Michael Simacek <msima...@redhat.com> writes:

> This is a first part of my effort to port FreeIPA from Python3-incompatible
> Kerberos libraries to python-gssapi. This patch should replace python-kerberos
> with python-gssapi (both use C GSSAPI behind the scenes).

Okay, Solly and I went through this again, and there might be a problem.

> @@ -548,14 +551,9 @@ class KerbTransport(SSLTransport):
>          service = "HTTP@" + host.split(':')[0]
>  
>          try:
> -            (rc, vc) = kerberos.authGSSClientInit(service=service,
> -                                                  gssflags=self.flags)
> -        except kerberos.GSSError, e:
> -            self._handle_exception(e)
> -
> -        try:
> -            kerberos.authGSSClientStep(vc, "")
> -        except kerberos.GSSError, e:
> +            name = gssapi.Name(service, gssapi.NameType.hostbased_service)
> +            response = gssapi.raw.init_sec_context(name, 
> flags=self.flags).token
> +        except gssapi.exceptions.GSSError as e:
>              self._handle_exception(e, service=service)
>  
>          for (h, v) in extra_headers:
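
Review bot: in the new try block only .token of the gssapi.raw.init_sec_context(...) result is kept, so the security context created by that call is dropped and nothing later in the transport can process a reply token from the server or check that the exchange completed. Keep the returned context (for example on self) alongside the token. Separately, response is bound only inside the try; if _handle_exception ever returns instead of raising, response is unbound when it is used further down, so confirm the handler always raises or initialise response before the try.
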
> @@ -564,7 +562,7 @@ class KerbTransport(SSLTransport):
>                  break
>  
>          extra_headers.append(
> -            ('Authorization', 'negotiate %s' % 
> kerberos.authGSSClientResponse(vc))
> +            ('Authorization', 'negotiate %s' % base64.b64encode(response))
>          )
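
Review bot: on the added Authorization line, base64.b64encode(response) returns bytes under Python 3, so 'negotiate %s' % ... would put the b'...' repr into the header value. Since the stated goal of the patch is Python 3 compatibility, decode the encoded token to ASCII text before formatting it. The hunks shown do not add an import of base64, so check that the module already imports it.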

If you call init_sec_context, the token returned may be an error token,
and the error will be deferred until the next use of the context.  This
behavior can be turned off by setting __DEFER_STEP_ERRORS__ to false on
the class.

More information:
https://pythonhosted.org/gssapi/gssapi.html#gssapi.sec_contexts.SecurityContext.step
