On 24.8.2015 20:29, Robbie Harwood wrote:
Michael Šimáček <msima...@redhat.com> writes:
On 2015-08-24 17:49, Simo Sorce wrote:
On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:
On 2015-08-24 14:50, Jan Cholasta wrote:
On 23.8.2015 23:27, Michael Šimáček wrote:
3) ipa-adtrust-install fails with:
Unrecognized error during check of admin rights:
ad...@abc.idm.lab.eng.brq.redhat.com: user not found
Apparently there is a "user-show ad...@abc.idm.lab.eng.brq.redhat.com"
call where a "user-show admin" call should be.
Fixed. python-gssapi has a display_as method that could pull the name
from it, but it doesn't work in current version, therefore using
partition to split on '@'
It's actually a bug in MIT Krb5, as we noted in your bug. So this:
- user = api.Command.user_show(unicode(principal))['result']
+ user = api.Command.user_show(principal.partition('@'))['result']
is working around a bug in specific Kerberos versions. If people are
okay with merging such code, then I guess this is fine; I would
personally not do so because there is not a clear point at which it can
be removed. At the very least, we should wait until we see what
versions of krb5 MIT is going to fix.
The principal comes from krb_utils.get_principal(). Are you saying that
after MIT Krb5 is fixed, this function will not return a principal
anymore? If so, it needs to be fixed to use some different interface to
return a principal even after MIT Krb5 is fixed, we don't want a
function called get_principal to *not* return a principal.
Otherwise, looks good.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code