From ronaldw at ronzo.at Tue Nov 30 09:58:51 2021
From: Ronald Wimmer
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Python ipalib
Date: Tue, 30 Nov 2021 10:57:48 +0100
Message-ID: <4f0b6645-42ea-0937-bfb3-178bd0df3198@ronzo.at>

When I started writing python scripts communicating with the IPA API some years ago I used the python-freeipa library (https://python-freeipa.readthedocs.io/en/latest/). When I revisited one of my scripts today I was wondering why I was using python-freeipa and not ipalib, which comes with every freeipa-client installation.

My guess is that ipalib is the way to go because it comes directly from you. Is there any good reason for sticking with python-freeipa? (I doubt it...)

What are your thoughts?

Cheers,
Ronald


From ronaldw at ronzo.at Tue Nov 30 10:29:03 2021
From: Ronald Wimmer
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Python ipalib
Date: Tue, 30 Nov 2021 11:27:57 +0100
Message-ID: <664641a6-7b3d-d748-c8b0-00a0b9483a19@ronzo.at>
In-Reply-To: 4f0b6645-42ea-0937-bfb3-178bd0df3198@ronzo.at

What I dislike is that the output of a very simple curl command told me that there was a problem with insufficient access:

    curl --negotiate https://ipa07.linux.mydomain.at/ipa/session/json

    401 Unauthorized
    Invalid Authentication
    Insufficient access: Invalid credentials

whereas the ipalib error was not that specific:

    myuser@someserver:ansible_tower $ ./ipaInventory.py --list
    Traceback (most recent call last):
      File "./ipaInventory.py", line 121, in <module>
        api = initialize()
      File "./ipaInventory.py", line 44, in initialize
        api.finalize()
      File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 740, in finalize
        self.__do_if_not_done('load_plugins')
      File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 431, in __do_if_not_done
        getattr(self, name)()
      File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 619, in load_plugins
        for package in self.packages:
      File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 954, in packages
        ipaclient.remote_plugins.get_package(self),
      File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 134, in get_package
        plugins = schema.get_package(server_info, client)
      File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 553, in get_package
        schema = Schema(client)
      File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 401, in __init__
        fingerprint, ttl = self._fetch(client, ignore_cache=read_failed)
      File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 413, in _fetch
        client.connect(verbose=False)
      File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 69, in connect
        conn = self.create_connection(*args, **kw)
      File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 1115, in create_connection
        error=', '.join(urls))
    ipalib.errors.NetworkError: cannot connect to 'any of the configured servers': https://ipa07.linux.mydomain.at/ipa/session/json, ...


From ronaldw at ronzo.at Tue Nov 30 10:34:52 2021
From: Ronald Wimmer
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Python ipalib
Date: Tue, 30 Nov 2021 11:33:49 +0100
Message-ID: <1148d02d-9b44-db03-95a4-257cbc3945df@ronzo.at>
In-Reply-To: 664641a6-7b3d-d748-c8b0-00a0b9483a19@ronzo.at

On 30.11.21 11:27, Ronald Wimmer via FreeIPA-users wrote:
> What I dislike is that the output of a very simple curl command told me
> that there was a problem with insufficient access:
> [...]
> whereas the ipalib error was not that specific
> [...]
> ipalib.errors.NetworkError: cannot connect to 'any of the configured
> servers': https://ipa07.linux.mydomain.at/ipa/session/json, ...

When using ipalib do I always have to use Kerberos or is it possible to specify a username/password combination as well?

This is the script I was using above: https://github.com/ansible/ansible/blob/stable-2.9/contrib/inventory/freeipa.py

It works perfectly fine when using an IPA user that has Kerberos credentials.


From abokovoy at redhat.com Tue Nov 30 11:52:26 2021
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Python ipalib
Date: Tue, 30 Nov 2021 13:52:03 +0200
In-Reply-To: 1148d02d-9b44-db03-95a4-257cbc3945df@ronzo.at

On Tue, 30 Nov 2021, Ronald Wimmer via FreeIPA-users wrote:
> [...]
> When using ipalib do I always have to use Kerberos or is it possible
> to specify a username/password combination as well?

Yes, you always have to present a valid Kerberos ticket right now.

If you have a keytab, you can obtain a ticket automatically if you'd set KRB5_CLIENT_KTNAME: https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


From ronaldw at ronzo.at Tue Nov 30 13:28:25 2021
From: Ronald Wimmer
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Python ipalib
Date: Tue, 30 Nov 2021 14:27:18 +0100
In-Reply-To: YaYQY/HhNzNVksG7@redhat.com

On 30.11.21 12:52, Alexander Bokovoy via FreeIPA-users wrote:
> On Tue, 30 Nov 2021, Ronald Wimmer via FreeIPA-users wrote:
>> [...]
>> When using ipalib do I always have to use Kerberos or is it possible
>> to specify a username/password combination as well?
> Yes, you always have to present a valid Kerberos ticket right now.
>
> If you have a keytab, you can obtain a ticket automatically if you'd set
> KRB5_CLIENT_KTNAME:
> https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html

You mean I need a keytab for the user running the script? So this should work, right:

    ipa-getkeytab -s ipa07.mydomain.oebb.at -p someipauser@LINUX.OEBB.AT -P -k ./someipauser.keytab
    export KRB5_CLIENT_KTNAME=/some/path/to/someipauser.keytab
    kdestroy
    ipa host-find


From ronaldw at ronzo.at Tue Nov 30 13:43:59 2021
From: Ronald Wimmer
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Python ipalib
Date: Tue, 30 Nov 2021 14:42:55 +0100
In-Reply-To: a5512f92-8f4a-a00d-2690-1f6cef1c5f7f@ronzo.at

On 30.11.21 14:27, Ronald Wimmer via FreeIPA-users wrote:
> [...]
> You mean I need a keytab for the user running the script? So this should
> work, right:
> [...]

Maybe you do also know how to specify the user Ansible Tower runs an inventory script with. (I do have experience with Ansible but it is my first day with Tower so I am lacking a little bit of in-depth knowledge ;-)

Cheers,
Ronald


From rcritten at redhat.com Tue Nov 30 13:44:27 2021
From: Rob Crittenden
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Python ipalib
Date: Tue, 30 Nov 2021 08:44:09 -0500
In-Reply-To: a5512f92-8f4a-a00d-2690-1f6cef1c5f7f@ronzo.at

Ronald Wimmer via FreeIPA-users wrote:
> On 30.11.21 12:52, Alexander Bokovoy via FreeIPA-users wrote:
>> [...]
>> Yes, you always have to present a valid Kerberos ticket right now.
>>
>> If you have a keytab, you can obtain a ticket automatically if you'd
>> set KRB5_CLIENT_KTNAME:
>> https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html
>
> You mean I need a keytab for the user running the script? So this should
> work, right:
>
> ipa-getkeytab -s ipa07.mydomain.oebb.at -p someipauser@LINUX.OEBB.AT -P
> -k ./someipauser.keytab
> export KRB5_CLIENT_KTNAME=/some/path/to/someipauser.keytab
> kdestroy
> ipa host-find

Yes. You can confirm this by looking at the httpd error log which should log something like:

    [Tue Nov 30 08:42:17.804267 2021] [wsgi:error] [pid 115577:tid 115850] [remote 192.168.0.3:40836] ipa: INFO: [jsonserver_kerb] someuser@EXAMPLE.TEST: host_find/1(None, version='2.245'): SUCCESS

rob


From abokovoy at redhat.com Tue Nov 30 13:47:50 2021
From: Alexander Bokovoy
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: Python ipalib
Date: Tue, 30 Nov 2021 15:47:33 +0200
In-Reply-To: a5512f92-8f4a-a00d-2690-1f6cef1c5f7f@ronzo.at

On Tue, 30 Nov 2021, Ronald Wimmer via FreeIPA-users wrote:
> On 30.11.21 12:52, Alexander Bokovoy via FreeIPA-users wrote:
>> [...]
>> Yes, you always have to present a valid Kerberos ticket right now.
>>
>> If you have a keytab, you can obtain a ticket automatically if you'd
>> set KRB5_CLIENT_KTNAME:
>> https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html
>
> You mean I need a keytab for the user running the script? So this
> should work, right:
>
> ipa-getkeytab -s ipa07.mydomain.oebb.at -p someipauser@LINUX.OEBB.AT
> -P -k ./someipauser.keytab
> export KRB5_CLIENT_KTNAME=/some/path/to/someipauser.keytab
> kdestroy
> ipa host-find

Yes, that would work.

I think we have a ticket open to allow using username and password too but never got to implement it. It boils down to authenticating and storing the cookie in a credentials cache like we already do; the rest of the code would then use the cookie until it expires.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
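The keytab setup Alexander and Ronald settle on above, plus the server-side check Rob suggests, written out as an added example for this thread (it is not code from FreeIPA, ipalib or the Ansible freeipa.py inventory script). It assumes that ipa_connect_with_keytab() runs on an enrolled FreeIPA client (ipalib reads /etc/ipa/default.conf), that the httpd error_log line has the shape Rob quoted, and it uses a constructed stand-in keytab and constructed log lines; the permission check on the keytab is an addition of this example, not something the thread states.

```python
import os
import re
import stat
import tempfile

# Shape of the FreeIPA httpd error_log entry quoted by Rob in the thread:
#   ... ipa: INFO: [jsonserver_kerb] user@REALM: host_find/1(None, version='2.245'): SUCCESS
# jsonserver_kerb    = request authenticated with a Kerberos ticket (GSSAPI)
# jsonserver_session = request authenticated with an existing session cookie
IPA_LOG_RE = re.compile(
    r"ipa: INFO: \[(?P<backend>jsonserver_\w+)\] (?P<principal>\S+): "
    r"(?P<command>\w+)/(?P<api_version>\d+)\((?P<args>.*)\): (?P<result>\w+)$"
)

# Constructed sample lines; the first is the one Rob quoted.
SAMPLE_LOG = [
    "[Tue Nov 30 08:42:17.804267 2021] [wsgi:error] [pid 115577:tid 115850] "
    "[remote 192.168.0.3:40836] ipa: INFO: [jsonserver_kerb] "
    "someuser@EXAMPLE.TEST: host_find/1(None, version='2.245'): SUCCESS",
    "[Tue Nov 30 08:43:02.100000 2021] [wsgi:error] [pid 115577:tid 115851] "
    "[remote 192.168.0.9:51022] ipa: INFO: [jsonserver_session] "
    "alice@EXAMPLE.TEST: user_show/1('bob', version='2.245'): SUCCESS",
    "[Tue Nov 30 08:43:05.000000 2021] [wsgi:error] [pid 115577:tid 115850] "
    "[remote 192.168.0.3:40840] ipa: INFO: [jsonserver_kerb] "
    "someuser@EXAMPLE.TEST: hostgroup_find/1(None, version='2.245'): SUCCESS",
]


def parse_ipa_log_line(line):
    """Fields of one jsonserver log entry, or None for any other line."""
    m = IPA_LOG_RE.search(line)
    return m.groupdict() if m else None


def audit_api_calls(lines, allowed_principals):
    """(principal, backend, command) for every API call made by a principal
    outside allowed_principals, e.g. anyone other than the inventory service
    account when reviewing what the Tower host has been doing against IPA."""
    findings = []
    for line in lines:
        entry = parse_ipa_log_line(line)
        if entry and entry["principal"] not in allowed_principals:
            findings.append((entry["principal"], entry["backend"], entry["command"]))
    return findings


def keytab_env(keytab_path, ccache_path):
    """Environment for a script that must obtain its ticket from a keytab.
    A keytab is a long-lived credential equivalent to the principal's
    password, so refuse one that other users can read or modify."""
    mode = os.stat(keytab_path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s must be accessible only by its owner" % keytab_path)
    return {
        "KRB5_CLIENT_KTNAME": keytab_path,    # libkrb5 acquires the initial ticket from here
        "KRB5CCNAME": "FILE:" + ccache_path,  # private ccache, unaffected by the user's own kdestroy
    }


def ipa_connect_with_keytab(keytab_path, ccache_path):
    """Initialise ipalib the way the freeipa.py inventory script does, with the
    keytab environment in place before the first GSSAPI call.  ipalib is
    imported lazily so the rest of this file runs where freeipa-client is absent."""
    os.environ.update(keytab_env(keytab_path, ccache_path))
    from ipalib import api
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    return api


def make_demo_keytab(mode=0o600):
    """Constructed stand-in for a keytab (only the v2 file-format header),
    used to exercise keytab_env() offline; it cannot authenticate anything."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    os.write(fd, b"\x05\x02")
    os.close(fd)
    os.chmod(path, mode)
    return path
```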