ansible_freeipa_module: Better support for KRB5CCNAME environment variable

The use of gssapi.creds.Credentials is not good if krb5 ticket forwarding is used. It will fail. gssapi.Credentials with usage and store is the proper way to do this.

ansible_freeipa_module: Better support for KRB5CCNAME environment variable
e77f4daa · Thomas Woerner · 8da4b73b · e77f4daa
Commit e77f4daa authored 5 years ago by Thomas Woerner
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -50,10 +50,12 @@ def valid_creds(module, principal):
    Get valid credintials matching the princial, try GSSAPI first
    """
    if "KRB5CCNAME" in os.environ:
-        module.debug('KRB5CCNAME set to %s' %
+        ccache = os.environ["KRB5CCNAME"]
-                     os.environ.get('KRB5CCNAME', None))
+        module.debug('KRB5CCNAME set to %s' % ccache)
        try:
-            cred = gssapi.creds.Credentials()
+            cred = gssapi.Credentials(usage='initiate',
+                                      store={'ccache': ccache})
        except gssapi.raw.misc.GSSError as e:
            module.fail_json(msg='Failed to find default ccache: %s' % e)
        else: