How to use the gssapi.exceptions.GSSError function in gssapi
To help you get started, we’ve selected a few gssapi examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
freeipa / freeipa / ipatests / test_cmdline / test_ipagetkeytab.py View on Github 
def use_keytab(principal, keytab):
with private_ccache() as ccache_file:
try:
old_principal = getattr(context, 'principal', None)
name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
store = {'ccache': ccache_file,
'client_keytab': keytab}
gssapi.Credentials(name=name, usage='initiate', store=store)
conn = ldap2(api)
conn.connect(ccache=ccache_file,
autobind=ipaldap.AUTOBIND_DISABLED)
yield conn
conn.disconnect()
except gssapi.exceptions.GSSError as e:
raise Exception('Unable to bind to LDAP. Error initializing '
'principal %s in %s: %s' % (principal, keytab,
str(e)))
finally:
setattr(context, 'principal', old_principal)# Check if the IPA server is configured before attempting to migrate
try:
installutils.check_server_configuration()
except admintool.ScriptError as e:
sys.exit(e)
# Finalize API
api.bootstrap(in_server=True, context='server', confdir=paths.ETC_IPA)
api.finalize()
# Setup LDAP connection
try:
api.Backend.ldap2.connect()
cls.ldap = api.Backend.ldap2
except gssapi.exceptions.GSSError as e:
sys.exit("Must have Kerberos credentials to migrate Winsync users. Error: %s" % e)
except errors.ACIError as e:
sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket.")
except errors.DatabaseError as e:
sys.exit("Cannot connect to the LDAP database. Please check if IPA is running.")
super(WinsyncMigrate, cls).main(argv)logger.debug('Using fixed server %s', server)
else:
print("IPA server: DNS discovery")
logger.debug('Configuring to use DNS discovery')
print("Location: %s" % options.location)
logger.debug('Using automount location %s', options.location)
ccache_dir = tempfile.mkdtemp()
ccache_name = os.path.join(ccache_dir, 'ccache')
try:
try:
host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
os.environ['KRB5CCNAME'] = ccache_name
except gssapi.exceptions.GSSError as e:
sys.exit("Failed to obtain host TGT: %s" % e)
# Finalize API when TGT obtained using host keytab exists
api.finalize()
# Now we have a TGT, connect to IPA
try:
api.Backend.rpcclient.connect()
except errors.KerberosError as e:
sys.exit('Cannot connect to the server due to ' + str(e))
try:
# Use the RPC directly so older servers are supported
api.Backend.rpcclient.forward(
'automountlocation_show',
ipautil.fsdecode(options.location),
version=u'2.0',def conn(self):
"""Lazily load and return the raw connection from threadlocals.
Connect to the LDAP server specified in settings and bind using
the GSSAPI protocol. The requisite KRB5CCNAME environmental
variable should have already been set by the SetKerberosCache
middleware.
"""
ldap_exceptions = (LDAPExceptionError, LDAPSocketOpenError)
if 'gssapi' in sys.modules:
ldap_exceptions += (gssapi.exceptions.GSSError,)
if "KRB5CCNAME" in os.environ:
logger.info("KRB5CCNAME: {}".format(os.environ["KRB5CCNAME"]))
else:
logger.info("KRB5CCNAME not in environ")
if not hasattr(_thread_locals, "ldap_conn") or _thread_locals.ldap_conn is None:
logger.info("Connecting to LDAP...")
server = ldap3.Server(settings.LDAP_SERVER)
if settings.USE_SASL:
try:
_thread_locals.ldap_conn = ldap3.Connection(server, authentication=ldap3.SASL, sasl_mechanism='GSSAPI')
_thread_locals.ldap_conn.bind()
_thread_locals.simple_bind = False
logger.info("Successfully connected to LDAP.")
except ldap_exceptions as e:if len(unwrapped_token.message) != 4:
raise LDAPCommunicationError("Incorrect response from server")
server_security_layers = unwrapped_token.message[0]
if not isinstance(server_security_layers, int):
server_security_layers = ord(server_security_layers)
if server_security_layers in (0, NO_SECURITY_LAYER):
if unwrapped_token.message[1:] != '\x00\x00\x00':
raise LDAPCommunicationError("Server max buffer size must be 0 if no security layer")
if not (server_security_layers & NO_SECURITY_LAYER):
raise LDAPCommunicationError("Server requires a security layer, but this is not implemented")
client_security_layers = bytearray([NO_SECURITY_LAYER, 0, 0, 0])
out_token = ctx.wrap(bytes(client_security_layers)+authz_id, False)
return send_sasl_negotiation(connection, controls, out_token.message)
except (gssapi.exceptions.GSSError, LDAPCommunicationError):
abort_sasl_negotiation(connection, controls)
raise# confidentiality support.
response = self.gss_vc.unwrap(token)
# This is a behavior we got from pykerberos. First byte is one,
# first four bytes are preserved (pykerberos calls this a length).
# Any additional bytes are username.
reply = []
reply[0:4] = response.message[0:4]
reply[0] = '\x01'
if self.username:
reply[5:] = self.username
reply = ''.join(reply)
response = self.gss_vc.wrap(reply, response.encrypted)
return response.message if response.message else ""
except gssapi.exceptions.GSSError as err:
# GSSAPI errored out on us; respond with None to cancel the
# authentication
self.ui.debug('imap', err.gen_message())
return Nonedef check(self):
ccache_dir = tempfile.mkdtemp()
ccache_name = os.path.join(ccache_dir, 'ccache')
try:
try:
host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
except gssapi.exceptions.GSSError as e:
yield Result(self, constants.ERROR,
msg='Failed to obtain host TGT: %s' % e)
finally:
ipautil.remove_file(ccache_name)
os.rmdir(ccache_dir)def run(self):
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
try:
api.Backend.ldap2.connect(ccache=os.environ.get('KRB5CCNAME'),
autobind=AUTOBIND_DISABLED)
except (gssapi.exceptions.GSSError, errors.ACIError):
raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
try:
# Parse tokens
for keypkg in self.doc.getKeyPackages():
try:
api.Command.otptoken_add(keypkg.id, no_qrcode=True, **keypkg.options)
except Exception as e:
logger.warning("Error adding token: %s", e)
else:
logger.info("Added token: %s", keypkg.id)
keypkg.remove()
finally:
api.Backend.ldap2.disconnect()
# Write out the XML file without the tokens that succeeded."supported, try to use Kerberos explicitly and fallback "
"to NTLM with ntlm-auth if that fails")
# we can't rely on SPNEGO in GSSAPI as NTLM is not available, try
# and initialise a kerb context and get the first token. If that
# fails, fallback to NTLM with ntlm-auth
try:
log.debug("Attempting to use GSSAPI Kerberos as auth backend")
context = GSSAPIContext(username, password, "kerberos",
cbt_app_data, hostname, service,
delegate, wrap_required)
context.init_context()
context_gen = context.step()
out_token = next(context_gen)
log.debug("GSSAPI with mech kerberos is being used as the "
"auth backend")
except gssapi.exceptions.GSSError as err:
log.warning("Failed to initialise a GSSAPI context, failling "
"back to NTLM: %s" % str(err))
context_gen = None
out_token = None
context = NTLMContext(username, password, cbt_app_data)
else:
log.debug("GSSAPI is available but does not support NTLM or "
"Kerberos with encryption, fallback to ntlm-auth")
context = NTLMContext(username, password, cbt_app_data)
else:
if auth_provider not in ["auto", "ntlm"]:
raise ValueError("The auth_provider specified '%s' cannot be used "
"without GSSAPI or SSPI being installed, select "
"auto or install GSSAPI or SSPI"
% auth_provider)
log.debug("SSPI or GSSAPI is not available, using ntlm-auth as the "def verify(self, data, sig):
"""Verify a signature for a block of data"""
try:
self._ctx.verify_signature(data, sig)
return True
except GSSError:
return False
Popular gssapi functions
- gssapi._utils._get_encoding
- gssapi._utils.import_gssapi_extension
- gssapi.Credentials
- gssapi.creds.Credentials
- gssapi.exceptions
- gssapi.exceptions.ExpiredCredentialsError
- gssapi.exceptions.GSSError
- gssapi.InitContext
- gssapi.Name
- gssapi.names
- gssapi.names.Name
- gssapi.NameType
- gssapi.NameType.hostbased_service
- gssapi.NameType.kerberos_principal
- gssapi.OID.from_int_seq
- gssapi.raw
- gssapi.raw.acquire_cred_with_password
- gssapi.RequirementFlag
- gssapi.sec_contexts.SecurityContext
- gssapi.SecurityContext