Bug 476181
| Summary: | update to python-kerberos package broke freeipa | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alan Pevec <apevec> |
| Component: | python-kerberos | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Priority: | high |
| Version: | 10 | CC: | apevec, mnagy, rcritten, ssorce |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2008-12-18 00:36:31 UTC |
| Bug Blocks: | 476535 | | |

Created attachment 326716 [details]
Rob's patch for python-kerberos-1.1 posted on ovirt-devel

scratch Koji builds for oVirt with the above patches:

* python-kerberos-1.1-1.1ovirt.fc10 http://koji.fedoraproject.org/koji/taskinfo?taskID=994768
* ipa-1.2.1-0.1ovirt.fc10 http://koji.fedoraproject.org/koji/taskinfo?taskID=994773

Created attachment 326797 [details]
Alternative patch
I attached an alternative patch that exposes all GSS Flags.
I think this patch may have a better chance to get accepted upstream and will let us have more control on all flags in case we need to.
This patch will require a different change in krbtransport.py:

    rc, vc = kerberos.authGSSClientInit(service, kerberos.GSS_C_MUTUAL_FLAG|
                                                 kerberos.GSS_C_SEQUENCE_FLAG|
                                                 kerberos.GSS_C_DELEG_FLAG)

I've tested this and it works fine in my F10.
What do you think, Rob?

Looks good to me.

Created attachment 326949 [details]
Slightly modified patch that accepts named arguments
Same as my previous patch but this will accept that arguments are passed with a name like: gssflags=kerberos.GSS_C_FOO_FLAG

python-kerberos-1.1-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/python-kerberos-1.1-3.fc10

python-kerberos-1.1-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/python-kerberos-1.1-3.fc9

python-kerberos-1.1-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

python-kerberos-1.1-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:

*From Perry Myers*

If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do:

    [root@management ~]# ipa-finduser foo
    No entries found for foo

But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get:

    [root@management ~]# ipa-finduser foo
    Did not receive Kerberos credentials.

*Reply from Rob Crittenden*

The problem is that PyKerberos doesn't support delegation. python-kerberos 1.0 had a patch which set the delegation flag on every request. A rather short-sighted fix, in retrospect.

A slightly better fix, which will also require a change in freeipa, is attached. This adds an optional, unnamed argument to authGSSClientInit() to request delegation. The new call signature looks like:

    authGSSClientInit(service, False)

The fix for freeipa is to add a second argument, True, to krbtransport.py, ~line 37. Should look something like this, minus proper spacing:

    rc, vc = kerberos.authGSSClientInit(service, True)

Version-Release number of selected component (if applicable):

ipa-1.2.0-3.fc10
python-kerberos-1.1-1.fc10
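
The flag-based `authGSSClientInit(service, gssflags=...)` call discussed in this bug lets a caller request delegation per service instead of on every request, as the 1.0 patch did. The sketch below is an added example, not code from the bug report, python-kerberos or freeipa: `client_flags`, `describe`, `init_client`, `FakeKerberos`, the allow-list policy and the `example.test` service names are hypothetical, and the flag bit values are the ones defined in RFC 2744.

```python
# Added example: request credential delegation only for allow-listed services.
# Bit values are the GSS-API request flags defined in RFC 2744.
GSS_C_DELEG_FLAG = 1     # forward the caller's credentials to the service
GSS_C_MUTUAL_FLAG = 2    # the service must authenticate back to the client
GSS_C_SEQUENCE_FLAG = 8  # detect out-of-sequence messages

FLAG_NAMES = {
    GSS_C_DELEG_FLAG: "DELEG",
    GSS_C_MUTUAL_FLAG: "MUTUAL",
    GSS_C_SEQUENCE_FLAG: "SEQUENCE",
}

def client_flags(service, delegate_to):
    """Always ask for mutual auth and sequencing; add delegation only when
    the service is on the caller's allow-list (hypothetical policy)."""
    flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
    if service.lower() in {s.lower() for s in delegate_to}:
        flags |= GSS_C_DELEG_FLAG
    return flags

def describe(flags):
    """Decode a flag mask into names, for logging what was requested."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]

def init_client(krb, service, delegate_to):
    """krb is the patched kerberos module, or a stand-in exposing the same
    authGSSClientInit(service, gssflags=...) call discussed in this bug."""
    flags = client_flags(service, delegate_to)
    rc, ctx = krb.authGSSClientInit(service, gssflags=flags)
    return rc, ctx, describe(flags)

class FakeKerberos:
    """Constructed stand-in that records calls, so this runs without a KDC.
    The gssflags default of 0 is an assumption of this stand-in."""
    def __init__(self):
        self.calls = []

    def authGSSClientInit(self, service, gssflags=0):
        self.calls.append((service, gssflags))
        return 1, object()

if __name__ == "__main__":
    fake = FakeKerberos()
    allow = ["HTTP@ipa.example.test"]  # constructed service names
    for svc in ("HTTP@ipa.example.test", "HTTP@wiki.example.test"):
        print(svc, init_client(fake, svc, allow)[2])
```

With the real module, pass the imported `kerberos` module as `krb`; logging the decoded flag names makes it visible which services were sent delegated credentials.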