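    def kinit(self, principal, password, ccache_name, use_armor=True):
        """Obtain a TGT for *principal* with *password* into *ccache_name*.

        When *use_armor* is true, an anonymous ccache is first obtained via
        kinit_armor() (PKINIT, anchored on paths.KDC_CERT / KDC_CA_BUNDLE_PEM)
        and passed as the FAST armor for the password kinit, which is what
        makes OTP / 2FA authentication possible.  If obtaining the armor
        fails, an error is logged and the password kinit proceeds unarmored.

        The kinit is done with enterprise=True and the configured
        self.api.env.kinit_lifetime.

        Raises (mapped from the text of the kinit RuntimeError):
            PasswordExpired, KrbPrincipalExpired, UserLocked,
            KrbPrincipalWrongFAST; any other kinit failure becomes
            InvalidSessionPassword.
        """
        armor_path = None
        if use_armor:
            # Per-process armor ccache under IPA_CCACHES; the PID suffix keeps
            # concurrent workers from sharing a file.
            armor_path = os.path.join(paths.IPA_CCACHES,
                                      "armor_{}".format(os.getpid()))

            logger.debug('Obtaining armor in ccache %s', armor_path)

            try:
                kinit_armor(
                    armor_path,
                    pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
                )
            except RuntimeError as e:
                logger.error("Failed to obtain armor cache")
                # Keep the underlying reason available for troubleshooting.
                logger.debug("kinit_armor failed: %s", e)
                # We try to continue w/o armor, 2FA will be impacted
                armor_path = None

        try:
            kinit_password(unicode(principal),
                           password,
                           ccache_name,
                           armor_ccache_name=armor_path,
                           enterprise=True,
                           lifetime=self.api.env.kinit_lifetime)
        except RuntimeError as e:
            # The mapping relies on the exact wording of the kinit error text;
            # any message that matches none of the patterns falls through to
            # InvalidSessionPassword.
            if ('kinit: Cannot read password while '
                    'getting initial credentials') in str(e):
                raise PasswordExpired(principal=principal, message=unicode(e))
            elif ('kinit: Client\'s entry in database'
                  ' has expired while getting initial credentials') in str(e):
                raise KrbPrincipalExpired(principal=principal,
                                          message=unicode(e))
            elif ('kinit: Clients credentials have been revoked '
                  'while getting initial credentials') in str(e):
                raise UserLocked(principal=principal, message=unicode(e))
            elif ('kinit: Error constructing AP-REQ armor: '
                  'Matching credential not found') in str(e):
                raise KrbPrincipalWrongFAST(principal=principal)
            raise InvalidSessionPassword(principal=principal,
                                         message=unicode(e))
        finally:
            # Destroy the armor ccache on every exit path.  Doing this only on
            # success (as before) left armor_<pid> behind on disk whenever the
            # password kinit failed, e.g. on a wrong or expired password.
            if armor_path:
                logger.debug('Cleanup the armor ccache')
                ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
                            env={'KRB5CCNAME': armor_path},
                            raiseonerr=False)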
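    def kinit(self, principal, password, ccache_name):
        """Obtain a TGT for *principal* with *password* into *ccache_name*.

        An anonymous ccache is first obtained via kinit_armor() (PKINIT,
        anchored on paths.KDC_CERT / KDC_CA_BUNDLE_PEM) and passed as the
        FAST armor for the password kinit, which is what makes OTP / 2FA
        authentication possible.  If obtaining the armor fails, an error is
        logged and the password kinit proceeds unarmored.

        The kinit is done with enterprise=True and the configured
        self.api.env.kinit_lifetime.

        Raises (mapped from the text of the kinit RuntimeError):
            PasswordExpired, KrbPrincipalExpired, UserLocked; any other
            kinit failure becomes InvalidSessionPassword.
        """
        # Per-process armor ccache under IPA_CCACHES; the PID suffix keeps
        # concurrent workers from sharing a file.
        armor_path = os.path.join(paths.IPA_CCACHES,
                                  "armor_{}".format(os.getpid()))

        self.debug('Obtaining armor in ccache %s', armor_path)

        try:
            kinit_armor(
                armor_path,
                pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
            )
        except RuntimeError as e:
            self.error("Failed to obtain armor cache")
            # Keep the underlying reason available for troubleshooting.
            self.debug("kinit_armor failed: %s", e)
            # We try to continue w/o armor, 2FA will be impacted
            armor_path = None

        try:
            kinit_password(
                unicode(principal),
                password,
                ccache_name,
                armor_ccache_name=armor_path,
                enterprise=True,
                lifetime=self.api.env.kinit_lifetime)
        except RuntimeError as e:
            # The mapping relies on the exact wording of the kinit error text;
            # any message that matches none of the patterns falls through to
            # InvalidSessionPassword.
            if ('kinit: Cannot read password while '
                    'getting initial credentials') in str(e):
                raise PasswordExpired(principal=principal, message=unicode(e))
            elif ('kinit: Client\'s entry in database'
                  ' has expired while getting initial credentials') in str(e):
                raise KrbPrincipalExpired(principal=principal,
                                          message=unicode(e))
            elif ('kinit: Clients credentials have been revoked '
                  'while getting initial credentials') in str(e):
                raise UserLocked(principal=principal,
                                 message=unicode(e))
            raise InvalidSessionPassword(principal=principal,
                                         message=unicode(e))
        finally:
            # Destroy the armor ccache on every exit path.  Doing this only on
            # success (as before) left armor_<pid> behind on disk whenever the
            # password kinit failed, e.g. on a wrong or expired password.
            if armor_path:
                self.debug('Cleanup the armor ccache')
                ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
                            env={'KRB5CCNAME': armor_path}, raiseonerr=False)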
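    def kinit(self, user, realm, password, ccache_name):
        """Obtain a TGT for *user*@*realm* with *password* into *ccache_name*.

        An anonymous ccache is first obtained via kinit_armor() and passed as
        the FAST armor for the password kinit, which is what makes OTP / 2FA
        authentication possible.  If obtaining the armor fails, an error is
        logged and the password kinit proceeds unarmored.

        The principal is built with krb5_format_principal_name(user, realm).

        Raises (mapped from the text of the kinit RuntimeError):
            PasswordExpired, KrbPrincipalExpired, UserLocked; any other
            kinit failure becomes InvalidSessionPassword.
        """
        # Per-process armor ccache under IPA_CCACHES; the PID suffix keeps
        # concurrent workers from sharing a file.
        armor_path = os.path.join(paths.IPA_CCACHES,
                                  "armor_{}".format(os.getpid()))

        self.debug('Obtaining armor in ccache %s', armor_path)

        try:
            kinit_armor(armor_path)
        except RuntimeError as e:
            self.error("Failed to obtain armor cache")
            # Keep the underlying reason available for troubleshooting.
            self.debug("kinit_armor failed: %s", e)
            # We try to continue w/o armor, 2FA will be impacted
            armor_path = None

        # Format the user as a kerberos principal
        principal = krb5_format_principal_name(user, realm)

        try:
            kinit_password(principal,
                           password,
                           ccache_name,
                           armor_ccache_name=armor_path)
        except RuntimeError as e:
            # The mapping relies on the exact wording of the kinit error text;
            # any message that matches none of the patterns falls through to
            # InvalidSessionPassword.
            if ('kinit: Cannot read password while '
                    'getting initial credentials') in str(e):
                raise PasswordExpired(principal=principal, message=unicode(e))
            elif ('kinit: Client\'s entry in database'
                  ' has expired while getting initial credentials') in str(e):
                raise KrbPrincipalExpired(principal=principal,
                                          message=unicode(e))
            elif ('kinit: Clients credentials have been revoked '
                  'while getting initial credentials') in str(e):
                raise UserLocked(principal=principal, message=unicode(e))
            raise InvalidSessionPassword(principal=principal,
                                         message=unicode(e))
        finally:
            # Destroy the armor ccache on every exit path.  Doing this only on
            # success (as before) left armor_<pid> behind on disk whenever the
            # password kinit failed, e.g. on a wrong or expired password.
            if armor_path:
                self.debug('Cleanup the armor ccache')
                ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
                            env={'KRB5CCNAME': armor_path},
                            raiseonerr=False)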