On 24.8.2015 20:29, Robbie Harwood wrote:
Michael Šimáček <msima...@redhat.com> writes:

On 2015-08-24 17:49, Simo Sorce wrote:

On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:

On 2015-08-24 14:50, Jan Cholasta wrote:

On 23.8.2015 23:27, Michael Šimáček wrote:

3) ipa-adtrust-install fails with:

admin password:

Unrecognized error during check of admin rights:
ad...@abc.idm.lab.eng.brq.redhat.com: user not found

Apparently there is a "user-show ad...@abc.idm.lab.eng.brq.redhat.com"
call where a "user-show admin" call should be.

Fixed. python-gssapi has a display_as method that could pull the name
from it, but it doesn't work in current version, therefore using
partition to split on '@'

It's actually a bug in MIT Krb5, as we noted in your bug[0].  So this:

-        user = api.Command.user_show(unicode(principal[0]))['result']
+        user = api.Command.user_show(principal.partition('@')[0])['result']

is working around a bug in specific Kerberos versions.  If people are
okay with merging such code, then I guess this is fine; I would
personally not do so because there is not a clear point at which it can
be removed.  At the very least, we should wait until we see what
versions of krb5 MIT is going to fix.

The principal comes from krb_utils.get_principal(). Are you saying that after MIT Krb5 is fixed, this function will not return a principal anymore? If so, it needs to be fixed to use some different interface to return a principal even after MIT Krb5 is fixed, we don't want a function called get_principal to *not* return a principal.

Otherwise, looks good.

[0]: https://github.com/pythongssapi/python-gssapi/issues/79

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to