Simo,

Follow up from the conversation we were having today on IRC in #ovirt

So it looks like update to python-kerberos package broke freeipa...

If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do:

> [root at management ~]# ipa-finduser foo
> No entries found for foo

But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get:

> [root at management ~]# ipa-finduser foo
> Did not receive Kerberos credentials.

Not sure if this is a problem with freeipa or python-kerberos... Could be they changed something (it wasn't a major version upgrade, but it was a 1.0 to 1.1 so likely they changed some interface and freeipa needs to be updated to work properly with it)

Or could be that python-kerberos has a bug in it.

In any case, if you could look try to replicate this let me know what you find out.

Thanks!

Perry

--
|=- Red Hat, Engineering, Emerging Technologies, Boston -=|
|=- Email: pmyers at redhat.com -=|
|=- Office: +1 412 474 3552 Mobile: +1 703 362 9622 -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|
I'm hitting the same error when running ipa-adduser for an oVirt installation and can replicate it easily, what info do you need?

Perry Myers wrote:
> Simo,
>
> Follow up from the conversation we were having today on IRC in #ovirt
>
> So it looks like update to python-kerberos package broke freeipa...
>
> If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do:
>
>> [root at management ~]# ipa-finduser foo
>> No entries found for foo
>
> But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get:
>
>> [root at management ~]# ipa-finduser foo
>> Did not receive Kerberos credentials.
>
> Not sure if this is a problem with freeipa or python-kerberos...
> Could be they changed something (it wasn't a major version upgrade,
> but it was a 1.0 to 1.1 so likely they changed some interface and
> freeipa needs to be updated to work properly with it)
>
> Or could be that python-kerberos has a bug in it.
>
> In any case, if you could look try to replicate this let me know what
> you find out.
>
> Thanks!
>
> Perry
>
Rob Crittenden
2008-Dec-12 05:09 UTC
[Ovirt-devel] Re: [Freeipa-devel] freeipa cmdline tools failing
Perry Myers wrote:
> Simo,
>
> Follow up from the conversation we were having today on IRC in #ovirt
>
> So it looks like update to python-kerberos package broke freeipa...
>
> If I downgrade to python-kerberos-1.0-6.fc9.x86_64.rpm I can do:
>
>> [root at management ~]# ipa-finduser foo
>> No entries found for foo
>
> But if I upgrade to python-kerberos-1.1-1.fc10.x86_64.rpm I get:
>
>> [root at management ~]# ipa-finduser foo
>> Did not receive Kerberos credentials.
>
> Not sure if this is a problem with freeipa or python-kerberos... Could
> be they changed something (it wasn't a major version upgrade, but it was
> a 1.0 to 1.1 so likely they changed some interface and freeipa needs to
> be updated to work properly with it)
>
> Or could be that python-kerberos has a bug in it.
>
> In any case, if you could look try to replicate this let me know what
> you find out.

The problem is that PyKerberos doesn't support delegation. python-kerberos 1.0 had a patch which set the delegation flag on every request. A rather short-sighted fix, in retrospect.

A slightly better fix, which will also require a change in freeipa, is attached. This adds an optional, unnamed argument to authGSSClientInit() to request delegation. The new call signature looks like:

    authGSSClientInit(service, False)

The fix for freeipa is to add a second argument, True, to krbtransport.py, ~line 37. Should look something like this, minus proper spacing:

    rc, vc = kerberos.authGSSClientInit(service, True)

I suppose the best solution is to provide a mechanism to set whatever flags one wants but my Python-to-C coding knowledge consists of about 10 minutes of reading the Python documentation so I'm not quite ready for that :-)

This is briefly tested at best, so YMMV.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: delegate.patch
Type: text/x-patch
Size: 3517 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/ovirt-devel/attachments/20081212/e3e8cf00/attachment.bin>
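
Added example, not part of the thread and not code from python-kerberos or freeipa: a caller-side wrapper that uses the two-argument authGSSClientInit(service, delegate) form described above and requests delegation only for services on an allowlist, since delegation hands the service a forwardable copy of the caller's ticket. The names init_client, DELEGATION_ALLOWLIST, DelegationUnsupported, the two stand-in binding classes and the example.com service names are assumptions made for illustration; the stand-ins replace the real kerberos module so the block runs offline.

```python
# Added example: stand-ins replace the real kerberos module so this runs offline.
DELEGATION_ALLOWLIST = frozenset({"HTTP@ipa.example.com"})  # constructed name


class DelegationUnsupported(Exception):
    """The binding has no per-call delegation argument."""


def init_client(krb, service, allowlist=DELEGATION_ALLOWLIST):
    """Start a GSS client context, asking for delegation only when allowlisted.

    Returns (rc, ctx, delegated); delegated is None when the binding takes
    one argument and the caller cannot tell what it requests.
    """
    want = service in allowlist
    try:
        # Two-argument form described in the thread.
        rc, ctx = krb.authGSSClientInit(service, want)
        return rc, ctx, want
    except TypeError:
        # One-argument binding. A TypeError raised for another reason would
        # also land here; a real caller should probe the signature once.
        if want:
            raise DelegationUnsupported(service) from None
        rc, ctx = krb.authGSSClientInit(service)
        return rc, ctx, None


class PatchedBinding:
    """Hypothetical stand-in for a binding with the optional second argument."""
    def __init__(self):
        self.calls = []

    def authGSSClientInit(self, service, delegate=False):
        self.calls.append((service, bool(delegate)))
        return 1, object()  # constructed success code and context


class OneArgBinding:
    """Hypothetical stand-in for a binding without that argument."""
    def __init__(self):
        self.calls = []

    def authGSSClientInit(self, service):
        self.calls.append((service,))
        return 1, object()
```

With a one-argument binding the wrapper refuses an allowlisted service instead of guessing, because in that case the binding, not the caller, decides whether the ticket is delegated.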