def acquire_service_ticket(service, host, keytab_path=None, acquire_tgt_automatically=True):
    """Make sure a ticket for service/host is available, requesting one if needed.

    Example:
        acquire_service_ticket("HTTP", "jinx.lindenlab.com")
    requests a ticket for HTTP/jinx.lindenlab.com.

    Nothing is requested when have_service_ticket() already reports a valid
    ticket. Otherwise the ticket is requested through the login principal,
    i.e. with the TGT the user obtained by running "kinit". When have_tgt()
    reports no valid TGT and acquire_tgt_automatically is true, credentials
    are obtained first: from keytab_path when one is given, else through
    acquire_tgt() (described by the original documentation as prompting for
    a password, as if kinit were run).

    Args:
        service: Service part of the principal name, e.g. "HTTP".
        host: Host part of the principal name.
        keytab_path: Optional path to a keytab. A keytab stores long-term
            keys, so the file should be readable only by the account that
            runs this code.
        acquire_tgt_automatically: When false, no attempt is made to obtain
            a TGT; the ticket request below is still issued.

    Returns:
        True if a valid ticket was already cached, False if acquire_tgt()
        failed, otherwise the result of get_service_ticket() on the login
        principal (the original documentation describes this as True on
        success and False on failure).
    """
    # Fast path: a valid ticket is already cached.
    if have_service_ticket(service, host):
        return True

    # have_tgt() is evaluated first, exactly as in the nested original.
    if not have_tgt() and acquire_tgt_automatically:
        if keytab_path:
            spn = "%s/%s" % (service, host)
            # NOTE(review): this object is replaced by the login principal
            # below and never used directly; presumably constructing it with
            # kt_path populates the credential cache -- confirm. It also
            # authenticates as the service principal itself -- confirm that
            # this is the intended identity.
            principal = krb5.Principal(name=spn, kt_path=keytab_path)
        else:
            if not acquire_tgt():
                return False

    # NOTE(review): this lookup is not wrapped in try/except, while
    # have_tgt() and have_service_ticket() treat RuntimeError from the same
    # call as "no principal"; a RuntimeError here would reach the caller
    # instead of becoming False -- confirm that callers expect this.
    principal = krb5.get_login_principal()
    # Argument order is (host, service), the reverse of this function's own.
    return principal.get_service_ticket(host, service)
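def have_tgt():
    """Report whether the login principal holds an unexpired TGT.

    Fetches the login principal, walks its credentials and returns True for
    the first one whose server name starts with "krbtgt/" and which
    _cred_expired() does not report as expired.

    Returns:
        True if such a credential exists, otherwise False. A RuntimeError
        raised by krb5 is also reported as False, so "no TGT" and "the
        credentials could not be read" are indistinguishable to the caller.
    """
    try:
        principal = krb5.get_login_principal()
        # Having a login principal does not by itself mean a TGT is cached,
        # so every credential is inspected.
        for cred in principal.get_credentials():
            # Prefix match only: the realm part of the server name is not
            # compared, so a cross-realm TGT (krbtgt/OTHER@REALM) counts too.
            if cred.server.startswith("krbtgt/") and not _cred_expired(cred):
                return True
    except RuntimeError:
        # krb5 uses this exception type to indicate that something went wrong.
        return False
    # No unexpired TGT found: answer with an explicit False instead of
    # falling off the end, matching have_service_ticket().
    return False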
def have_service_ticket(service, host):
    """Tell whether an unexpired ticket for service/host is already cached.

    The name looked for is "service/host@REALM", with REALM taken from
    krb5.get_default_realm(). The comparison is an exact string match, so a
    ticket for the same service in another realm, or one whose name differs
    only in letter case, is not counted.

    Returns:
        True if the login principal's credentials include such a ticket and
        _cred_expired() does not report it as expired, otherwise False (also
        when no login principal can be obtained).
    """
    try:
        login = krb5.get_login_principal()
    except RuntimeError:
        # No usable login principal, hence no cached ticket.
        return False

    wanted = "%s/%s@%s" % (service, host, krb5.get_default_realm())
    # NOTE(review): get_default_realm() and get_credentials() run outside the
    # try block, unlike in have_tgt(); a RuntimeError from either would
    # propagate to the caller -- confirm whether that is intended.
    return any(
        cred.server == wanted and not _cred_expired(cred)
        for cred in login.get_credentials()
    )