On 2015-09-03 14:32, Tomas Babej wrote:



On 09/03/2015 12:54 PM, Michael Šimáček wrote:
After porting to gssapi, the ipa command prints an ugly traceback when
Kerberos credentials are not available. Rewrapping to CCacheError when
getting the principal name results in a nicer error message.

https://fedorahosted.org/freeipa/ticket/5272



This fixes the issue, however, I am getting a trailing forward slash in
the error message:

$ ipa user-find
ipa: ERROR: Kerberos error: did not receive Kerberos credentials/


Attaching updated revision. I altered more places where kerberos errors were used.

Michael
From 50095b3ab224a871ac3bd6e7823755cdba744b60 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msima...@redhat.com>
Date: Mon, 31 Aug 2015 14:04:33 +0200
Subject: [PATCH] Rewrap errors in get_principal to CCacheError

Causes nicer error message when kerberos credentials are not available.

https://fedorahosted.org/freeipa/ticket/5272
---
 install/tools/ipa-adtrust-install |  2 +-
 ipalib/krb_utils.py               | 10 ++++++++--
 ipalib/rpc.py                     | 10 ++++++----
 ipaserver/rpcserver.py            |  2 +-
 4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 9ff1ac9be24a9f16f59ebe8dd46b2ff0d27b06aa..92c6ef3bda16de8e45a2a12011181541bbb0672c 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -306,7 +306,7 @@ def main():
 
     try:
         principal = krb_utils.get_principal()
-    except gssapi.exceptions.GSSError as e:
+    except errors.CCacheError as e:
         sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)
 
     try:
diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index db1cffc1e32a2e50fba64897ff1eba005f90fdc3..019f7ab6cee7f441489c4bd6dd84eb423b2ff6ca 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -168,9 +168,15 @@ def get_principal(ccache_name=None):
         default
     :returns:
       Default principal name as string
+    :raises:
+      errors.CCacheError if the principal cannot be retrieved from given
+      ccache
     '''
-    creds = get_credentials(ccache_name=ccache_name)
-    return unicode(creds.name)
+    try:
+        creds = get_credentials(ccache_name=ccache_name)
+        return unicode(creds.name)
+    except gssapi.exceptions.GSSError as e:
+        raise errors.CCacheError(message=unicode(e))
 
 def get_credentials_if_valid(name=None, ccache_name=None):
     '''
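Review bot: The new `except gssapi.exceptions.GSSError as e:` in get_principal converts every GSS failure into `errors.CCacheError` and keeps only the text, so the major/minor status is gone by the time a caller sees the error. rpc.py imports minor codes such as `KRB5_FCC_PERM` and `KRB5_CC_FORMAT` to tell these cases apart, yet a ccache that exists but is unreadable or malformed would now surface from here looking the same as a missing one. Consider recording `e.maj_code` and `e.min_code` (for example in a debug log line, if this module has a logger) before re-raising, so the underlying cause stays diagnosable. Whether `gssapi` and `errors` are already imported in krb_utils.py is not visible in this hunk.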
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index dcbfafe0567d653273fccb96d31d4c407fdf256c..6b666418769ffdf0f9ac6242d765a6bd965d4c80 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -67,7 +67,7 @@ import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
                              KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
-                             KRB5_REALM_CANT_RESOLVE, get_principal
+                             KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
 from ipapython.dn import DN
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib import api
@@ -532,8 +532,10 @@ class KerbTransport(SSLTransport):
             raise errors.BadCCacheFormat()
         elif minor == KRB5_REALM_CANT_RESOLVE:
             raise errors.CannotResolveKDC()
+        elif minor == KRB5_CC_NOTFOUND:
+            raise errors.CCacheError()
         else:
-            raise errors.KerberosError(major=e.maj_code, minor=minor)
+            raise errors.KerberosError(message=unicode(e))
 
     def get_host_info(self, host):
         """
@@ -839,7 +841,7 @@ class RPCClient(Connectible):
             # is still valid
             if not delegate:
                 rpc_uri = self.apply_session_cookie(rpc_uri)
-        except ValueError:
+        except (errors.CCacheError, ValueError):
             # No session key, do full Kerberos auth
             pass
         # This might be dangerous. Use at your own risk!
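Review bot: The widened handler `except (errors.CCacheError, ValueError):` now silently discards a missing-credentials error, but the comment under it still reads "No session key, do full Kerberos auth", which describes only the ValueError case. I would reword it to `# No session cookie, or no ccache principal to look one up with; fall back to full Kerberos auth`, so a reader can see the CCacheError is swallowed on purpose. That the error resurfaces during the later negotiation is inferred, since the rest of the method lies outside this hunk.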
@@ -885,7 +887,7 @@ class RPCClient(Connectible):
                 break
             except KerberosError as krberr:
                 # kerberos error on one server is likely on all
-                raise errors.KerberosError(major=str(krberr), minor='')
+                raise errors.KerberosError(message=unicode(krberr))
             except ProtocolError as e:
                 if hasattr(context, 'session_cookie') and e.errcode == 401:
                     # Unauthorized. Remove the session and try again.
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 3b0fee534eba1d2b902df72c859253cfcbd053fe..84b440a42c288edeeccf90c254ae4b930068d42c 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -964,7 +964,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
         try:
             ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, armor_path)
         except gssapi.exceptions.GSSError as e:
-            raise CCacheError(str(e))
+            raise CCacheError(message=unicode(e))
 
         # Format the user as a kerberos principal
         principal = krb5_format_principal_name(user, realm)
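Review bot: `raise CCacheError(message=unicode(e))` in login_password places the raw GSSError text from `ipautil.kinit_keytab` into the exception, and this backend handles password logins, that is, callers who are not yet authenticated. If that message reaches the HTTP response (how CCacheError is handled is outside this hunk), internal details of the server's armor-ticket acquisition would be returned to anyone who can reach the endpoint. Logging `unicode(e)` on the server and raising `CCacheError()` with its default message would keep the diagnostics without handing them to the client.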
-- 
2.1.0
