Unverified Commit 04a8299b authored by Rafael Guterres Jeffman, committed by GitHub

Merge pull request #733 from t-woerner/ipaclient_get_otp_no_gssapi

ipaclient_get_keytab: Do not use gssapi for kinit_keytab
parents 78091e22 b0252fb5
...@@ -65,7 +65,6 @@ Requirements ...@@ -65,7 +65,6 @@ Requirements
**Controller** **Controller**
* Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection) * Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
* /usr/bin/kinit is required on the controller if a one time password (OTP) is used * /usr/bin/kinit is required on the controller if a one time password (OTP) is used
* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
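Review bot: the retained line "/usr/bin/kinit is required on the controller if a one time password (OTP) is used" now silently covers the keytab case that this hunk stops listing under python3-gssapi; spell that out, e.g. "... if a one time password (OTP) is used, with a password or with a keytab", so readers coming from the old README know the keytab path has no separate dependency any more.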
...@@ -285,7 +284,8 @@ ipaserver_domain=test.local ...@@ -285,7 +284,8 @@ ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL ipaserver_realm=TEST.LOCAL
``` ```
For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server. It is needed to have the python-gssapi bindings installed on the controller for this. For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server.
To enable the generation of the one-time-password: To enable the generation of the one-time-password:
```yaml ```yaml
[ipaclients:vars] [ipaclients:vars]
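Review bot: the kept sentence has a grammar slip ("a auto-generated one-time-password" should read "an auto-generated one-time password") and "using the (first) server" is vague about what happens on the controller; since this hunk removes the python-gssapi mention, this is the place to say that the controller only needs the /usr/bin/kinit already listed under Requirements to obtain the ticket used to generate the OTP.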
...@@ -33,7 +33,6 @@ Requirements ...@@ -33,7 +33,6 @@ Requirements
**Controller** **Controller**
* Ansible version: 2.8+ * Ansible version: 2.8+
* /usr/bin/kinit is required on the controller if a one time password (OTP) is used * /usr/bin/kinit is required on the controller if a one time password (OTP) is used
* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab
**Node** **Node**
* Supported FreeIPA version (see above) * Supported FreeIPA version (see above)
...@@ -21,10 +21,6 @@ from __future__ import (absolute_import, division, print_function) ...@@ -21,10 +21,6 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type __metaclass__ = type
try:
import gssapi
except ImportError:
gssapi = None
import os import os
import shutil import shutil
import subprocess import subprocess
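Review bot: with the try/except import gone, confirm that no other reference to the name `gssapi` survives in this module (the `if gssapi is None:` guard is dropped in the next hunk, but any mention in the module's DOCUMENTATION or requirements text would now be stale and would raise a NameError if it were code); also note that the ImportError raised for a missing python3-gssapi disappears, so a missing /usr/bin/kinit becomes the failure case the module has to report clearly.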
...@@ -82,22 +78,17 @@ def kinit_keytab(principal, keytab, ccache_name, config): ...@@ -82,22 +78,17 @@ def kinit_keytab(principal, keytab, ccache_name, config):
It uses the specified config file to kinit and stores the TGT It uses the specified config file to kinit and stores the TGT
in ccache_name. in ccache_name.
""" """
if gssapi is None: args = ["/usr/bin/kinit", "-kt", keytab, "-c", ccache_name, principal]
raise ImportError("gssapi is not available")
old_config = os.environ.get('KRB5_CONFIG') old_config = os.environ.get('KRB5_CONFIG')
os.environ['KRB5_CONFIG'] = config os.environ["KRB5_CONFIG"] = config
try: try:
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal) return run_cmd(args)
store = {'ccache': ccache_name,
'client_keytab': keytab}
cred = gssapi.Credentials(name=name, store=store, usage='initiate')
return cred
finally: finally:
if old_config is not None: if old_config is not None:
os.environ['KRB5_CONFIG'] = old_config os.environ["KRB5_CONFIG"] = old_config
else: else:
os.environ.pop('KRB5_CONFIG', None) os.environ.pop("KRB5_CONFIG", None)
KRB5CONF_TEMPLATE = """ KRB5CONF_TEMPLATE = """
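Review bot: the return value of `kinit_keytab` changes from a `gssapi.Credentials` object to whatever `run_cmd(args)` returns, and `run_cmd` is not visible in this hunk, so check every caller that used the returned credentials object and make sure a non-zero exit status from `kinit` is surfaced as a failure rather than swallowed; the docstring still only says it "stores the TGT in ccache_name", so document the new return value there. Separately, mutating `os.environ["KRB5_CONFIG"]` to steer a child process is a process-global side effect that is not thread-safe; if `run_cmd` can accept an environment, passing `dict(os.environ, KRB5_CONFIG=config)` as the subprocess env removes the need for the save/restore in the `finally` block.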