46ff94c1b53acfdc 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1185,27 +1185,65 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(principal, keytab, ccache_path, attempts=1):
+
+Given a ccache_path, keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted in case of non-responsive KDC.
-Given a ccache directory and a principal kinit as that user.
+errors_to_retry = {krbV.KRB5KDC_ERR_SVC_UNAVAILABLE,
+ krbV.KRB5_KDC_UNREACH}
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+root_logger.debug(using ccache path %s % ccache_path)
+for attempt in range(1, attempts + 1):
+try:
+krbcontext = krbV.default_context()
+ktab = krbV.Keytab(name=keytab, context=krbcontext)
+princ = krbV.Principal(name=principal, context=krbcontext)
+ccache = krbV.CCache(name=ccache_path, context=krbcontext,
+ primary_principal=princ)
+ccache.init(princ)
+ccache.init_creds_keytab(keytab=ktab, principal=princ)
+root_logger.debug(Attempt %d/%d: success
+ % (attempt, attempts))
+return
+except krbV.Krb5Error as e:
+if e.args[0] not in errors_to_retry:
+raise
+root_logger.debug(Attempt %d/%d: failed: %s
+ % (attempt, attempts, e))
+if attempt == attempts:
+root_logger.debug(Maximum number of attempts (%d) reached
+ % attempts)
+raise
+root_logger.debug(Waiting 5 seconds before next retry)
+time.sleep(5)
-This blindly overwrites the current CCNAME so if you need to save
-it do so before calling this function.
-Thus far this is used to kinit as the local host.
+def kinit_password(principal, password, ccache_path,
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On Thu, 2015-04-09 at 15:38 +0200, Jan Cholasta wrote: Dne 9.4.2015 v 14:41 Simo Sorce napsal(a): On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: On 03/23/2015 03:13 PM, Simo Sorce wrote: On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: On 23.3.2015 14:08, Simo Sorce wrote: On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: On 03/17/2015 06:00 PM, Simo Sorce wrote: On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. I have taken a look at the logs attached to the original BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). In ipaclient-install.log the kinit error is: Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial credentials which can be translated to krbV.KRB5_KDC_UNREACH error. However, krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors which are seemingly unrelated to the root cause (kinit timing out on getting host TGT). Thus I'm not quite sure which errors should we chceck against in this case, anyone care to advise? These are potential candidates: KRB5KDC_ERR_SVC_UNAVAILABLE, A service is not available that is required to process the request KRB5KRB_ERR_RESPONSE_TOO_BIG,Response too big for UDP, retry with TCP KRB5_REALM_UNKNOWN, Cannot find KDC for requested realm KRB5_KDC_UNREACH,Cannot contact any KDC for requested realm The only ones that you should retry on, at first glance are KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it should be handled automatically by the library, and if you get KRB5_REALM_UNKNOWN I do not think that retrying will make any difference. I might be wrong but I was under the impression that this feature was also for workarounding replication delay - service is not available / key is not present / something like that. (This could happen if host/principal was added to one server but then the client connected to another server or so.) If we have that problem we should instead use a temporary krb5.conf file that lists explicitly only the server we are joining. Simo. This is already done since ipa-3-0: by default only one server/KDC is used during client install so there are actually no problems with replication delay, only with KDC timeouts. Anyway I'm sending updated patches. LGTM! Simo. Some comments: Patch 15: 1) The functions should be as similar as possible: a) kinit_password() should have a 'ccache_path' argument instead of passing the path in KRB5CCNAME in
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Dne 9.4.2015 v 14:41 Simo Sorce napsal(a): On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: On 03/23/2015 03:13 PM, Simo Sorce wrote: On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: On 23.3.2015 14:08, Simo Sorce wrote: On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: On 03/17/2015 06:00 PM, Simo Sorce wrote: On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. I have taken a look at the logs attached to the original BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). In ipaclient-install.log the kinit error is: Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial credentials which can be translated to krbV.KRB5_KDC_UNREACH error. However, krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors which are seemingly unrelated to the root cause (kinit timing out on getting host TGT). Thus I'm not quite sure which errors should we chceck against in this case, anyone care to advise? These are potential candidates: KRB5KDC_ERR_SVC_UNAVAILABLE, A service is not available that is required to process the request KRB5KRB_ERR_RESPONSE_TOO_BIG,Response too big for UDP, retry with TCP KRB5_REALM_UNKNOWN, Cannot find KDC for requested realm KRB5_KDC_UNREACH,Cannot contact any KDC for requested realm The only ones that you should retry on, at first glance are KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it should be handled automatically by the library, and if you get KRB5_REALM_UNKNOWN I do not think that retrying will make any difference. I might be wrong but I was under the impression that this feature was also for workarounding replication delay - service is not available / key is not present / something like that. (This could happen if host/principal was added to one server but then the client connected to another server or so.) If we have that problem we should instead use a temporary krb5.conf file that lists explicitly only the server we are joining. Simo. This is already done since ipa-3-0: by default only one server/KDC is used during client install so there are actually no problems with replication delay, only with KDC timeouts. Anyway I'm sending updated patches. LGTM! Simo. Some comments: Patch 15: 1) The functions should be as similar as possible: a) kinit_password() should have a 'ccache_path' argument instead of passing the path in KRB5CCNAME in the 'env' argument. b) I don't think kinit_password() should have the 'env' argument at all. You can always call kinit with LC_ALL=C and set other variables in os.environ if you want. c) The arguments should have the same ordering. d) Either set KRB5CCNAME in both
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On Wed, 2015-03-25 at 11:52 +0100, Martin Babinsky wrote: On 03/23/2015 03:13 PM, Simo Sorce wrote: On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: On 23.3.2015 14:08, Simo Sorce wrote: On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: On 03/17/2015 06:00 PM, Simo Sorce wrote: On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. I have taken a look at the logs attached to the original BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). In ipaclient-install.log the kinit error is: Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial credentials which can be translated to krbV.KRB5_KDC_UNREACH error. However, krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors which are seemingly unrelated to the root cause (kinit timing out on getting host TGT). Thus I'm not quite sure which errors should we chceck against in this case, anyone care to advise? These are potential candidates: KRB5KDC_ERR_SVC_UNAVAILABLE, A service is not available that is required to process the request KRB5KRB_ERR_RESPONSE_TOO_BIG,Response too big for UDP, retry with TCP KRB5_REALM_UNKNOWN, Cannot find KDC for requested realm KRB5_KDC_UNREACH,Cannot contact any KDC for requested realm The only ones that you should retry on, at first glance are KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it should be handled automatically by the library, and if you get KRB5_REALM_UNKNOWN I do not think that retrying will make any difference. I might be wrong but I was under the impression that this feature was also for workarounding replication delay - service is not available / key is not present / something like that. (This could happen if host/principal was added to one server but then the client connected to another server or so.) If we have that problem we should instead use a temporary krb5.conf file that lists explicitly only the server we are joining. Simo. This is already done since ipa-3-0: by default only one server/KDC is used during client install so there are actually no problems with replication delay, only with KDC timeouts. Anyway I'm sending updated patches. LGTM! Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 03/23/2015 03:13 PM, Simo Sorce wrote: On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: On 23.3.2015 14:08, Simo Sorce wrote: On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: On 03/17/2015 06:00 PM, Simo Sorce wrote: On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. I have taken a look at the logs attached to the original BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). In ipaclient-install.log the kinit error is: Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial credentials which can be translated to krbV.KRB5_KDC_UNREACH error. However, krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors which are seemingly unrelated to the root cause (kinit timing out on getting host TGT). Thus I'm not quite sure which errors should we chceck against in this case, anyone care to advise? These are potential candidates: KRB5KDC_ERR_SVC_UNAVAILABLE, A service is not available that is required to process the request KRB5KRB_ERR_RESPONSE_TOO_BIG,Response too big for UDP, retry with TCP KRB5_REALM_UNKNOWN, Cannot find KDC for requested realm KRB5_KDC_UNREACH,Cannot contact any KDC for requested realm The only ones that you should retry on, at first glance are KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it should be handled automatically by the library, and if you get KRB5_REALM_UNKNOWN I do not think that retrying will make any difference. I might be wrong but I was under the impression that this feature was also for workarounding replication delay - service is not available / key is not present / something like that. (This could happen if host/principal was added to one server but then the client connected to another server or so.) If we have that problem we should instead use a temporary krb5.conf file that lists explicitly only the server we are joining. Simo. This is already done since ipa-3-0: by default only one server/KDC is used during client install so there are actually no problems with replication delay, only with KDC timeouts. Anyway I'm sending updated patches. -- Martin^3 Babinsky From a3ff82d4ec311b056470905145f9d95f1c679c89 Mon Sep 17 00:00:00 2001 From: Martin Babinsky mbabi...@redhat.com Date: Mon, 16 Mar 2015 16:28:54 +0100 Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using keytab file. Function is also able to repeat authentication multiple times when KDC is unreachable for some reason. kinit_password wraps kinit auth using password and also supports FAST authentication using httpd armor ccache. --- ipapython/ipautil.py | 67
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 23.3.2015 14:08, Simo Sorce wrote: On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: On 03/17/2015 06:00 PM, Simo Sorce wrote: On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. I have taken a look at the logs attached to the original BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). In ipaclient-install.log the kinit error is: Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial credentials which can be translated to krbV.KRB5_KDC_UNREACH error. However, krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors which are seemingly unrelated to the root cause (kinit timing out on getting host TGT). Thus I'm not quite sure which errors should we chceck against in this case, anyone care to advise? These are potential candidates: KRB5KDC_ERR_SVC_UNAVAILABLE, A service is not available that is required to process the request KRB5KRB_ERR_RESPONSE_TOO_BIG,Response too big for UDP, retry with TCP KRB5_REALM_UNKNOWN, Cannot find KDC for requested realm KRB5_KDC_UNREACH,Cannot contact any KDC for requested realm The only ones that you should retry on, at first glance are KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it should be handled automatically by the library, and if you get KRB5_REALM_UNKNOWN I do not think that retrying will make any difference. I might be wrong but I was under the impression that this feature was also for workarounding replication delay - service is not available / key is not present / something like that. (This could happen if host/principal was added to one server but then the client connected to another server or so.) -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: On 03/17/2015 06:00 PM, Simo Sorce wrote: On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. I have taken a look at the logs attached to the original BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). In ipaclient-install.log the kinit error is: Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial credentials which can be translated to krbV.KRB5_KDC_UNREACH error. However, krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors which are seemingly unrelated to the root cause (kinit timing out on getting host TGT). Thus I'm not quite sure which errors should we chceck against in this case, anyone care to advise? These are potential candidates: KRB5KDC_ERR_SVC_UNAVAILABLE, A service is not available that is required to process the request KRB5KRB_ERR_RESPONSE_TOO_BIG,Response too big for UDP, retry with TCP KRB5_REALM_UNKNOWN, Cannot find KDC for requested realm KRB5_KDC_UNREACH,Cannot contact any KDC for requested realm The only ones that you should retry on, at first glance are KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it should be handled automatically by the library, and if you get KRB5_REALM_UNKNOWN I do not think that retrying will make any difference. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 03/17/2015 06:00 PM, Simo Sorce wrote: On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. I have taken a look at the logs attached to the original BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). In ipaclient-install.log the kinit error is: Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial credentials which can be translated to krbV.KRB5_KDC_UNREACH error. However, krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors which are seemingly unrelated to the root cause (kinit timing out on getting host TGT). Thus I'm not quite sure which errors should we chceck against in this case, anyone care to advise? These are potential candidates: KRB5KDC_ERR_SVC_UNAVAILABLE, A service is not available that is required to process the request KRB5KRB_ERR_RESPONSE_TOO_BIG,Response too big for UDP, retry with TCP KRB5_REALM_UNKNOWN, Cannot find KDC for requested realm KRB5_KDC_UNREACH,Cannot contact any KDC for requested realm -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On Mon, 2015-03-23 at 14:22 +0100, Petr Spacek wrote: On 23.3.2015 14:08, Simo Sorce wrote: On Mon, 2015-03-23 at 12:48 +0100, Martin Babinsky wrote: On 03/17/2015 06:00 PM, Simo Sorce wrote: On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. I have taken a look at the logs attached to the original BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1161722). In ipaclient-install.log the kinit error is: Cannot contact any KDC for realm 'ITW.USPTO.GOV' while getting initial credentials which can be translated to krbV.KRB5_KDC_UNREACH error. However, krb5kdc.log (http://pastebin.test.redhat.com/271394) reports errors which are seemingly unrelated to the root cause (kinit timing out on getting host TGT). Thus I'm not quite sure which errors should we chceck against in this case, anyone care to advise? These are potential candidates: KRB5KDC_ERR_SVC_UNAVAILABLE, A service is not available that is required to process the request KRB5KRB_ERR_RESPONSE_TOO_BIG,Response too big for UDP, retry with TCP KRB5_REALM_UNKNOWN, Cannot find KDC for requested realm KRB5_KDC_UNREACH,Cannot contact any KDC for requested realm The only ones that you should retry on, at first glance are KRB5_KDC_UNREACH, KRB5KDC_ERR_SVC_UNAVAILABLE. You should never see KRB5KRB_ERR_RESPONSE_TOO_BIG in the script as it should be handled automatically by the library, and if you get KRB5_REALM_UNKNOWN I do not think that retrying will make any difference. I might be wrong but I was under the impression that this feature was also for workarounding replication delay - service is not available / key is not present / something like that. (This could happen if host/principal was added to one server but then the client connected to another server or so.) If we have that problem we should instead use a temporary krb5.conf file that lists explicitly only the server we are joining. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 16.3.2015 17:20, Martin Babinsky wrote:
On 03/16/2015 01:35 PM, Jan Cholasta wrote:
Dne 16.3.2015 v 13:30 Martin Babinsky napsal(a):
On 03/16/2015 12:15 PM, Martin Kosek wrote:
On 03/13/2015 05:37 PM, Martin Babinsky wrote:
Attaching the next iteration of patches.
Very good! I hopefully have last two nitpicks :-) See below.
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index
4116d974e620341119b56fad3cff1bda48af3bab..cd03e9fd17b60b8b7324d0ccd436a10f7556baf0
100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1175,27 +1175,61 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(keytab, ccache_path, principal, attempts=1):
-Given a ccache directory and a principal kinit as that user.
+Given a ccache_path , keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted before giving up and raising
+StandardError.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
+This function is also not thread-safe since it modifies environment
+variables.
+
Thus far this is used to kinit as the local host.
This note can be deleted because it is used elsewhere too.
-try:
-ccache_file = 'FILE:%s/ccache' % ccachedir
-krbcontext = krbV.default_context()
-ktab = krbV.Keytab(name=keytab, context=krbcontext)
-princ = krbV.Principal(name=principal, context=krbcontext)
-os.environ['KRB5CCNAME'] = ccache_file
-ccache = krbV.CCache(name=ccache_file, context=krbcontext,
primary_principal=princ)
-ccache.init(princ)
-ccache.init_creds_keytab(keytab=ktab, principal=princ)
-return ccache_file
-except krbV.Krb5Error, e:
-raise StandardError('Error initializing principal %s in %s: %s' %
(principal, keytab, str(e)))
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
I'm sorry for nitpicking but it would be nice to log ccache_file too. Krb5
libs return quite weird errors when CC cache is not accessible so it helps to
have the path at hand.
--
Petr^2 Spacek
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 03/17/2015 12:09 PM, Petr Spacek wrote:
On 16.3.2015 17:20, Martin Babinsky wrote:
On 03/16/2015 01:35 PM, Jan Cholasta wrote:
Dne 16.3.2015 v 13:30 Martin Babinsky napsal(a):
On 03/16/2015 12:15 PM, Martin Kosek wrote:
On 03/13/2015 05:37 PM, Martin Babinsky wrote:
Attaching the next iteration of patches.
Very good! I hopefully have last two nitpicks :-) See below.
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index
4116d974e620341119b56fad3cff1bda48af3bab..cd03e9fd17b60b8b7324d0ccd436a10f7556baf0
100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1175,27 +1175,61 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(keytab, ccache_path, principal, attempts=1):
-Given a ccache directory and a principal kinit as that user.
+Given a ccache_path , keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted before giving up and raising
+StandardError.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
+This function is also not thread-safe since it modifies environment
+variables.
+
Thus far this is used to kinit as the local host.
This note can be deleted because it is used elsewhere too.
-try:
-ccache_file = 'FILE:%s/ccache' % ccachedir
-krbcontext = krbV.default_context()
-ktab = krbV.Keytab(name=keytab, context=krbcontext)
-princ = krbV.Principal(name=principal, context=krbcontext)
-os.environ['KRB5CCNAME'] = ccache_file
-ccache = krbV.CCache(name=ccache_file, context=krbcontext,
primary_principal=princ)
-ccache.init(princ)
-ccache.init_creds_keytab(keytab=ktab, principal=princ)
-return ccache_file
-except krbV.Krb5Error, e:
-raise StandardError('Error initializing principal %s in %s: %s' %
(principal, keytab, str(e)))
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
I'm sorry for nitpicking but it would be nice to log ccache_file too. Krb5
libs return quite weird errors when CC cache is not accessible so it helps to
have the path at hand.
Attaching updated patches.
--
Martin^3 Babinsky
From 5888e5924c8b6aac30a8a893b9d0045545773ceb Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 16 Mar 2015 16:28:54 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising Krb5Error.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 62 +++-
1 file changed, 47 insertions(+), 15 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 6a06a8e956552597dfd48128b60a1dd6a4cc92f6..212f39d7e77eaa1c9655e06b2758e173e0bd9a42 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1185,27 +1185,59 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(keytab, ccache_path, principal, attempts=1):
-Given a ccache directory and a principal kinit as that user.
+Given a ccache_path , keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted before giving up and raising Krb5Error.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
-Thus far this is used to kinit as the local host.
+This function is also not thread-safe since it modifies environment
+variables.
-try:
-ccache_file = 'FILE:%s/ccache' % ccachedir
-krbcontext = krbV.default_context()
-ktab = krbV.Keytab(name=keytab, context=krbcontext)
-princ = krbV.Principal(name=principal, context=krbcontext)
-os.environ['KRB5CCNAME'] = ccache_file
-ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=princ)
-ccache.init(princ)
-ccache.init_creds_keytab(keytab=ktab, principal=princ)
-return ccache_file
-except krbV.Krb5Error, e:
-raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+root_logger.debug(using ccache path %s % ccache_path)
+for attempt in range(1, attempts +
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On Mon, 2015-03-16 at 13:30 +0100, Martin Babinsky wrote: On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? Are you retrying on any error ? Please do *not* do that, if you retry many times on an error that indicates the password is wrong you may end up locking an administrative account. If you want to retry you should do it only for very specific timeout errors. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Dne 16.3.2015 v 13:30 Martin Babinsky napsal(a): On 03/16/2015 12:15 PM, Martin Kosek wrote: On 03/13/2015 05:37 PM, Martin Babinsky wrote: Attaching the next iteration of patches. I have tried my best to reword the ipa-client-install man page bit about the new option. Any suggestions to further improve it are welcome. I have also slightly modified the 'kinit_keytab' function so that in Kerberos errors are reported for each attempt and the text of the last error is retained when finally raising exception. The approach looks very good. I think that my only concern with this patch is this part: +ccache.init_creds_keytab(keytab=ktab, principal=princ) ... +except krbV.Krb5Error as e: +last_exc = str(e) +root_logger.debug(Attempt %d/%d: failed: %s + % (attempt, attempts, last_exc)) +time.sleep(1) + +root_logger.debug(Maximum number of attempts (%d) reached + % attempts) +raise StandardError(Error initializing principal %s: %s +% (principal, last_exc)) The problem here is that this function will raise the super-generic StandardError instead of the proper with all the context and information about the error that the caller can then process. I think that except krbV.Krb5Error as e: if attempt == max_attempts: log something raise would be better. Yes that seems reasonable. I'm just thinking whether we should re-raise Krb5Error or raise ipalib.errors.KerberosError? the latter options makes more sense to me as we would not have to additionally import Krb5Error everywhere and it would also make the resulting errors more consistent. I am thinking about someting like this: except krbV.Krb5Error as e: if attempt == attempts: # log that we have reaches maximum number of attempts raise KerberosError(minor=str(e)) What do you think? NACK, don't use ipalib from ipapython in new code, we are trying to get rid of this circular dependency. Krb5Error is OK in this case. -- Jan Cholasta -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 03/11/2015 12:42 PM, Petr Spacek wrote:
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index
d6bc955b9d9910a24eec5df1def579310eb54786..36f16908ac8477d9982bfee613b77576853054eb
100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -958,8 +958,8 @@ class login_password(Backend, KerberosSession, HTTP_Status):
def kinit(self, user, realm, password, ccache_name):
# get http service ccache as an armor for FAST to enable OTP
authentication
-armor_principal = krb5_format_service_principal_name(
-'HTTP', self.api.env.host, realm)
+armor_principal = str(krb5_format_service_principal_name(
+'HTTP', self.api.env.host, realm))
keytab = paths.IPA_KEYTAB
armor_name = %sA_%s % (krbccache_prefix, user)
armor_path = os.path.join(krbccache_dir, armor_name)
@@ -967,34 +967,33 @@ class login_password(Backend, KerberosSession,
HTTP_Status):
self.debug('Obtaining armor ccache: principal=%s keytab=%s ccache=%s',
armor_principal, keytab, armor_path)
-(stdout, stderr, returncode) = ipautil.run(
-[paths.KINIT, '-kt', keytab, armor_principal],
-env={'KRB5CCNAME': armor_path}, raiseonerr=False)
-
-if returncode != 0:
-raise CCacheError()
+try:
+ipautil.kinit_keytab(paths.IPA_KEYTAB, armor_path,
+ armor_principal)
+except StandardError, e:
+raise CCacheError(str(e))
# Format the user as a kerberos principal
principal = krb5_format_principal_name(user, realm)
-(stdout, stderr, returncode) = ipautil.run(
-[paths.KINIT, principal, '-T', armor_path],
-env={'KRB5CCNAME': ccache_name, 'LC_ALL': 'C'},
-stdin=password, raiseonerr=False)
+try:
+ipautil.kinit_password(principal, password,
+ env={'KRB5CCNAME': ccache_name,
+'LC_ALL': 'C'},
+ armor_ccache=armor_path)
-self.debug('kinit: principal=%s returncode=%s, stderr=%s',
- principal, returncode, stderr)
-
-self.debug('Cleanup the armor ccache')
-ipautil.run(
-[paths.KDESTROY, '-A', '-c', armor_path],
-env={'KRB5CCNAME': armor_path},
-raiseonerr=False)
-
-if returncode != 0:
-if stderr.strip() == 'kinit: Cannot read password while getting
initial credentials':
-raise PasswordExpired(principal=principal,
message=unicode(stderr))
-raise InvalidSessionPassword(principal=principal,
message=unicode(stderr))
+self.debug('Cleanup the armor ccache')
+ipautil.run(
+[paths.KDESTROY, '-A', '-c', armor_path],
+env={'KRB5CCNAME': armor_path},
+raiseonerr=False)
+except ipautil.CalledProcessError, e:
+if ('kinit: Cannot read password while '
+'getting initial credentials') in e.output:
I know it is not your code but please make sure it will work with non-English
LANG or LC_MESSAGE.
I have done some research about the way the environmental variables line
LC_MESSAGE, LC_ALL, etc. work,
(https://www.gnu.org/software/gettext/manual/gettext.html#Locale-Names
and the following section).
It turns out that the CalledProcessError handling code will work also in
non-english environment, because in the following code snippet, kinit is
actually run using LC_ALL=C environment variable effectively disabling
any localization and forcing the program to print out default (i.e.
english) error messages.
+try:
+ipautil.kinit_password(principal, password,
+ env={'KRB5CCNAME': ccache_name,
+'LC_ALL': 'C'},
+ armor_ccache=armor_path)
Thus when handling the exception, we may be sure that any error message
returned by above is in default locale. This greatly simplifies the
logic deciding what exception to raise further based on the error message.
+except ipautil.CalledProcessError, e:
+if ('kinit: Cannot read password while '
+'getting initial credentials') in e.output:
A very clever move by Nathaniel (according to git blame) to circumvent
the locale-specific behavior when it's actualy not needed.
--
Martin^3 Babinsky
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On Wed, 2015-03-11 at 12:42 +0100, Petr Spacek wrote: I would like to see new code compatible with Python 3. Here I'm not sure what is the generic solution for xrange but in this particular case I would recommend you to use just range. Attempts variable should have small values so the x/range differences do not matter here. To be honest, I do not think we should care for this code specifically. The move to Python3 will require python-krbV code to be completely removed, and we should use python-gssapi instead. I will help with the how do I kinit part once we can do that. Now, I do not know if it is worth NACKing this patch in that sense, or letting it through, it depends on whether we want to be able to backport this specific fix or whether it is ok to have it only available on python-gssapi capable machines. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Attaching the next iteration of patches.
I have tried my best to reword the ipa-client-install man page bit about
the new option. Any suggestions to further improve it are welcome.
I have also slightly modified the 'kinit_keytab' function so that in
Kerberos errors are reported for each attempt and the text of the last
error is retained when finally raising exception.
--
Martin^3 Babinsky
From b6e0b91e27f041eedca4995e2ee09311d48e7168 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Fri, 13 Mar 2015 16:38:02 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising StandardError.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 65 +---
1 file changed, 51 insertions(+), 14 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 4116d974e620341119b56fad3cff1bda48af3bab..7f2ca6f341907642e7acab87c89d7d46214a5646 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1175,27 +1175,64 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(keytab, ccache_path, principal, attempts=1):
-Given a ccache directory and a principal kinit as that user.
+Given a ccache_path , keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted before giving up and raising
+StandardError.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
+This function is also not thread-safe since it modifies environment
+variables.
+
Thus far this is used to kinit as the local host.
-try:
-ccache_file = 'FILE:%s/ccache' % ccachedir
-krbcontext = krbV.default_context()
-ktab = krbV.Keytab(name=keytab, context=krbcontext)
-princ = krbV.Principal(name=principal, context=krbcontext)
-os.environ['KRB5CCNAME'] = ccache_file
-ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=princ)
-ccache.init(princ)
-ccache.init_creds_keytab(keytab=ktab, principal=princ)
-return ccache_file
-except krbV.Krb5Error, e:
-raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+last_exc =
+for attempt in range(1, attempts + 1):
+try:
+krbcontext = krbV.default_context()
+ktab = krbV.Keytab(name=keytab, context=krbcontext)
+princ = krbV.Principal(name=principal, context=krbcontext)
+os.environ['KRB5CCNAME'] = ccache_path
+ccache = krbV.CCache(name=ccache_path, context=krbcontext,
+ primary_principal=princ)
+ccache.init(princ)
+ccache.init_creds_keytab(keytab=ktab, principal=princ)
+root_logger.debug(Attempt %d/%d: success
+ % (attempt, attempts))
+return
+except krbV.Krb5Error as e:
+last_exc = str(e)
+root_logger.debug(Attempt %d/%d: failed: %s
+ % (attempt, attempts, last_exc))
+time.sleep(1)
+
+root_logger.debug(Maximum number of attempts (%d) reached
+ % attempts)
+raise StandardError(Error initializing principal %s: %s
+% (principal, last_exc))
+
+
+def kinit_password(principal, password, env={}, armor_ccache=):
+perform interactive kinit as principal using password. Additional
+enviroment variables can be specified using env. If using FAST for
+web-based authentication, use armor_ccache to specify http service ccache.
+
+root_logger.debug(Initializing principal %s using password % principal)
+args = [paths.KINIT, principal]
+if armor_ccache:
+root_logger.debug(Using armor ccache %s for FAST webauth
+ % armor_ccache)
+args.extend(['-T', armor_ccache])
+run(args, env=env, stdin=password)
+
def dn_attribute_property(private_name):
'''
--
2.1.0
From 74fd74fdeeb746e4d6bebdc459d4401a63279b78 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Fri, 13 Mar 2015 16:39:05 +0100
Subject: [PATCH 2/3] ipa-client-install: try to get host TGT several times
before giving up
New option '--kinit-attempts' enables the host to make multiple attempts to
obtain TGT from KDC before giving up
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Actually, now that I think about it, I will try to address some of your
comments:
On 03/11/2015 12:42 PM, Petr Spacek wrote:
Hello Martin^3,
good work, we are almost there! Please see my nitpicks in-line.
On 9.3.2015 13:06, Martin Babinsky wrote:
On 03/06/2015 01:05 PM, Martin Babinsky wrote:
This series of patches for the master/4.1 branch attempts to implement
some of the Rob's and Petr Vobornik's ideas which originated from a
discussion on this list regarding my original patch fixing
https://fedorahosted.org/freeipa/ticket/4808.
I suppose that these patches are just a first iteration, we may further
discuss if this is the right thing to do.
Below is a quote from the original discussion just to get the context:
The next iteration of patches is attached below. Thanks to jcholast and
pvoborni for the comments and insights.
--
Martin^3 Babinsky
freeipa-mbabinsk-0015-2-ipautil-new-functions-kinit_keytab-and-kinit_passwor.patch
From 97e4eed332391bab7a12dc593152e369f347fd3c Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 9 Mar 2015 12:53:10 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising StandardError.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 60
1 file changed, 46 insertions(+), 14 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index
4116d974e620341119b56fad3cff1bda48af3bab..4547165ccf24ff6edf5c65e756aa321aa34b9e61
100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1175,27 +1175,59 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(keytab, ccache_path, principal, attempts=1):
-Given a ccache directory and a principal kinit as that user.
+Given a ccache_path , keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted before giving up and raising
+StandardError.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
Thus far this is used to kinit as the local host.
-try:
-ccache_file = 'FILE:%s/ccache' % ccachedir
-krbcontext = krbV.default_context()
-ktab = krbV.Keytab(name=keytab, context=krbcontext)
-princ = krbV.Principal(name=principal, context=krbcontext)
-os.environ['KRB5CCNAME'] = ccache_file
-ccache = krbV.CCache(name=ccache_file, context=krbcontext,
primary_principal=princ)
-ccache.init(princ)
-ccache.init_creds_keytab(keytab=ktab, principal=princ)
-return ccache_file
-except krbV.Krb5Error, e:
-raise StandardError('Error initializing principal %s in %s: %s' %
(principal, keytab, str(e)))
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+for attempt in xrange(attempts):
I would like to see new code compatible with Python 3. Here I'm not sure what
is the generic solution for xrange but in this particular case I would
recommend you to use just range. Attempts variable should have small values so
the x/range differences do not matter here.
+try:
+krbcontext = krbV.default_context()
+ktab = krbV.Keytab(name=keytab, context=krbcontext)
+princ = krbV.Principal(name=principal, context=krbcontext)
+os.environ['KRB5CCNAME'] = ccache_path
This is a bit scary, especially when it comes to multi-threaded execution. If
it is really necessary please add comment that this method is not thread-safe.
So far this function is used in various installers/uninstallers/restart
scripts, so I'm not quite sure if there is even some multithreaded
thingy going on there (I have never done multithreaded programming so I
don't know, someone with more experience can comment on this). I will,
however, add the warning to the docstring.
+ccache = krbV.CCache(name=ccache_path, context=krbcontext,
+ primary_principal=princ)
+ccache.init(princ)
+ccache.init_creds_keytab(keytab=ktab, principal=princ)
+root_logger.debug(Attempt %d/%d: success
+ % (attempt + 1, attempts))
What about adding + 1 to range boundaries instead of + 1 here and there?
+return
+except krbV.Krb5Error, e:
except ... , ... syntax is not going to work in Python 3. Maybe 'as' would be
better?
AFAIK except ... as ... syntax was added in Python 2.6.
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 03/11/2015 12:42 PM, Petr Spacek wrote:
Hello Martin^3,
good work, we are almost there! Please see my nitpicks in-line.
On 9.3.2015 13:06, Martin Babinsky wrote:
On 03/06/2015 01:05 PM, Martin Babinsky wrote:
This series of patches for the master/4.1 branch attempts to implement
some of the Rob's and Petr Vobornik's ideas which originated from a
discussion on this list regarding my original patch fixing
https://fedorahosted.org/freeipa/ticket/4808.
I suppose that these patches are just a first iteration, we may further
discuss if this is the right thing to do.
Below is a quote from the original discussion just to get the context:
The next iteration of patches is attached below. Thanks to jcholast and
pvoborni for the comments and insights.
--
Martin^3 Babinsky
freeipa-mbabinsk-0015-2-ipautil-new-functions-kinit_keytab-and-kinit_passwor.patch
From 97e4eed332391bab7a12dc593152e369f347fd3c Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 9 Mar 2015 12:53:10 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising StandardError.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 60
1 file changed, 46 insertions(+), 14 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index
4116d974e620341119b56fad3cff1bda48af3bab..4547165ccf24ff6edf5c65e756aa321aa34b9e61
100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1175,27 +1175,59 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(keytab, ccache_path, principal, attempts=1):
-Given a ccache directory and a principal kinit as that user.
+Given a ccache_path , keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted before giving up and raising
+StandardError.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
Thus far this is used to kinit as the local host.
-try:
-ccache_file = 'FILE:%s/ccache' % ccachedir
-krbcontext = krbV.default_context()
-ktab = krbV.Keytab(name=keytab, context=krbcontext)
-princ = krbV.Principal(name=principal, context=krbcontext)
-os.environ['KRB5CCNAME'] = ccache_file
-ccache = krbV.CCache(name=ccache_file, context=krbcontext,
primary_principal=princ)
-ccache.init(princ)
-ccache.init_creds_keytab(keytab=ktab, principal=princ)
-return ccache_file
-except krbV.Krb5Error, e:
-raise StandardError('Error initializing principal %s in %s: %s' %
(principal, keytab, str(e)))
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+for attempt in xrange(attempts):
I would like to see new code compatible with Python 3. Here I'm not sure what
is the generic solution for xrange but in this particular case I would
recommend you to use just range. Attempts variable should have small values so
the x/range differences do not matter here.
+try:
+krbcontext = krbV.default_context()
+ktab = krbV.Keytab(name=keytab, context=krbcontext)
+princ = krbV.Principal(name=principal, context=krbcontext)
+os.environ['KRB5CCNAME'] = ccache_path
This is a bit scary, especially when it comes to multi-threaded execution. If
it is really necessary please add comment that this method is not thread-safe.
+ccache = krbV.CCache(name=ccache_path, context=krbcontext,
+ primary_principal=princ)
+ccache.init(princ)
+ccache.init_creds_keytab(keytab=ktab, principal=princ)
+root_logger.debug(Attempt %d/%d: success
+ % (attempt + 1, attempts))
What about adding + 1 to range boundaries instead of + 1 here and there?
+return
+except krbV.Krb5Error, e:
except ... , ... syntax is not going to work in Python 3. Maybe 'as' would be
better?
+root_logger.debug(Attempt %d/%d: failed
+ % (attempt + 1, attempts))
+time.sleep(1)
+
+root_logger.debug(Maximum number of attempts (%d) reached
+ % attempts)
+raise StandardError(Error initializing principal %s: %s
+% (principal, str(e)))
+
+
+def kinit_password(principal, password, env={}, armor_ccache=):
+perform interactive kinit as principal using
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
Hello Martin^3,
good work, we are almost there! Please see my nitpicks in-line.
On 9.3.2015 13:06, Martin Babinsky wrote:
On 03/06/2015 01:05 PM, Martin Babinsky wrote:
This series of patches for the master/4.1 branch attempts to implement
some of the Rob's and Petr Vobornik's ideas which originated from a
discussion on this list regarding my original patch fixing
https://fedorahosted.org/freeipa/ticket/4808.
I suppose that these patches are just a first iteration, we may further
discuss if this is the right thing to do.
Below is a quote from the original discussion just to get the context:
The next iteration of patches is attached below. Thanks to jcholast and
pvoborni for the comments and insights.
--
Martin^3 Babinsky
freeipa-mbabinsk-0015-2-ipautil-new-functions-kinit_keytab-and-kinit_passwor.patch
From 97e4eed332391bab7a12dc593152e369f347fd3c Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 9 Mar 2015 12:53:10 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising StandardError.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 60
1 file changed, 46 insertions(+), 14 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index
4116d974e620341119b56fad3cff1bda48af3bab..4547165ccf24ff6edf5c65e756aa321aa34b9e61
100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1175,27 +1175,59 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(keytab, ccache_path, principal, attempts=1):
-Given a ccache directory and a principal kinit as that user.
+Given a ccache_path , keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted before giving up and raising
+StandardError.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
Thus far this is used to kinit as the local host.
-try:
-ccache_file = 'FILE:%s/ccache' % ccachedir
-krbcontext = krbV.default_context()
-ktab = krbV.Keytab(name=keytab, context=krbcontext)
-princ = krbV.Principal(name=principal, context=krbcontext)
-os.environ['KRB5CCNAME'] = ccache_file
-ccache = krbV.CCache(name=ccache_file, context=krbcontext,
primary_principal=princ)
-ccache.init(princ)
-ccache.init_creds_keytab(keytab=ktab, principal=princ)
-return ccache_file
-except krbV.Krb5Error, e:
-raise StandardError('Error initializing principal %s in %s: %s' %
(principal, keytab, str(e)))
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+for attempt in xrange(attempts):
I would like to see new code compatible with Python 3. Here I'm not sure what
is the generic solution for xrange but in this particular case I would
recommend you to use just range. Attempts variable should have small values so
the x/range differences do not matter here.
+try:
+krbcontext = krbV.default_context()
+ktab = krbV.Keytab(name=keytab, context=krbcontext)
+princ = krbV.Principal(name=principal, context=krbcontext)
+os.environ['KRB5CCNAME'] = ccache_path
This is a bit scary, especially when it comes to multi-threaded execution. If
it is really necessary please add comment that this method is not thread-safe.
+ccache = krbV.CCache(name=ccache_path, context=krbcontext,
+ primary_principal=princ)
+ccache.init(princ)
+ccache.init_creds_keytab(keytab=ktab, principal=princ)
+root_logger.debug(Attempt %d/%d: success
+ % (attempt + 1, attempts))
What about adding + 1 to range boundaries instead of + 1 here and there?
+return
+except krbV.Krb5Error, e:
except ... , ... syntax is not going to work in Python 3. Maybe 'as' would be
better?
+root_logger.debug(Attempt %d/%d: failed
+ % (attempt + 1, attempts))
+time.sleep(1)
+
+root_logger.debug(Maximum number of attempts (%d) reached
+ % attempts)
+raise StandardError(Error initializing principal %s: %s
+% (principal, str(e)))
+
+
+def kinit_password(principal, password, env={}, armor_ccache=):
+
Re: [Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 11.3.2015 14:27, Martin Babinsky wrote:
Actually, now that I think about it, I will try to address some of your
comments:
+except krbV.Krb5Error, e:
except ... , ... syntax is not going to work in Python 3. Maybe 'as' would be
better?
AFAIK except ... as ... syntax was added in Python 2.6. Using this syntax can
break older versions of Python. If this is not a concern for us, I will fix
this and use this syntax also in my later patches.
Please see http://www.freeipa.org/page/Python_Coding_Style :-) Python 2.7 is
required anyway.
diff --git a/ipa-client/ipa-install/ipa-client-install
b/ipa-client/ipa-install/ipa-client-install
index
ccaab5536e83b4b6ac60b81132c3455c0af19ae1..c817f9e86dbaa6a2cca7d1a463f53d491fa7badb
100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -91,6 +91,13 @@ def parse_options():
parser.values.ca_cert_file = value
+def validate_kinit_attempts_option(option, opt, value, parser):
+if value 1 or value sys.maxint:
+raise OptionValueError(
+%s option has invalid value %d % (opt, value))
It would be nice if the error message said what is the expected value.
(Expected integer in range 1,%s % sys.maxint)
BTW is it possible to do this using existing option parser? I would expect
some generic support for type=uint or something similar.
OptionParser supports 'type' keywords when adding options, which perform the
neccessary conversions (int(), etc) and validation (see
https://docs.python.org/2/library/optparse.html#optparse-standard-option-types).
However, in this case you still have to manually check for values less that 1
which do not make sense. AFAIK OptionParser has no built-in way to do this.
Okay then.
+
+parser.values.kinit_attempts = value
+
parser = IPAOptionParser(version=version.VERSION)
basic_group = OptionGroup(parser, basic options)
@@ -144,6 +151,11 @@ def parse_options():
help=do not modify the nsswitch.conf and PAM
configuration)
basic_group.add_option(-f, --force, dest=force,
action=store_true,
default=False, help=force setting of LDAP/Kerberos
conf)
+basic_group.add_option('--kinit-attempts', dest='kinit_attempts',
+ action='callback', type='int', default=5,
It would be good to check lockout numbers in default configuration to make
sure that replication delay will not lock the principal.
I'm not sure that I follow, could you be more specific what you mean by this?
KDC and DS will lock account after n failed attempts. See $ ipa pwpolicy-find
to find out the number in your installation (keytab == password).
freeipa-mbabinsk-0017-2-Adopted-kinit_keytab-and-kinit_password-for-kerberos.patch
From 912113529138e5b1bd8357ae6a17376cb5d32759 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 9 Mar 2015 12:54:36 +0100
Subject: [PATCH 3/3] Adopted kinit_keytab and kinit_password for kerberos
auth
---
daemons/dnssec/ipa-dnskeysync-replica | 6 ++-
daemons/dnssec/ipa-dnskeysyncd | 2 +-
daemons/dnssec/ipa-ods-exporter| 5 ++-
.../certmonger/dogtag-ipa-ca-renew-agent-submit| 3 +-
install/restart_scripts/renew_ca_cert | 7 ++--
install/restart_scripts/renew_ra_cert | 4 +-
ipa-client/ipa-install/ipa-client-automount| 9 ++--
ipa-client/ipaclient/ipa_certupdate.py | 3 +-
ipaserver/rpcserver.py | 49
+++---
9 files changed, 47 insertions(+), 41 deletions(-)
diff --git a/daemons/dnssec/ipa-dnskeysync-replica
b/daemons/dnssec/ipa-dnskeysync-replica
index
d04f360e04ee018dcdd1ba9b2ca42b1844617af9..e9cae519202203a10678b7384e5acf748f256427
100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -139,14 +139,16 @@ log.setLevel(level=logging.DEBUG)
# Kerberos initialization
PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
log.debug('Kerberos principal: %s', PRINCIPAL)
-ipautil.kinit_hostprincipal(paths.IPA_DNSKEYSYNCD_KEYTAB, WORKDIR,
PRINCIPAL)
+ccache_filename = os.path.join(WORKDIR, 'ccache')
BTW I really appreciate this patch set! We finally can use more descriptive
names like 'ipa-dnskeysync-replica.ccache' which sometimes make debugging
easier.
Named ccaches seems to be a good idea. I will fix this in all places where the
ccache is somehow persistent (and not deleted after installation).
Thank you!
diff --git a/ipa-client/ipa-install/ipa-client-automount
b/ipa-client/ipa-install/ipa-client-automount
index
7b9e701dead5f50a033a455eb62e30df78cc0249..19197d34ca580062742b3d7363e5dfb2dad0e4de
100755
--- a/ipa-client/ipa-install/ipa-client-automount
+++ b/ipa-client/ipa-install/ipa-client-automount
@@ -425,10 +425,11 @@
[Freeipa-devel] [PATCHES 0015-0017] consolidation of various Kerberos auth methods in FreeIPA code
On 03/06/2015 01:05 PM, Martin Babinsky wrote:
This series of patches for the master/4.1 branch attempts to implement
some of the Rob's and Petr Vobornik's ideas which originated from a
discussion on this list regarding my original patch fixing
https://fedorahosted.org/freeipa/ticket/4808.
I suppose that these patches are just a first iteration, we may further
discuss if this is the right thing to do.
Below is a quote from the original discussion just to get the context:
The next iteration of patches is attached below. Thanks to jcholast and
pvoborni for the comments and insights.
--
Martin^3 Babinsky
From 97e4eed332391bab7a12dc593152e369f347fd3c Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 9 Mar 2015 12:53:10 +0100
Subject: [PATCH 1/3] ipautil: new functions kinit_keytab and kinit_password
kinit_keytab replaces kinit_hostprincipal and performs Kerberos auth using
keytab file. Function is also able to repeat authentication multiple times
before giving up and raising StandardError.
kinit_password wraps kinit auth using password and also supports FAST
authentication using httpd armor ccache.
---
ipapython/ipautil.py | 60
1 file changed, 46 insertions(+), 14 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 4116d974e620341119b56fad3cff1bda48af3bab..4547165ccf24ff6edf5c65e756aa321aa34b9e61 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -1175,27 +1175,59 @@ def wait_for_open_socket(socket_name, timeout=0):
else:
raise e
-def kinit_hostprincipal(keytab, ccachedir, principal):
+
+def kinit_keytab(keytab, ccache_path, principal, attempts=1):
-Given a ccache directory and a principal kinit as that user.
+Given a ccache_path , keytab file and a principal kinit as that user.
+
+The optional parameter 'attempts' specifies how many times the credential
+initialization should be attempted before giving up and raising
+StandardError.
This blindly overwrites the current CCNAME so if you need to save
it do so before calling this function.
Thus far this is used to kinit as the local host.
-try:
-ccache_file = 'FILE:%s/ccache' % ccachedir
-krbcontext = krbV.default_context()
-ktab = krbV.Keytab(name=keytab, context=krbcontext)
-princ = krbV.Principal(name=principal, context=krbcontext)
-os.environ['KRB5CCNAME'] = ccache_file
-ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=princ)
-ccache.init(princ)
-ccache.init_creds_keytab(keytab=ktab, principal=princ)
-return ccache_file
-except krbV.Krb5Error, e:
-raise StandardError('Error initializing principal %s in %s: %s' % (principal, keytab, str(e)))
+root_logger.debug(Initializing principal %s using keytab %s
+ % (principal, keytab))
+for attempt in xrange(attempts):
+try:
+krbcontext = krbV.default_context()
+ktab = krbV.Keytab(name=keytab, context=krbcontext)
+princ = krbV.Principal(name=principal, context=krbcontext)
+os.environ['KRB5CCNAME'] = ccache_path
+ccache = krbV.CCache(name=ccache_path, context=krbcontext,
+ primary_principal=princ)
+ccache.init(princ)
+ccache.init_creds_keytab(keytab=ktab, principal=princ)
+root_logger.debug(Attempt %d/%d: success
+ % (attempt + 1, attempts))
+return
+except krbV.Krb5Error, e:
+root_logger.debug(Attempt %d/%d: failed
+ % (attempt + 1, attempts))
+time.sleep(1)
+
+root_logger.debug(Maximum number of attempts (%d) reached
+ % attempts)
+raise StandardError(Error initializing principal %s: %s
+% (principal, str(e)))
+
+
+def kinit_password(principal, password, env={}, armor_ccache=):
+perform interactive kinit as principal using password. Additional
+enviroment variables can be specified using env. If using FAST for
+web-based authentication, use armor_ccache to specify http service ccache.
+
+root_logger.debug(Initializing principal %s using password % principal)
+args = [paths.KINIT, principal]
+if armor_ccache:
+root_logger.debug(Using armor ccache %s for FAST webauth
+ % armor_ccache)
+args.extend(['-T', armor_ccache])
+run(args, env=env, stdin=password)
+
def dn_attribute_property(private_name):
'''
--
2.1.0
From e438d8a0711b4271d24d7d24e98395503912a1c4 Mon Sep 17 00:00:00 2001
From: Martin Babinsky mbabi...@redhat.com
Date: Mon, 9 Mar 2015 12:53:57 +0100
Subject: [PATCH 2/3] ipa-client-install: try to get host TGT several times
before giving up
New option '--kinit-attempts' enables the host to
