#747 gssapi keytab login fails on rhel7
Closed: Fixed a year ago Opened 2 years ago by mikem.

e.g. https://jenkins.fedorainfracloud.org/job/koji/635/label=EL7/console

======================================================================
ERROR: test_gssapi_login_keytab (test_gssapi.TestGSSAPI)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/srv/jenkins/workspace/koji/label/EL7/tests/test_lib/test_gssapi.py", line 37, in test_gssapi_login_keytab
    self.session.gssapi_login(principal, keytab, ccache)
  File "/srv/jenkins/workspace/koji/label/EL7/koji/__init__.py", line 2259, in gssapi_login
    self.opts['auth'] = HTTPKerberosAuth(**kwargs)
TypeError: __init__() got an unexpected keyword argument 'principal'

As @puiterwijk pointed out to me, this is because of the very old version of python-requests-kerberos (0.7.0) in epel7, which he plans on updating very soon.

The principal parameter is only passed if it is not None, so this shouldn't break normal gssapi auth on el7, just keytab auth, and only until the epel7 package is updated.

So, this not a 1.15 blocker.

I'm not sure we if want to support this version of the library, but perhaps it would be nice if we checked the library version and gave a better error than the one above.

In practice, on rhel7, the code will fail gssapi auth, but then fall through to the old kerberos auth, which succeeds.

[root@46c20d2bc4b6 koji]# PYTHONPATH=. cli/koji --debug -p stg --keytab /root/mikem.stg.keytab --principal mikem@STG.FEDORAPROJECT.ORG hello
2017-12-13 02:10:09,968 [DEBUG] koji: Opening new requests session
2017-12-13 02:10:09,972 [DEBUG] koji: Opening new requests session
2017-12-13 02:10:09,972 [DEBUG] koji: gssapi auth failed: TypeError: __init__() got an unexpected keyword argument 'principal'

2017-12-13 02:10:13,322 [DEBUG] koji: Using server principal: host/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
successfully connected to hub
bonjour, mikem!

You are using the hub at https://koji.stg.fedoraproject.org/kojihub
Authenticated via Kerberos principal mikem@STG.FEDORAPROJECT.ORG

@puiterwijk is the python-gssapi update for epel7 tracked anywhere?

I'm curious how you got a Fedora keytab :)

Commit becc88c fixes this issue

Commit af1a858 relates to this ticket

Metadata Update from @mikem:
- Issue set to the milestone: 1.16

a year ago

Login to comment on this ticket.

Metadata