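def save_principals(self, keytab):
    """Extract the principals from an uploaded keytab and persist them.

    The upload (``self.cleaned_data["keytab_file"]``, base64-encoded) is
    written to a private temporary file and listed with ``ktutil``; every
    listing row that matches the ``vno enctype principal date`` layout
    becomes one ``models.KerberosPrincipal`` linked to ``keytab``.

    Args:
        keytab: the parent keytab record the principals are attached to.
            A falsy value short-circuits to ``False``.

    Returns:
        ``True`` if the last row that matched the pattern was saved;
        ``False`` when there is nothing to attach to, the upload is not
        valid base64, ``ktutil`` exits non-zero, no row matches, or the
        last matching row failed to save (the flag is last-write-wins,
        as in the original).
    """
    if not keytab:
        return False
    keytab_file = self.cleaned_data.get("keytab_file")
    # One ktutil row: "<vno> <enctype>[ (kvno)] <principal> <date>".
    # Raw string so the regex escapes are not re-interpreted by Python.
    regex = re.compile(
        r'^(\d+)\s+([\w-]+(\s+\(\d+\))?)\s+([^\s]+)\s+([\d+\-]+)(\s+)?$'
    )
    try:
        decoded = base64.b64decode(keytab_file)
    except (TypeError, ValueError) as e:
        # binascii.Error is a ValueError; a missing upload raises TypeError.
        log.debug("save_principals(): %s", e)
        return False
    # mkstemp creates the file atomically with mode 0600. mktemp only
    # returned a name, leaving a window in which another local user could
    # pre-create or symlink the path before the keytab bytes landed in it.
    (fd, tmpfile) = tempfile.mkstemp(dir="/tmp")
    try:
        # Binary mode: the decoded keytab is bytes, not text.
        with os.fdopen(fd, 'wb') as f:
            f.write(decoded)
        (res, out, err) = run("/usr/sbin/ktutil -vk '%s' list" % tmpfile)
    finally:
        # Always remove the keytab copy, even if run() raises.
        os.unlink(tmpfile)
    if res != 0:
        log.debug("save_principals(): %s", err)
        return False
    lines = out.splitlines()
    if not lines:
        return False
    ret = False
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = regex.match(line)
        if not m:
            continue
        try:
            kp = models.KerberosPrincipal()
            kp.principal_keytab = keytab
            kp.principal_version = int(m.group(1))
            kp.principal_encryption = m.group(2)
            kp.principal_name = m.group(4)
            kp.principal_timestamp = m.group(5)
            kp.save()
            ret = True
        except Exception as e:
            # Best-effort per row, as before: log and keep going.
            log.debug("save_principals(): %s", e)
            ret = False
    return ret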
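def get_kerberos_ticket(self):
    """Make sure the credential cache holds a TGT for this directory binding.

    Tries, in order:

    1. the keytab path: if ``self.keytab_principal`` is set and the cache
       does not already name it, ``kinit -k -t <keytab_file> <principal>``;
    2. the password path: if ``self.krb_realm``, ``self.binddn`` and
       ``self.bindpw`` are all set, resolve the bind DN to its ``uid`` and
       run ``kinit --password-file=<tmp> uid@REALM`` with the bind password
       written to a private temporary file for the duration of the call.

    After a successful kinit the method waits up to ``self.timeout``
    seconds (polling once per second) for the ticket to appear in the
    cache; the result is already ``True`` at that point, so the wait only
    delays the return (kept as in the original).

    Returns:
        ``True`` when a matching ticket was already cached or kinit exited
        0; ``False`` when neither strategy is configured, the bind DN does
        not resolve, or kinit failed.
    """
    # run() is handed a shell command line (the ktutil call in this class
    # single-quotes its path), so every operand is quoted here to keep a
    # principal, realm, uid or path containing shell metacharacters from
    # being interpreted by the shell.
    try:
        from shlex import quote
    except ImportError:  # Python 2
        from pipes import quote

    res = False
    kinit = False
    if self.keytab_principal:
        krb_principal = self.get_kerberos_principal_from_cache()
        if (krb_principal and
                krb_principal.upper() == self.keytab_principal.upper()):
            return True
        args = [
            "/usr/bin/kinit",
            "--renewable",
            "-k",
            "-t", quote(self.keytab_file),
            quote(self.keytab_principal),
        ]
        (returncode, stdout, stderr) = run(' '.join(args), timeout=self.timeout)
        if returncode == 0:
            kinit = True
            res = True
    elif self.krb_realm and self.binddn and self.bindpw:
        user = self.get_user_by_DN(self.binddn)
        if not user:
            # Previously an unresolved DN surfaced as a TypeError on user[1].
            log.debug("get_kerberos_ticket(): no entry for %s", self.binddn)
            return False
        try:
            uid = user[1]['uid'][0].decode('utf-8')
        except Exception:
            uid = user[1]['uid'][0]
        try:
            bindpw = self.bindpw.encode('utf-8')
        except Exception:
            bindpw = self.bindpw
        krb_principal = self.get_kerberos_principal_from_cache()
        principal = "%s@%s" % (uid, self.krb_realm)
        if krb_principal and krb_principal.upper() == principal.upper():
            return True
        # mkstemp creates the password file with mode 0600 and we keep it
        # that way. The previous fchmod(fd, 0o777) made the bind password
        # world-readable in /tmp for the lifetime of the kinit call. run()
        # is invoked from this process, so unless it switches users a
        # private file is sufficient. NOTE(review): if kinit ever has to
        # run as another uid, chown the file rather than widening its mode.
        (fd, fname) = tempfile.mkstemp(dir="/tmp", text=True)
        try:
            try:
                os.fchmod(fd, 0o600)
                os.write(fd, bindpw)
            finally:
                os.close(fd)
            args = [
                "/usr/bin/kinit",
                "--renewable",
                "--password-file=%s" % quote(fname),
                quote(principal),
            ]
            (returncode, stdout, stderr) = run(' '.join(args), timeout=self.timeout)
        finally:
            # Remove the password file even if run() raises (e.g. on timeout).
            os.unlink(fname)
        if returncode == 0:
            kinit = True
            res = True
    if kinit:
        # Give the cache up to self.timeout seconds to reflect the ticket.
        waited = 0
        while waited < self.timeout:
            if self.kerberos_cache_has_ticket():
                res = True
                break
            time.sleep(1)
            waited += 1
    return res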