On 25.8.2015 12:46, Michael Šimáček wrote:
On 2015-08-25 12:38, Alexander Bokovoy wrote:
On Tue, 25 Aug 2015, Michael Šimáček wrote:
On 2015-08-24 20:29, Robbie Harwood wrote:
Michael Šimáček <msima...@redhat.com> writes:
On 2015-08-24 17:49, Simo Sorce wrote:
On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:
On 2015-08-24 14:50, Jan Cholasta wrote:
On 23.8.2015 23:27, Michael Šimáček wrote:
3) ipa-adtrust-install fails with:
admin password:
Unrecognized error during check of admin rights:
ad...@abc.idm.lab.eng.brq.redhat.com: user not found
Apparently there is a "user-show
ad...@abc.idm.lab.eng.brq.redhat.com"
call where a "user-show admin" call should be.
Fixed. python-gssapi has a display_as method that could pull the
name
from it, but it doesn't work in current version, therefore using
partition to split on '@'
It's actually a bug in MIT Krb5, as we noted in your bug[0]. So this:
- user = api.Command.user_show(unicode(principal[0]))['result']
+ user =
api.Command.user_show(principal.partition('@')[0])['result']
is working around a bug in specific Kerberos versions. If people are
okay with merging such code, then I guess this is fine; I would
personally not do so because there is not a clear point at which it can
be removed. At the very least, we should wait until we see what
versions of krb5 MIT is going to fix.
Otherwise, looks good.
[0]: https://github.com/pythongssapi/python-gssapi/issues/79
python-krbV migration is blocking support for Python 3. The bug
doesn't have any fix upstream yet and there are two bugs actually, the
second one is in python-gssapi, which I've just reported [1]. Waiting
for two bugs to be fixed could be detrimental to py3 migration as we
don't have much time left. And I'm no longer sure that display_as
I don't buy this.
We have plenty of time for solving these bugs. Remember, that Samba
DCE RPC bindings aren't migrated to Python 3 either and will not be
before release of Samba 4.4. For Samba 4.3 it is simply too late.
So we are still far away from full Python3 migration for FreeIPA and
waiting for solving these two bugs is OK.
If fixing them solves anything at all. I planned to use
display_as(NameType.user), but when trying it on Name object with
name_type set (which doesn't trigger the segfault), it doesn't seem to
work either. I get:
gssapi.raw.exceptions.OperationUnavailableError: Major (1048576): The
operation or option is not available or unsupported, Minor (0): Unknown
error
Robbie, can you clarify whether display_as could be actually used to get
the first component of the principal reliably?
As I have written in the other thread, we use "principal.split('@')" in
other parts of IPA, so "principal.partition('@')" should be OK as well.
This patch works for me, so ACK.
Unless there are any further objections, I would like to push it.
could be used at all, as I'm getting "operation not supported" on
inputs that don't trigger any of the bugs. I don't think parsing a
string is a big problem. When there will be a different solution
available, I'll submit a new patch. I'm tracking python-gssapi's
issues on github and I won't dissapear after this is merged.
Sure. It is not about you disappearing any time soon, we need to solve
migration issues properly rather than hurrying up for whatever reasons.
--
Jan Cholasta
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
