On Thu, 13 Feb 2020, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
That was it.
Moving forward.
Again, many thanks.
I suspect FreeIPA/RH-IdM 4.7.x will not be released to CentOS/RHEL 7, right ?
While RHEL 7 is currently at Maintenance Support 2 Phase, which doesn't
allow Software Enhancements
(https://access.redhat.com/support/policy/updates/errata#Details),
FreeIPA 4.7 also has other dependencies that prevent it from being
shipped in RHEL 7 because of ABI changes required to packages that
cannot change ABI in RHEL 7. That, and the move to Python 3, which
started with FreeIPA 4.7.0.
______________________________________________________________________________________________
Daniel E. White
daniel.e.white@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290
From: Alexander Bokovoy <abokovoy(a)redhat.com>
Date: Thursday, February 13, 2020 at 14:14
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Rob Crittenden <rcritten(a)redhat.com>, Daniel White
<daniel.e.white(a)nasa.gov>
Subject: [EXTERNAL] Re: [Freeipa-users] Python-ing into FreeIPA - hit a glitch
On Thu, 13 Feb 2020, White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
Alexander,
I followed your instructions and ran into a problem.
These commands went as described:
$ ipa service-add api-requester/`hostname`
$ ipa service-allow-retrieve-keytab api-requester/`hostname` --users=me
$ ipa service-allow-create-keytab api-requester/`hostname` --users=me
$ ipa-getkeytab -Y GSSAPI -k api-requester.keytab -p api-requester/`me`
$ KRB5_CLIENT_KTNAME=./api-requester.keytab KRB5CCNAME=./api.ccache ipa console
(Custom IPA interactive Python console)
api: IPA API object
pp: pretty printer
api.Command.whoami()
{'object': 'service', 'command': 'service_show/1',
'arguments': ('api-requester/some-host.example.com@EXAMPLE.COM',)}
HOWEVER, when I tried this:
api.Command.service_show('api-requester/some-host.example.com@EXAMPLE.COM')
I got this error:
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 471, in __do_call
    params = self.convert(**params)
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 672, in convert
    (k, self.params[k].convert(v)) for (k, v) in kw.items()
  File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 672, in <genexpr>
    (k, self.params[k].convert(v)) for (k, v) in kw.items()
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 852, in convert
    return convert(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 839, in convert
    return self._convert_scalar(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 2152, in _convert_scalar
    return super(Principal, self)._convert_scalar(value)
  File "/usr/lib/python2.7/site-packages/ipalib/parameters.py", line 862, in _convert_scalar
    raise ConversionError(name=self.name, error=ugettext(self.type_error))
ConversionError: invalid 'krbcanonicalname': must be Kerberos principal
The argument I used in the "service_show" is identical to the argument returned
from the "whoami" command.
What is even stranger, if I exit the console and try:
api.Command.ipa service-show api-requester/some-host.example.com@EXAMPLE.COM
I get the expected response.
I ran this on a CentOS 7 IPA client v4.6.5-11.el7.centos.3.x86_64
The server is RHEL 7, IPA/RH-IdM server v4.6.5-11.el7_7.3.x86_64
Any ideas ?
Can you try u'api-requester/...' as an argument to service_show(..)?
Python 3 treats strings as unicode by default, Python 2 needs u'...'.
When you run ipa CLI commands, we do Unicode transformation ourselves,
but inside Python console it is your duty.
BTW, note that services as members of group will not work in FreeIPA
before 4.7, so you need Fedora or RHEL 8.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
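
The byte-string versus text point from the reply above, as an added example that is not part of the original thread and is not FreeIPA code. The names to_text, replay_whoami, StandInCommand and StandInApi are hypothetical, and the stand-in classes are constructed to mimic the rejection shown in the traceback so the block runs without an IPA server.

```python
from __future__ import print_function


def to_text(value, encoding="utf-8"):
    """Return byte strings (Python 2 plain 'str') decoded to text."""
    if isinstance(value, bytes):
        return value.decode(encoding)
    return value


def replay_whoami(api, whoami):
    """Re-issue the command named in a whoami() result, passing text arguments.

    `whoami` has the shape printed in the thread:
    {'object': 'service', 'command': 'service_show/1', 'arguments': (...,)}
    """
    name = to_text(whoami["command"]).split("/", 1)[0]  # drop the "/1" version
    args = [to_text(arg) for arg in whoami["arguments"]]
    return getattr(api.Command, name)(*args)


class StandInCommand(object):
    """Constructed stand-in for api.Command: rejects non-text principals."""

    def service_show(self, principal):
        if not isinstance(principal, type(u"")):
            raise ValueError("invalid 'krbcanonicalname': must be Kerberos principal")
        return {"result": {"krbcanonicalname": (principal,)}}


class StandInApi(object):
    """Constructed stand-in for the ipalib api object, for offline runs."""
    Command = StandInCommand()


if __name__ == "__main__":
    # Constructed whoami() result whose argument is a byte string.
    sample = {
        "object": "service",
        "command": "service_show/1",
        "arguments": (b"api-requester/some-host.example.com@EXAMPLE.COM",),
    }
    print(replay_whoami(StandInApi(), sample))
    # Against a real server (run with KRB5_CLIENT_KTNAME and KRB5CCNAME set):
    #   from ipalib import api
    #   api.bootstrap(context="cli"); api.finalize()
    #   api.Backend.rpcclient.connect()
    #   print(replay_whoami(api, api.Command.whoami()))
```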