On 26/08/15 09:42, Jan Cholasta wrote:
On 25.8.2015 21:00, Simo Sorce wrote:
On Tue, 2015-08-25 at 20:45 +0200, Michael Šimáček wrote:

On 2015-08-25 18:43, Robbie Harwood wrote:
Jan Cholasta <jchol...@redhat.com> writes:

On 25.8.2015 12:46, Michael Šimáček wrote:
On 2015-08-25 12:38, Alexander Bokovoy wrote:
On Tue, 25 Aug 2015, Michael Šimáček wrote:
On 2015-08-24 20:29, Robbie Harwood wrote:
Michael Šimáček <msima...@redhat.com> writes:
On 2015-08-24 17:49, Simo Sorce wrote:
On Mon, 2015-08-24 at 17:18 +0200, Michael Šimáček wrote:
On 2015-08-24 14:50, Jan Cholasta wrote:

Fixed. python-gssapi has a display_as method that could pull
from it, but it doesn't work in current version, therefore
partition to split on '@'

It's actually a bug in MIT Krb5, as we noted in your bug[0].
So this:

-        user =
+        user =

is working around a bug in specific Kerberos versions.  If
people are
okay with merging such code, then I guess this is fine; I would
personally not do so because there is not a clear point at
which it can
be removed.  At the very least, we should wait until we see what
versions of krb5 MIT is going to fix.

Otherwise, looks good.

[0]: https://github.com/pythongssapi/python-gssapi/issues/79

python-krbV migration is blocking support for Python 3. The bug
doesn't have any fix upstream yet and there are two bugs
actually, the
second one is in python-gssapi, which I've just reported [1].
for two bugs to be fixed could be detrimental to py3 migration
as we
don't have much time left. And I'm no longer sure that display_as

I don't buy this.

We have plenty of time for solving these bugs. Remember, that Samba
DCE RPC bindings aren't migrated to Python 3 either and will not be
before release of Samba 4.4. For Samba 4.3 it is simply too late.

So we are still far away from full Python3 migration for FreeIPA and
waiting for solving these two bugs is OK.

If fixing them solves anything at all. I planned to use
display_as(NameType.user), but when trying it on Name object with
name_type set (which doesn't trigger the segfault), it doesn't
seem to
work either. I get:
gssapi.raw.exceptions.OperationUnavailableError: Major (1048576): The
operation or option is not available or unsupported, Minor (0):

Robbie, can you clarify whether display_as could be actually used
to get
the first component of the principal reliably?

display_as should behave in accordance with its docs; anything else
is a
bug report, which you filed.  I don't know what you're asking me for
beyond that.

Why I mentioned display_as at all is that I initially assumed it could
be used for this, but it was only an assumption because I couldn't get
around the segfault. Later on, the cause of the segfault was found and I
was able to try the method and I found out that it probably cannot be
used for this purpose (i. e. extracting the first component of the
principal) regardless of the two bugs. How I thought it would be used:
import gssapi
cred = gssapi.Credentials()
user = cred.name.display_as(gssapi.NameType.user)

What I got:
gssapi.raw.exceptions.OperationUnavailableError: Major (1048576): The
operation or option is not available or unsupported, Minor (0): Unknown

This seems more like the method is not intended to be used this way. So
I'm asking you whether it is a bug or whether there is another way to do
it. Otherwise display_as cannot be used here.

As I have written in the other thread, we use
"principal.split('@')" in
other parts of IPA, so "principal.partition('@')" should be OK as

This patch works for me, so ACK.

Unless there are any further objections, I would like to push it.

I think the newest iteration of this

user =

is even worse, but if it is decided to merge, then hopefully we can be
rid of it quickly.

It is splitting a string of known format in a way that is used in other
places of freeipa. What is specifically so bad about it? What do you
suggest as an alternative?

Given display_as() currently does not work for you go ahead with this
code. We'll revisit display_as later once we figure out more about the
bug that makes it fail.


Pushed to master: aad73fad601f576dd83b758f4448839b4e8e87df

I think this patch is causing tracebacks when expired or missing kerberos ticket (https://fedorahosted.org/freeipa/ticket/5272).

David Kupka

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to