Michael Šimáček <msima...@redhat.com> writes:

> On 2015-08-24 17:49, Simo Sorce wrote:
>> On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:
>>> On 2015-08-24 14:50, Jan Cholasta wrote:
>>>> On 23.8.2015 23:27, Michael Šimáček wrote:
>>>> 3) ipa-adtrust-install fails with:
>>>> admin password:
>>>> Unrecognized error during check of admin rights:
>>>> ad...@abc.idm.lab.eng.brq.redhat.com: user not found
>>>> Apparently there is a "user-show ad...@abc.idm.lab.eng.brq.redhat.com"
>>>> call where a "user-show admin" call should be.
>>> Fixed. python-gssapi has a display_as method that could pull the name
>>> from it, but it doesn't work in current version, therefore using
>>> partition to split on '@'

It's actually a bug in MIT Krb5, as we noted in your bug[0].  So this:

> -        user = api.Command.user_show(unicode(principal[0]))['result']
> +        user = api.Command.user_show(principal.partition('@')[0])['result']

is working around a bug in specific Kerberos versions.  If people are
okay with merging such code, then I guess this is fine; I would
personally not do so because there is not a clear point at which it can
be removed.  At the very least, we should wait until we see what
versions of krb5 MIT is going to fix.

Otherwise, looks good.

[0]: https://github.com/pythongssapi/python-gssapi/issues/79

Attachment: signature.asc
Description: PGP signature

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to