tkdchen / python-krbcontext

Moved to krbcontext organization. New repository is https://github.com/krbcontext/python-krbcontext
GNU General Public License v3.0

Credentials cache permissions incorrect #9

Closed T0MASD closed 10 years ago

T0MASD commented 10 years ago

Hi. Firstly, thanks for the tool. I'm using krbcontext with a keytab on my Pyramid app:

    with krbcontext(using_keytab=True,
                    principal=settings['krbcontext_principal'],
                    keytab_file=settings['krbcontext_keytab_file'],
                    ):
        gssapiTransport = HTTPSGssapiTransport(settings['krb_domain'], verbose=0)
        server = xmlrpclib.ServerProxy(settings['rpc_url'], transport=gssapiTransport)

All goes well, a krb credential cache is created as /tmp/krb5cc_48:

    -rw-------. 1 apache apache 1306 Mar 10 09:46 /tmp/krb5cc_48

However once the credential cache expires, krbcontext doesn't seem to be renewing it properly:

    [Mon Mar 10 09:15:14 2014] [error]    File "/apps/keel/keel/helpers/user.py", line 29, in orgchart_query
    [Mon Mar 10 09:15:14 2014] [error]      keytab_file=settings['krbcontext_keytab_file'],
    [Mon Mar 10 09:15:14 2014] [error]    File "/usr/lib64/python2.6/contextlib.py", line 16, in __enter__
    [Mon Mar 10 09:15:14 2014] [error]      return self.gen.next()
    [Mon Mar 10 09:15:14 2014] [error]    File "/usr/lib/python2.6/site-packages/krbcontext/context.py", line 184, in krbcontext
    [Mon Mar 10 09:15:14 2014] [error]      inited, old_ccache = init_ccache_if_necessary(context, kwargs)
    [Mon Mar 10 09:15:14 2014] [error]    File "/usr/lib/python2.6/site-packages/krbcontext/context.py", line 155, in init_ccache_if_necessary
    [Mon Mar 10 09:15:14 2014] [error]      init_required = is_initialize_ccache_necessary(context, ccache, principal)
    [Mon Mar 10 09:15:14 2014] [error]    File "/usr/lib/python2.6/site-packages/krbcontext/context.py", line 76, in is_initialize_ccache_necessary
    [Mon Mar 10 09:15:14 2014] [error]      cred_time = get_tgt_time(context, ccache, principal)
    [Mon Mar 10 09:15:14 2014] [error]    File "/usr/lib/python2.6/site-packages/krbcontext/utils.py", line 33, in get_tgt_time
    [Mon Mar 10 09:15:14 2014] [error]      result = ccache.get_credentials(creds, krbV.KRB5_GC_CACHED, 0)
    [Mon Mar 10 09:15:14 2014] [error]  Krb5Error: (-1765328190, 'Credentials cache permissions incorrect')

After I restarted my Apache server, everything started working again.

T0MASD commented 10 years ago

I think this may be my bad: I didn't check file perms before I restarted Apache. The expired ticket cache renewed fine after 24 hours. NOTABUG
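A pre-flight check for the situation in this thread, as an added example that is not part of the original issue or of krbcontext: it inspects a FILE credential cache such as /tmp/krb5cc_48 for an owner mismatch (the process cannot open a cache that another user created with mode 0600, which surfaces as the error above) and for modes that expose tickets to other users. The function name `check_ccache` and the `/tmp/krb5cc_<uid>` default path are assumptions; it targets Python 3.

```python
import os
import stat
import sys


def check_ccache(path, expected_uid):
    """Return a list of problems that affect expected_uid's use of a FILE ccache.

    An empty list means the file exists, is a regular file, is owned by
    expected_uid and has mode 0600 (owner read/write only).
    """
    try:
        # lstat: do not follow a symlink that someone planted in a shared /tmp
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: no cache at %s" % path]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file: %s" % path]

    problems = []
    if st.st_uid != expected_uid:
        # Typical cause: kinit was run as another user (for example root)
        # against the same cache path before the service started.
        problems.append("owner uid %d != expected uid %d" % (st.st_uid, expected_uid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append("mode %04o exposes the cache to group/other" % mode)
    if (mode & 0o600) != 0o600:
        problems.append("mode %04o: owner lacks read/write" % mode)
    return problems


if __name__ == "__main__":
    # Assumption: default MIT-style cache location for the current user.
    uid = os.geteuid()
    path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/krb5cc_%d" % uid
    found = check_ccache(path, uid)
    for problem in found:
        print("%s: %s" % (path, problem))
    sys.exit(1 if found else 0)
```

Run it as the same user the web server workers run as, so that the uid comparison matches what the application process sees.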

tkdchen commented 10 years ago

Glad to see your problem was solved.

tkdchen commented 10 years ago

krbcontext has an important bugfix. Please upgrade to 0.3.3 for your project. We are using krbcontext in a Django-based project, and Apache in prefork + mod_wsgi. Feel free to let me know of any issues on your side. Thanks. :)