Description of problem:

*From Perry Myers*

If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do:

    [root@management ~]# ipa-finduser foo
    No entries found for foo

But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get:

    [root@management ~]# ipa-finduser foo
    Did not receive Kerberos credentials.

*Reply from Rob Crittenden*

The problem is that PyKerberos doesn't support delegation. python-kerberos 1.0 had a patch which set the delegation flag on every request. A rather short-sighted fix, in retrospect.

A slightly better fix, which will also require a change in freeipa, is attached. This adds an optional, unnamed argument to authGSSClientInit() to request delegation. The new call signature looks like:

    authGSSClientInit(service, False)

The fix for freeipa is to add a second argument, True, to krbtransport.py, ~line 37. Should look something like this, minus proper spacing:

    rc, vc = kerberos.authGSSClientInit(service, True)

Version-Release number of selected component (if applicable):
ipa-1.2.0-3.fc10
python-kerberos-1.1-1.fc10
Created attachment 326716
Rob's patch for python-kerberos-1.1 posted on ovirt-devel
Scratch Koji builds for oVirt with the above patches:

* python-kerberos-1.1-1.1ovirt.fc10 http://koji.fedoraproject.org/koji/taskinfo?taskID=994768
* ipa-1.2.1-0.1ovirt.fc10 http://koji.fedoraproject.org/koji/taskinfo?taskID=994773
Created attachment 326797
Alternative patch

I attached an alternative patch that exposes all GSS Flags. I think this patch may have a better chance to get accepted upstream and will let us have more control on all flags in case we need to.

This patch will require a different change in krbtransport.py:

    rc, vc = kerberos.authGSSClientInit(service,
                                        kerberos.GSS_C_MUTUAL_FLAG |
                                        kerberos.GSS_C_SEQUENCE_FLAG |
                                        kerberos.GSS_C_DELEG_FLAG)

I've tested this and it works fine in my F10.

What do you think, Rob?
Looks good to me.
Created attachment 326949
Slightly modified patch that accepts named arguments

Same as my previous patch, but this will accept that arguments are passed with a name like:

    gssflags=kerberos.GSS_C_FOO_FLAG
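Added example, not part of the thread or of the python-kerberos or freeipa code: with the flags exposed as in the patches above, a caller can request GSS_C_DELEG_FLAG only for services that need the user's credentials forwarded, instead of setting it on every request as the 1.0 patch did. The allow-list, the service names and the helper names are hypothetical; the flag values are the ones defined in RFC 2744.

```python
# GSS-API context flag values from RFC 2744; the patched python-kerberos
# exposes the same names as module constants (kerberos.GSS_C_DELEG_FLAG, ...).
GSS_C_DELEG_FLAG = 1
GSS_C_MUTUAL_FLAG = 2
GSS_C_REPLAY_FLAG = 4
GSS_C_SEQUENCE_FLAG = 8

FLAG_NAMES = {
    GSS_C_DELEG_FLAG: "GSS_C_DELEG_FLAG",
    GSS_C_MUTUAL_FLAG: "GSS_C_MUTUAL_FLAG",
    GSS_C_REPLAY_FLAG: "GSS_C_REPLAY_FLAG",
    GSS_C_SEQUENCE_FLAG: "GSS_C_SEQUENCE_FLAG",
}

# Hypothetical allow-list (constructed): only these services may receive
# delegated credentials.
DELEGATION_ALLOWED = frozenset({"HTTP@ipa.example.com"})


def client_flags(service, allowed=DELEGATION_ALLOWED):
    """Return the gssflags mask for a service; delegation is opt-in."""
    flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG
    if service in allowed:
        flags |= GSS_C_DELEG_FLAG
    return flags


def describe(flags):
    """List the names of the flags set in a mask, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def init_client(service, gss=None, allowed=DELEGATION_ALLOWED):
    """Start a client context with explicit flags, using the named-argument
    form from the last patch. `gss` is the kerberos module; it is a
    parameter so the logic can be exercised without a KDC."""
    if gss is None:
        import kerberos as gss  # needs a python-kerberos build with gssflags
    return gss.authGSSClientInit(service, gssflags=client_flags(service, allowed))


if __name__ == "__main__":
    for svc in ("HTTP@ipa.example.com", "HTTP@wiki.example.com"):
        print(svc, describe(client_flags(svc)))
```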
python-kerberos-1.1-3.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/python-kerberos-1.1-3.fc10
python-kerberos-1.1-3.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/python-kerberos-1.1-3.fc9
python-kerberos-1.1-3.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
python-kerberos-1.1-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.