From e77f4daaa968f128b8b229a2df1945334047fe81 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 2 Dec 2019 15:51:00 +0100
Subject: [PATCH] ansible_freeipa_module: Better support for KRB5CCNAME
 environment variable

The use of gssapi.creds.Credentials is not good if krb5 ticket forwarding
is used. It will fail. gssapi.Credentials with usage and store is the proper
way to do this.
---
 plugins/module_utils/ansible_freeipa_module.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py
index 7977a8ea..78895c57 100644
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -50,10 +50,12 @@ def valid_creds(module, principal):
     Get valid credintials matching the princial, try GSSAPI first
     """
     if "KRB5CCNAME" in os.environ:
-        module.debug('KRB5CCNAME set to %s' %
-                     os.environ.get('KRB5CCNAME', None))
+        ccache = os.environ["KRB5CCNAME"]
+        module.debug('KRB5CCNAME set to %s' % ccache)
+
         try:
-            cred = gssapi.creds.Credentials()
+            cred = gssapi.Credentials(usage='initiate',
+                                      store={'ccache': ccache})
         except gssapi.raw.misc.GSSError as e:
             module.fail_json(msg='Failed to find default ccache: %s' % e)
         else:
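Review bot: The failure message in the `except` branch still reads 'Failed to find default ccache', although the new `gssapi.Credentials(usage='initiate', store={'ccache': ccache})` call acquires from the cache named by KRB5CCNAME, so a failure would be reported against the wrong cache; naming it makes the error actionable, e.g. `module.fail_json(msg='Failed to acquire credentials from ccache %s: %s' % (ccache, e))`. The guard `"KRB5CCNAME" in os.environ` is also true for an empty value, which would then be handed to the credential store as the cache name; `if os.environ.get("KRB5CCNAME"):` would skip that case and presumably fall through to the rest of valid_creds. As far as I recall, python-gssapi raises NotImplementedError rather than GSSError when `store` is passed on a GSSAPI build without the credential-store extension, which this handler would not catch, so that is worth confirming against the supported platforms. The `else:` branch and the remainder of valid_creds lie outside the hunk.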
-- 
GitLab