On 25.8.2015 12:21, Michael Šimáček wrote:

On 2015-08-25 12:13, Jan Cholasta wrote:
On 24.8.2015 20:29, Robbie Harwood wrote:
Michael Šimáček <msima...@redhat.com> writes:

On 2015-08-24 17:49, Simo Sorce wrote:

On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:

On 2015-08-24 14:50, Jan Cholasta wrote:

On 23.8.2015 23:27, Michael Šimáček wrote:

3) ipa-adtrust-install fails with:

admin password:

Unrecognized error during check of admin rights:
ad...@abc.idm.lab.eng.brq.redhat.com: user not found

Apparently there is a "user-show
call where a "user-show admin" call should be.

Fixed. python-gssapi has a display_as method that could pull the name
from it, but it doesn't work in current version, therefore using
partition to split on '@'

It's actually a bug in MIT Krb5, as we noted in your bug[0].  So this:

-        user = api.Command.user_show(unicode(principal[0]))['result']
+        user =

is working around a bug in specific Kerberos versions.  If people are
okay with merging such code, then I guess this is fine; I would
personally not do so because there is not a clear point at which it can
be removed.  At the very least, we should wait until we see what
versions of krb5 MIT is going to fix.

The principal comes from krb_utils.get_principal(). Are you saying that
after MIT Krb5 is fixed, this function will not return a principal
anymore? If so, it needs to be fixed to use some different interface to
return a principal even after MIT Krb5 is fixed, we don't want a
function called get_principal to *not* return a principal.

No, get_principal won't change. Robbie doesn't like the
principal.partition('@'), which could maybe be replaced by call to
display_as (on a gssapi.Name object that would be obtained in some other
way). But display_as doesn't work. I'm saying maybe replaced, because
I'm getting "operation not supported" from kerberos when trying to
excercise the not-buggy code path of display_as.

We use "principal.split('@')" in different parts of IPA, so IMO it's OK.

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to