Bug 476181 - update to python-kerberos package broke freeipa
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: python-kerberos
Version: 10
Hardware: All Linux
Priority: high, Severity: high
Assigned To: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
Blocks: 476535
Reported: 2008-12-12 04:43 EST by Alan Pevec
Modified: 2016-04-26 18:15 EDT

Doc Type: Bug Fix
Last Closed: 2008-12-17 19:36:31 EST
Attachments:
* Rob's patch for python-kerberos-1.1 posted on ovirt-devel (3.43 KB, patch), 2008-12-12 04:44 EST, Alan Pevec
* Alternative patch (5.25 KB, patch), 2008-12-12 19:51 EST, Simo Sorce
* Slightly modified patch that accepts named arguments (6.02 KB, patch), 2008-12-15 09:39 EST, Simo Sorce

Description Alan Pevec 2008-12-12 04:43:08 EST
Description of problem:
*From Perry Myers*
If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do:
    [root@management ~]# ipa-finduser foo
    No entries found for foo
But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get:
    [root@management ~]# ipa-finduser foo
    Did not receive Kerberos credentials.

*Reply from Rob Crittenden*
The problem is that PyKerberos doesn't support delegation. python-kerberos 1.0 had a patch which set the delegation flag on every request. A rather short-sighted fix, in retrospect.

A slightly better fix, which will also require a change in freeipa, is attached. This adds an optional, unnamed argument to authGSSClientInit() to request delegation. The new call signature looks like:

    authGSSClientInit(service, False)

The fix for freeipa is to add a second argument, True, to krbtransport.py, ~line 37. Should look something like this, minus proper spacing:

    rc, vc = kerberos.authGSSClientInit(service, True)

Version-Release number of selected component (if applicable):
ipa-1.2.0-3.fc10
python-kerberos-1.1-1.fc10
Comment 1 Alan Pevec 2008-12-12 04:44:31 EST
Created attachment 326716
Rob's patch for python-kerberos-1.1 posted on ovirt-devel
Comment 2 Alan Pevec 2008-12-12 08:21:17 EST
scratch Koji builds for oVirt with the above patches:

* python-kerberos-1.1-1.1ovirt.fc10
http://koji.fedoraproject.org/koji/taskinfo?taskID=994768

* ipa-1.2.1-0.1ovirt.fc10
http://koji.fedoraproject.org/koji/taskinfo?taskID=994773
Comment 3 Simo Sorce 2008-12-12 19:51:26 EST
Created attachment 326797
Alternative patch

I attached an alternative patch that exposes all GSS Flags.
I think this patch may have a better chance to get accepted upstream and will let us have more control on all flags in case we need to.

This patch will require a different change in krbtransport.py

 rc, vc = kerberos.authGSSClientInit(service, kerberos.GSS_C_MUTUAL_FLAG|
                                              kerberos.GSS_C_SEQUENCE_FLAG|
                                              kerberos.GSS_C_DELEG_FLAG)


I've tested this and it works fine in my F10

What do you think, Rob?
Comment 4 Rob Crittenden 2008-12-15 09:14:36 EST
Looks good to me.
Comment 5 Simo Sorce 2008-12-15 09:39:09 EST
Created attachment 326949
Slightly modified patch that accepts named arguments

Same as my previous patch, but this one accepts arguments passed with a name, like: gssflags=kerberos.GSS_C_FOO_FLAG
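
An added illustration, not part of the bug thread or of python-kerberos: a caller-side helper that passes gssflags by name and requests delegation only for allow-listed services instead of on every request. The service names, the allowlist and fake_init are assumptions constructed for the example; the flag values are the GSS-API constants from RFC 2744.

```python
# Added example, not code from the bug thread or from python-kerberos.
# Flag values are the GSS-API constants from RFC 2744; the thread refers to
# them as kerberos.GSS_C_DELEG_FLAG, GSS_C_MUTUAL_FLAG and GSS_C_SEQUENCE_FLAG.
GSS_FLAGS = {
    "GSS_C_DELEG_FLAG": 1,
    "GSS_C_MUTUAL_FLAG": 2,
    "GSS_C_SEQUENCE_FLAG": 8,
}

# Hypothetical allowlist: only these services are handed a delegated credential.
DELEGATION_ALLOWED = {"HTTP@ipa.example.test"}


def flags_for(service):
    """Mutual auth and sequencing always; delegation only if allow-listed."""
    flags = GSS_FLAGS["GSS_C_MUTUAL_FLAG"] | GSS_FLAGS["GSS_C_SEQUENCE_FLAG"]
    if service in DELEGATION_ALLOWED:
        flags |= GSS_FLAGS["GSS_C_DELEG_FLAG"]
    return flags


def flag_names(flags):
    """Decode a flag mask into names, e.g. for an audit log line."""
    return sorted(name for name, bit in GSS_FLAGS.items() if flags & bit)


def client_init(service, init):
    """Call init (kerberos.authGSSClientInit in real use) with named gssflags."""
    return init(service, gssflags=flags_for(service))


def fake_init(service, gssflags=0):
    """Constructed stand-in for authGSSClientInit so this runs without a KDC."""
    return 1, {"service": service, "gssflags": gssflags}


if __name__ == "__main__":
    for svc in ("HTTP@ipa.example.test", "HTTP@other.example.test"):
        rc, ctx = client_init(svc, fake_init)
        print(svc, rc, flag_names(ctx["gssflags"]))
```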
Comment 6 Fedora Update System 2008-12-15 14:14:12 EST
python-kerberos-1.1-3.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/python-kerberos-1.1-3.fc10
Comment 7 Fedora Update System 2008-12-15 14:16:46 EST
python-kerberos-1.1-3.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/python-kerberos-1.1-3.fc9
Comment 8 Fedora Update System 2008-12-17 19:36:28 EST
python-kerberos-1.1-3.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2008-12-17 19:38:02 EST
python-kerberos-1.1-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
