Re: [Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-22 Thread David Kupka

On 04/09/15 17:07, Michael Šimáček wrote:
> On 2015-09-03 14:32, Tomas Babej wrote:
>> On 09/03/2015 12:54 PM, Michael Šimáček wrote:
>>> After porting to gssapi, the ipa command prints ugly traceback when
>>> kerberos credentials are not available. Rewrapping to CCacheError when
>>> getting the principal name results in nicer error message.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5272
>>
>> This fixes the issue, however, I am getting a trailing forward slash in
>> the error message:
>>
>> $ ipa user-find
>> ipa: ERROR: Kerberos error: did not receive Kerberos credentials/
>
> Attaching updated revision. I altered more places where kerberos errors
> were used.
>
> Michael

Thanks, patch works for me, ACK.

--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-22 Thread Jan Cholasta

On 22.9.2015 13:20, David Kupka wrote:
> On 04/09/15 17:07, Michael Šimáček wrote:
>> On 2015-09-03 14:32, Tomas Babej wrote:
>>> On 09/03/2015 12:54 PM, Michael Šimáček wrote:
>>>> After porting to gssapi, the ipa command prints ugly traceback when
>>>> kerberos credentials are not available. Rewrapping to CCacheError when
>>>> getting the principal name results in nicer error message.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/5272
>>>
>>> This fixes the issue, however, I am getting a trailing forward slash in
>>> the error message:
>>>
>>> $ ipa user-find
>>> ipa: ERROR: Kerberos error: did not receive Kerberos credentials/
>>
>> Attaching updated revision. I altered more places where kerberos errors
>> were used.
>>
>> Michael
>
> Thanks, patch works for me, ACK.

Pushed to master: bdccebbcdb9eb7da476762743121c1e73f95fa10

--
Jan Cholasta


Re: [Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-04 Thread Michael Šimáček

On 2015-09-03 14:32, Tomas Babej wrote:
> On 09/03/2015 12:54 PM, Michael Šimáček wrote:
>> After porting to gssapi, the ipa command prints ugly traceback when
>> kerberos credentials are not available. Rewrapping to CCacheError when
>> getting the principal name results in nicer error message.
>>
>> https://fedorahosted.org/freeipa/ticket/5272
>
> This fixes the issue, however, I am getting a trailing forward slash in
> the error message:
>
> $ ipa user-find
> ipa: ERROR: Kerberos error: did not receive Kerberos credentials/

Attaching updated revision. I altered more places where kerberos errors
were used.

Michael

From 50095b3ab224a871ac3bd6e7823755cdba744b60 Mon Sep 17 00:00:00 2001
From: Michael Simacek 
Date: Mon, 31 Aug 2015 14:04:33 +0200
Subject: [PATCH] Rewrap errors in get_principal to CCacheError

Causes nicer error message when kerberos credentials are not available.

https://fedorahosted.org/freeipa/ticket/5272
---
 install/tools/ipa-adtrust-install |  2 +-
 ipalib/krb_utils.py   | 10 --
 ipalib/rpc.py | 10 ++
 ipaserver/rpcserver.py|  2 +-
 4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 9ff1ac9be24a9f16f59ebe8dd46b2ff0d27b06aa..92c6ef3bda16de8e45a2a12011181541bbb0672c 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -306,7 +306,7 @@ def main():
 
 try:
 principal = krb_utils.get_principal()
-except gssapi.exceptions.GSSError as e:
+except errors.CCacheError as e:
 sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)
 
 try:
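Review bot: `except errors.CCacheError as e:` in main() depends on `errors` being importable in this script, and the diff for install/tools/ipa-adtrust-install contains no import change. Confirm that `errors` is already imported from ipalib here; otherwise the missing-credentials path ends in a NameError instead of the intended sys.exit message. If this handler was the only use of `gssapi` in the script, that import can be dropped as well.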
diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index db1cffc1e32a2e50fba64897ff1eba005f90fdc3..019f7ab6cee7f441489c4bd6dd84eb423b2ff6ca 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -168,9 +168,15 @@ def get_principal(ccache_name=None):
 default
 :returns:
   Default principal name as string
+:raises:
+  errors.CCacheError if the principal cannot be retrieved from given
+  ccache
 '''
-creds = get_credentials(ccache_name=ccache_name)
-return unicode(creds.name)
+try:
+creds = get_credentials(ccache_name=ccache_name)
+return unicode(creds.name)
+except gssapi.exceptions.GSSError as e:
+raise errors.CCacheError(message=unicode(e))
 
 def get_credentials_if_valid(name=None, ccache_name=None):
 '''
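Review bot: the new `except gssapi.exceptions.GSSError as e:` in get_principal() maps every GSSAPI failure to errors.CCacheError, so a failure unrelated to the credential cache is reported as a ccache problem and its major/minor status survives only as text. Consider inspecting the minor code and rewrapping only the ccache-related cases, or at least logging the original exception at debug level before raising, so that authentication failures stay diagnosable.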
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index dcbfafe0567d653273fccb96d31d4c407fdf256c..6b666418769ffdf0f9ac6242d765a6bd965d4c80 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -67,7 +67,7 @@ import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
- KRB5_REALM_CANT_RESOLVE, get_principal
+ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
 from ipapython.dn import DN
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib import api
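Review bot: `KRB5_CC_NOTFOUND` is added to the import from ipalib.krb_utils, but the krb_utils.py part of this patch only touches get_principal() and does not define it. Confirm the constant already exists there alongside the other KRB5_* codes; if it does not, importing ipalib.rpc fails with an ImportError.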
@@ -532,8 +532,10 @@ class KerbTransport(SSLTransport):
 raise errors.BadCCacheFormat()
 elif minor == KRB5_REALM_CANT_RESOLVE:
 raise errors.CannotResolveKDC()
+elif minor == KRB5_CC_NOTFOUND:
+raise errors.CCacheError()
 else:
-raise errors.KerberosError(major=e.maj_code, minor=minor)
+raise errors.KerberosError(message=unicode(e))
 
 def get_host_info(self, host):
 """
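Review bot: in the final `else:` branch, `errors.KerberosError(message=unicode(e))` drops `e.maj_code` and `minor`, which the removed line passed through. For a Kerberos failure that none of the earlier branches recognise, those codes are the most useful diagnostic, so keep them in the message text or log them at debug level before raising.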
@@ -839,7 +841,7 @@ class RPCClient(Connectible):
 # is still valid
 if not delegate:
 rpc_uri = self.apply_session_cookie(rpc_uri)
-except ValueError:
+except (errors.CCacheError, ValueError):
 # No session key, do full Kerberos auth
 pass
 # This might be dangerous. Use at your own risk!
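Review bot: `except (errors.CCacheError, ValueError):` followed by `pass` now also swallows a credential cache failure, but the comment beneath it still reads `# No session key, do full Kerberos auth`. Update the comment to cover the new case and add a debug log entry, so that a client silently falling back from the session cookie to full Kerberos authentication is visible when troubleshooting.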
@@ -885,7 +887,7 @@ class RPCClient(Connectible):
 break
 except KerberosError as krberr:
 # kerberos error on one server is likely on all
-raise errors.KerberosError(major=str(krberr), minor='')
+raise errors.KerberosError(message=unicode(krberr))
 except ProtocolError as e:
 if hasattr(context, 'session_cookie') and e.errcode == 401:
 # Unauthorized. Remove the session and try again.
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 3b0fee534eba1d2b902df72c859253cfcbd053fe..84b440a42c288edeeccf90c254ae4b930068d42c 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -964,7 +964,7 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 try:
 ipautil.kinit_keytab(armor_principal, paths.IPA_KEYTAB, 

[Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-03 Thread Michael Šimáček

After porting to gssapi, the ipa command prints ugly traceback when
kerberos credentials are not available. Rewrapping to CCacheError when
getting the principal name results in nicer error message.

https://fedorahosted.org/freeipa/ticket/5272

From 227df758d0ac0cfc971a39e63c33bc4bfc0e992b Mon Sep 17 00:00:00 2001
From: Michael Simacek 
Date: Mon, 31 Aug 2015 14:04:33 +0200
Subject: [PATCH] Rewrap errors in get_principal to CCacheError

Causes nicer error message when kerberos credentials are not available.

https://fedorahosted.org/freeipa/ticket/5272
---
 install/tools/ipa-adtrust-install |  2 +-
 ipalib/krb_utils.py   | 10 --
 ipalib/rpc.py |  6 --
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 9ff1ac9be24a9f16f59ebe8dd46b2ff0d27b06aa..92c6ef3bda16de8e45a2a12011181541bbb0672c 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -306,7 +306,7 @@ def main():
 
 try:
 principal = krb_utils.get_principal()
-except gssapi.exceptions.GSSError as e:
+except errors.CCacheError as e:
 sys.exit("Must have Kerberos credentials to setup AD trusts on server: %s" % e.message)
 
 try:
diff --git a/ipalib/krb_utils.py b/ipalib/krb_utils.py
index db1cffc1e32a2e50fba64897ff1eba005f90fdc3..71348e8c895e963cca72b0e7267188a36b595399 100644
--- a/ipalib/krb_utils.py
+++ b/ipalib/krb_utils.py
@@ -168,9 +168,15 @@ def get_principal(ccache_name=None):
 default
 :returns:
   Default principal name as string
+:raises:
+  errors.CCacheError if the principal cannot be retrieved from given
+  ccache
 '''
-creds = get_credentials(ccache_name=ccache_name)
-return unicode(creds.name)
+try:
+creds = get_credentials(ccache_name=ccache_name)
+return unicode(creds.name)
+except gssapi.exceptions.GSSError as e:
+raise errors.CCacheError(str(e))
 
 def get_credentials_if_valid(name=None, ccache_name=None):
 '''
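Review bot: `raise errors.CCacheError(str(e))` passes the error text positionally and as a byte string, while the same function returns `unicode(creds.name)`. Pass it by keyword and as unicode, for example `message=unicode(e)`, so the call does not depend on the constructor's parameter order and stays consistent with the rest of the function.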
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index dcbfafe0567d653273fccb96d31d4c407fdf256c..a3580453fa4631f5e8c90591cdf6ea31b3a356ff 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -67,7 +67,7 @@ import ipapython.nsslib
 from ipapython.nsslib import NSSHTTPS, NSSConnection
 from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \
  KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, \
- KRB5_REALM_CANT_RESOLVE, get_principal
+ KRB5_REALM_CANT_RESOLVE, KRB5_CC_NOTFOUND, get_principal
 from ipapython.dn import DN
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib import api
@@ -532,6 +532,8 @@ class KerbTransport(SSLTransport):
 raise errors.BadCCacheFormat()
 elif minor == KRB5_REALM_CANT_RESOLVE:
 raise errors.CannotResolveKDC()
+elif minor == KRB5_CC_NOTFOUND:
+raise errors.CCacheError()
 else:
 raise errors.KerberosError(major=e.maj_code, minor=minor)
 
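Review bot: the added `raise errors.CCacheError()` under `elif minor == KRB5_CC_NOTFOUND:` carries no message, while the krb_utils.py change in this same patch passes the GSSAPI error text into CCacheError. Pass the text here too, so both code paths give the user the same level of detail about why credentials were not found.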
@@ -839,7 +841,7 @@ class RPCClient(Connectible):
 # is still valid
 if not delegate:
 rpc_uri = self.apply_session_cookie(rpc_uri)
-except ValueError:
+except (errors.CCacheError, ValueError):
 # No session key, do full Kerberos auth
 pass
 # This might be dangerous. Use at your own risk!
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-03 Thread Tomas Babej


On 09/03/2015 12:54 PM, Michael Šimáček wrote:
> After porting to gssapi, the ipa command prints ugly traceback when
> kerberos credentials are not available. Rewrapping to CCacheError when
> getting the principal name results in nicer error message.
> 
> https://fedorahosted.org/freeipa/ticket/5272
> 
> 

This fixes the issue, however, I am getting a trailing forward slash in
the error message:

$ ipa user-find
ipa: ERROR: Kerberos error: did not receive Kerberos credentials/
