def obtain_or_renew_ticket(principal, password=None, renew_life=None, keytab=False):
    """Ensure the credentials cache holds a TGT for *principal*.

    When the cache already has an entry for the principal, a renewal is
    attempted first and the function returns as soon as it succeeds. If the
    renewal raises ``krb5.KrbException`` the error is dropped and a fresh TGT
    is requested instead.

    Args:
        principal: Client principal the ticket is requested for.
        password: Password used when ``keytab`` is falsy. It is passed to
            ``obtain_tgt_password`` unchanged, including the default ``None``.
        renew_life: Forwarded as ``renew_life`` to the obtain call.
        keytab: When truthy, authenticate with ``/etc/krb5.keytab`` instead of
            the password.

    Raises:
        krb5.KrbException: If the new TGT's start time differs from
            ``datetime.now()`` by more than 300 seconds, or whatever the
            obtain calls raise themselves.
    """
    context = krb5.Context()
    ccache = krb5.CredentialsCache(context)

    if have_ticket(principal):
        try:
            ccache.add(context.renew_tgt(principal, ccache))
            return
        except krb5.KrbException:
            # Best effort: a failed renewal falls through to a fresh request.
            # NOTE(review): the failure is not logged, so expired or
            # non-renewable tickets are invisible to operators.
            pass

    if keytab:
        # NOTE(review): generate_keytab opens the same file as
        # name='FILE:/etc/krb5.keytab'; confirm the positional form here
        # resolves to the same keytab.
        host_keytab = krb5.Keytab(context, '/etc/krb5.keytab')
        ticket = context.obtain_tgt_keytab(principal, host_keytab, renew_life=renew_life)
    else:
        # NOTE(review): with keytab falsy and no password given, None is
        # passed to the library; confirm that fails cleanly.
        ticket = context.obtain_tgt_password(principal, password, renew_life=renew_life)

    # A ticket outside the 300 second window is rejected before it reaches the
    # cache. NOTE(review): datetime.now() is naive local time; confirm
    # tgt.starttime uses the same convention.
    skew_seconds = abs((ticket.starttime - datetime.now()).total_seconds())
    if skew_seconds > 300:
        raise krb5.KrbException("Clock skew too great")

    ccache.add(ticket)
def generate_keytab(datastore):
    """Rebuild the system keytab from the keytabs stored in the datastore.

    The file keytab at ``/etc/krb5.keytab`` is emptied, then every entry of
    every record returned by ``datastore.query('kerberos.keytabs')`` is added
    to it.

    Args:
        datastore: Object whose ``query('kerberos.keytabs')`` yields records
            carrying the keytab contents under the ``'keytab'`` key.
    """
    context = krb5.Context()
    system_keytab = krb5.Keytab(context, name='FILE:/etc/krb5.keytab')

    # NOTE(review): the keytab is cleared before any stored keytab has been
    # read or parsed. If the query or a Keytab(...) call raises part-way, the
    # host is left with an empty or partial keytab. Consider validating all
    # records before clearing.
    system_keytab.clear()

    for record in datastore.query('kerberos.keytabs'):
        stored = krb5.Keytab(context, contents=record['keytab'])
        for entry in stored.entries:
            system_keytab.add(entry)
def have_ticket(principal):
    """Return True if the credentials cache has an entry for *principal*.

    Only the entry's ``client`` is compared with the principal. Nothing here
    inspects ticket lifetime, so an entry counts even if it has expired.
    """
    context = krb5.Context()
    ccache = krb5.CredentialsCache(context)
    return any(cred.client == principal for cred in ccache.entries)
def query(self, filter=None, params=None):
    """Query stored keytabs, returning entry metadata instead of raw contents.

    Each record from ``kerberos.keytabs`` is passed through ``extend``, which
    adds an ``'entries'`` list (``vno``, ``principal``, ``enctype`` per entry)
    and removes the raw ``'keytab'`` field.

    Args:
        filter: Optional sequence unpacked as positional arguments to
            ``q.query``.
        params: Optional mapping unpacked as keyword arguments to ``q.query``.

    Returns:
        Whatever ``q.query(..., stream=True)`` returns for the extended records.
    """
    context = krb5.Context()

    def extend(keytab):
        """Attach parsed entry metadata to the record and drop its raw contents."""
        summaries = []
        keytab['entries'] = summaries

        try:
            parsed = krb5.Keytab(context, contents=keytab['keytab'])
            for item in parsed.entries:
                summaries.append({
                    'vno': item.vno,
                    'principal': item.principal,
                    'enctype': item.enctype
                })
        except krb5.KrbException:
            # An unparsable keytab is still returned. Its 'entries' list keeps
            # whatever was collected before the failure, possibly nothing.
            pass

        # Always strip the raw keytab contents so they never leave through
        # this query. Keep this outside the try block.
        del keytab['keytab']
        return keytab

    records = self.datastore.query('kerberos.keytabs', callback=extend)
    return q.query(records, *(filter or []), stream=True, **(params or {}))