After porting to gssapi, the ipa command prints an ugly traceback when Kerberos credentials are not available. Rewrapping the error as CCacheError when getting the principal name results in a nicer error message.

https://fedorahosted.org/freeipa/ticket/5272
From 227df758d0ac0cfc971a39e63c33bc4bfc0e992b Mon Sep 17 00:00:00 2001
From: Michael Simacek <msima...@redhat.com>
Date: Mon, 31 Aug 2015 14:04:33 +0200
Subject: [PATCH] Rewrap errors in get_principal to CCacheError

Causes nicer error message when kerberos credentials are not available.

https://fedorahosted.org/freeipa/ticket/5272
---
 install/tools/ipa-adtrust-install |  2 +-
 ipalib/krb_utils.py               | 10 ++++++++--
 ipalib/rpc.py                     |  6 ++++--
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 9ff1ac9be24a9f16f59ebe8dd46b2ff0d27b06aa..92c6ef3bda16de8e45a2a12011181541bbb0672c 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -306,7 +306,7 @@ def main():
 
     try:
         principal = krb_utils.get_principal()
-    except gssapi.exceptions.GSSError as e:
+    except errors.CCacheError as e:
         sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)
 
     try:
diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index db1cffc1e32a2e50fba64897ff1eba005f90fdc3..71348e8c895e963cca72b0e7267188a36b595399 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -168,9 +168,15 @@ def get_principal(ccache_name=None):
         default
     :returns:
       Default principal name as string
+    :raises:
+      errors.CCacheError if the principal cannot be retrieved from given
+      ccache
     '''
-    creds = get_credentials(ccache_name=ccache_name)
-    return unicode(creds.name)
+    try:
+        creds = get_credentials(ccache_name=ccache_name)
+        return unicode(creds.name)
+    except gssapi.exceptions.GSSError as e:
+        raise errors.CCacheError(str(e))
 
 def get_credentials_if_valid(name=None, ccache_name=None):
     '''
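Review bot: `raise errors.CCacheError(str(e))` passes the GSS message as the first positional argument, which ipalib's public error classes, as far as I know, treat as a %-format template rather than literal text; the class definition is not visible here, so this needs confirming. If that is right, a message containing `%` would fail inside the constructor and bring the traceback back instead of the intended error. Passing the text by keyword avoids the interpolation: `raise errors.CCacheError(message=unicode(e))`. The handler also relabels every GSSError from get_credentials as a ccache error, so keeping the original message in the new exception matters for diagnosing non-ccache failures. get_principal's signature and the start of its docstring lie above this hunk.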
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index dcbfafe0567d653273fccb96d31d4c407fdf256c..a3580453fa4631f5e8c90591cdf6ea31b3a356ff 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -67,7 +67,7 @@ import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
                              KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
-                             KRB5_REALM_CANT_RESOLVE, get_principal
+                             KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
 from ipapython.dn import DN
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib import api
@@ -532,6 +532,8 @@ class KerbTransport(SSLTransport):
             raise errors.BadCCacheFormat()
         elif minor == KRB5_REALM_CANT_RESOLVE:
             raise errors.CannotResolveKDC()
+        elif minor == KRB5_CC_NOTFOUND:
+            raise errors.CCacheError()
         else:
             raise errors.KerberosError(major=e.maj_code, minor=minor)
 
@@ -839,7 +841,7 @@ class RPCClient(Connectible):
             # is still valid
             if not delegate:
                 rpc_uri = self.apply_session_cookie(rpc_uri)
-        except ValueError:
+        except (errors.CCacheError, ValueError):
             # No session key, do full Kerberos auth
             pass
         # This might be dangerous. Use at your own risk!
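Review bot: The comment under the widened handler, `# No session key, do full Kerberos auth`, no longer covers everything that is swallowed, because `errors.CCacheError` now also lands here when no principal can be read from the ccache. I would reword it to `# No session key or no usable ccache; fall through to full Kerberos auth` and consider a debug-level log entry, so a missing ccache stays visible when troubleshooting authentication. Presumably the later full-auth path reports the failure (the `KRB5_CC_NOTFOUND` branch added in KerbTransport suggests so), but that code and the start of the enclosing method are outside this hunk.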
-- 
2.1.0
