def kinit(self, principal, password, ccache_name, use_armor=True): if use_armor: # get anonymous ccache as an armor for FAST to enable OTP auth armor_path = os.path.join(paths.IPA_CCACHES, "armor_{}".format(os.getpid())) logger.debug('Obtaining armor in ccache %s', armor_path) try: kinit_armor( armor_path, pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], ) except RuntimeError as e: logger.error("Failed to obtain armor cache") # We try to continue w/o armor, 2FA will be impacted armor_path = None else: armor_path = None try: kinit_password(unicode(principal), password, ccache_name, armor_ccache_name=armor_path, enterprise=True, lifetime=self.api.env.kinit_lifetime) if armor_path: logger.debug('Cleanup the armor ccache') ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], env={'KRB5CCNAME': armor_path}, raiseonerr=False) except RuntimeError as e: if ('kinit: Cannot read password while ' 'getting initial credentials') in str(e): raise PasswordExpired(principal=principal, message=unicode(e)) elif ('kinit: Client\'s entry in database' ' has expired while getting initial credentials') in str(e): raise KrbPrincipalExpired(principal=principal, message=unicode(e)) elif ('kinit: Clients credentials have been revoked ' 'while getting initial credentials') in str(e): raise UserLocked(principal=principal, message=unicode(e)) elif ('kinit: Error constructing AP-REQ armor: ' 'Matching credential not found') in str(e): raise KrbPrincipalWrongFAST(principal=principal) raise InvalidSessionPassword(principal=principal, message=unicode(e))
def kinit(self, principal, password, ccache_name): # get anonymous ccache as an armor for FAST to enable OTP auth armor_path = os.path.join(paths.IPA_CCACHES, "armor_{}".format(os.getpid())) self.debug('Obtaining armor in ccache %s', armor_path) try: kinit_armor( armor_path, pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], ) except RuntimeError as e: self.error("Failed to obtain armor cache") # We try to continue w/o armor, 2FA will be impacted armor_path = None try: kinit_password( unicode(principal), password, ccache_name, armor_ccache_name=armor_path, enterprise=True, lifetime=self.api.env.kinit_lifetime) if armor_path: self.debug('Cleanup the armor ccache') ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], env={'KRB5CCNAME': armor_path}, raiseonerr=False) except RuntimeError as e: if ('kinit: Cannot read password while ' 'getting initial credentials') in str(e): raise PasswordExpired(principal=principal, message=unicode(e)) elif ('kinit: Client\'s entry in database' ' has expired while getting initial credentials') in str(e): raise KrbPrincipalExpired(principal=principal, message=unicode(e)) elif ('kinit: Clients credentials have been revoked ' 'while getting initial credentials') in str(e): raise UserLocked(principal=principal, message=unicode(e)) raise InvalidSessionPassword(principal=principal, message=unicode(e))
def kinit(self, user, realm, password, ccache_name): # get anonymous ccache as an armor for FAST to enable OTP auth armor_path = os.path.join(paths.IPA_CCACHES, "armor_{}".format(os.getpid())) self.debug('Obtaining armor in ccache %s', armor_path) try: kinit_armor(armor_path) except RuntimeError as e: self.error("Failed to obtain armor cache") # We try to continue w/o armor, 2FA will be impacted armor_path = None # Format the user as a kerberos principal principal = krb5_format_principal_name(user, realm) try: kinit_password(principal, password, ccache_name, armor_ccache_name=armor_path) if armor_path: self.debug('Cleanup the armor ccache') ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], env={'KRB5CCNAME': armor_path}, raiseonerr=False) except RuntimeError as e: if ('kinit: Cannot read password while ' 'getting initial credentials') in str(e): raise PasswordExpired(principal=principal, message=unicode(e)) elif ('kinit: Client\'s entry in database' ' has expired while getting initial credentials') in str(e): raise KrbPrincipalExpired(principal=principal, message=unicode(e)) elif ('kinit: Clients credentials have been revoked ' 'while getting initial credentials') in str(e): raise UserLocked(principal=principal, message=unicode(e)) raise InvalidSessionPassword(principal=principal, message=unicode(e))