apple / ccs-pykerberos Goto Github PK

duncan.macleod@… originally submitted this as ticket:908

• Keywords: kerberos
• Cc: johannes@…

pip-3.4 install kerberos fails due to a NameError in setup.py:

$ pip-3.4 install kerberos
Collecting kerberos
  Using cached kerberos-1.2.2.tar.gz
    Complete output from command python setup.py egg_info:
    Traceback (most recent call last):
      File "<string>", line 20, in <module>
      File "/Users/duncan/tmp/pip-build-z2tgrlen/kerberos/setup.py", line 36, in <module>
        long_description = file(joinpath(dirname(__file__), "README.rst")).read()
    NameError: name 'file' is not defined

    ----------------------------------------
    Command "python setup.py egg_info" failed with error code 1 in /Users/duncan/tmp/pip-build-z2tgrlen/kerberos

The file builtin was removed in python3, but you can use the open builtin in both python2 and python3 to achieve the same functionality.

bland@… originally submitted this as ticket:288

There is a missed keytab entry celanup here: http://trac.calendarserver.org/browser/PyKerberos/trunk/src/kerberosgss.c#L86 Expected krb5_free_keytab_entry_contents(kcontext, &entry); bellow this line.

@agx originally submitted this as ticket:275

• Cc: @agx

Hi, we currently have to branches in pykerberos: trunk (with pw changing support) and more-kerberos with basic wrap/unwarp support (enough to to handle imaps, the API is extendable). Can these please be merged since tracking both seems more work then necessary.

-- Guido

j.warburton@… originally submitted this as ticket:849

In some cases, when delegation is disabled but the user attempts to store delegated credentials, the program will crash due to attempting to dereference a null pointer as there is no null pointer check inside gss_krb5_copy_ccache. Attached is a patch to fix this and raise an exception back to python

cuidighth@… originally submitted this as ticket:815

PyKerberos (https://svn.calendarserver.org/repository/calendarserver/PyKerberos/trunk/) is not Python 3 compatible. The main code is 100% compatible, but the setup.py uses the long deprecated (since 2.6, which was released in jurassic period or so) commands module which causes problems as it does not exist anymore. Changing the import to subprocess works for 3.x, but the backwards compatibility requires some work (I have no idea what as my Python skills are unfortunately still too feeble).

I would kindly ask someone to work on a version that works for both Python 2.x and 3.x as it is used by large amounts of projects via pypi (see https://pypi.python.org/pypi/kerberos/). Those projects are sadly at this moment unable to upgrade their Python versions due a minor problem in this package. PyKerberos is used because it offers the most convenience API for interfacing with GSSAPI/Kerberos for web based services, and it has been used with basically every major Python based web development framework.

I contacted earlier Roland (mentioned as the maintainer at pypi), and he said he doesn't really maintain the package. Apparently this should be done by that CalendarServer project and/or Apple.

@agx originally submitted this as ticket:281

• Cc: @agx

without this we see:

SystemError: error return without exception set

which is not very helpful

glen@… originally submitted this as ticket:914

To give PyKerberos a fighting chance under low memory conditions we should check the value returned by malloc (and by functions that use malloc on our behalf), before attempting to access the memory and causing a possible segfault. Attached is a patch that does this - in the event malloc returns NULL it will generally cause a Python MemoryError to be raise by calling PyErr_NoMemory(), although the exact handling depends on the context.

@agx originally submitted this as ticket:214

needed to establish gssapi to e.g. cyrus or dovecot imapd.

roland@… originally submitted this as ticket:439

The version setup.py in py kerberos has 1.0 even though 1.1 was released a long time ago.

ikatrina@… originally submitted this as ticket:796

• Keywords: encryption, kerberos

Currently the PyKerberos library only supports integrity protection (signing) with authGSSClientWrap/authGSSClientUnwrap. It would be nice if confidentiality (encryption) were supported as well. And a way for the caller to check whether a buffer was encrypted when calling authGSSClientUnwrap would also be needed. This way, a caller has a way of rejecting a buffer if it was not encrypted.

Whether encryption is done when calling gss_wrap is controlled by a passed in flag. It is the third parameter passed into gss_wrap. 1 means encrypt, 0 means just sign, no encryption.

gss_unwrap will take both encrypted and only integrity protected buffers. It will set a flag indicating whether the buffer was encrypted or just integrity protected. This flag is the fifth parameter to the call. 1 means that the buffer was encrypted and 0 means the buffer was just integrity protected.

Currently PyKerberos provides no way to set the flag when calling authGSSClientWrap (it uses the value of 0 - so only integrity protection, no confidentiality) or check the flag when calling authGSSClientUnwrap (the flag is ignored).

pkropf@… originally submitted this as ticket:203

• Cc: pkropf@…

I'm running into a problem building the calendar server. When ./run -s gets to building PyKerberos, here's what happens:

Building PyKerberos...
running build
running build_ext
building 'kerberos' extension
creating build
creating build/temp.macosx-10.3-i386-2.4
creating build/temp.macosx-10.3-i386-2.4/src
/usr/bin/gcc-4.0 -fno-strict-aliasing -Wno-long-double -no-cpp-precomp -fno-common -fno-common -dynamic -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -I/opt/local/Library/Frameworks/Python.framework/Versions/2.4/include/python2.4 -c src/kerberos.c -o build/temp.macosx-10.3-i386-2.4/src/kerberos.o -I/opt/local/include
In file included from src/kerberosbasic.h:20,
                 from src/kerberos.c:21:
/usr/include/gssapi/gssapi_generic.h:46: error: syntax error before ‘extern’
/usr/include/gssapi/gssapi_generic.h:47: error: syntax error before ‘extern’
/usr/include/gssapi/gssapi_generic.h:48: error: syntax error before ‘extern’
/usr/include/gssapi/gssapi_generic.h:50: error: syntax error before ‘extern’
error: command '/usr/bin/gcc-4.0' failed with exit status 1

This is on a Leopard based system.

dan@… originally submitted this as ticket:905

We are using https://github.com/requests/requests-kerberos which uses http://trac.calendarserver.org/wiki/PyKerberos

I raised an issue with requests-kerberos earlier today.

When trying to authenticate, we get an error:

015-03-31 11:08:00,166 kerberos_.py - ERROR - generate_request_header(): authGSSClientStep() failed:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/requests_kerberos/kerberos_.py", line 113, in generate_request_header
    _negotiate_value(response))
GSSError: ((' Miscellaneous failure (see text)', 851968), ('Server (krbtgt/[email protected]) unknown', -1765328377))

I suspect we do not want to use krbtgt, as shown in the "Server ... unknown" above, but rather, we want HTTP, and I do not know how to adjust that.

Ideas please?

glen@… originally submitted this as ticket:913

Changes introduced by #⁠847 to support credential delegation also introduced a crash under some circumstances when an uninitialised pointer is accessed. Attached is a patch to initialise the pointer to NULL, and to check for NULL before using the pointer.

hugh.xie@… originally submitted this as ticket:901

Please correct 1.1.2 pushed to pypi. All .h files are missing.

building 'kerberos' extension gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O3 -Wall -Wstrict-prototypes -fPIC -I/efs/dist/python/core/2.6.5/exec/include/python2.6 -c src/kerberos.c -o build/temp.linux-x86_64-2.6/src/kerberos.o -I/efs/dist/kerberos/mit/1.11.5-build001/common/include src/kerberos.c:19:27: fatal error: kerberosbasic.h: No such file or directory

#include "kerberosbasic.h"

ls src base64.c kerberosbasic.c kerberos.c kerberosgss.c kerberospw.c

@agx originally submitted this as ticket:255

• Cc: @agx

Hi, the C code in pykerberos is a wild mixture of tabs and spaces, the indentation looks weird in general. I even have a hard time to find out what's intended, otherwise I'd send a patch.

raubvogel@… originally submitted this as ticket:477

Since in ubuntu apache is run as its own user (www-data), I have a separate keytab, in /etc/apache2/krb5.keytab, which contains the HTTP principal. How can I specify the location of the keytab in pyKerberos?

hugh.xie@… originally submitted this as ticket:904

Missing base64.h and base64.c ther is a strange base64.csrc subdir in src:

tar tzvf kerberos-1.2.0.tar.gz
drwxr-xr-x wsanchez/staff    0 2015-03-26 14:38 kerberos-1.2.0/
-rw-r--r-- wsanchez/staff  837 2015-03-26 14:38 kerberos-1.2.0/PKG-INFO
-rw-r--r-- wsanchez/staff 2018 2015-03-26 14:31 kerberos-1.2.0/README.txt
-rw-r--r-- wsanchez/staff 2094 2015-03-26 14:36 kerberos-1.2.0/setup.py
drwxr-xr-x wsanchez/staff    0 2015-03-26 14:38 kerberos-1.2.0/src/
drwxr-xr-x wsanchez/staff    0 2015-03-26 14:38 kerberos-1.2.0/src/base64.csrc/
-rw-r--r-- wsanchez/staff 16930 2015-03-26 14:31 kerberos-1.2.0/src/kerberos.c
-rw-r--r-- wsanchez/staff  3963 2015-03-26 14:31 kerberos-1.2.0/src/kerberosbasic.c
-rw-r--r-- wsanchez/staff   898 2015-03-26 14:31 kerberos-1.2.0/src/kerberosbasic.h
-rw-r--r-- wsanchez/staff 24173 2015-03-26 14:31 kerberos-1.2.0/src/kerberosgss.c
-rw-r--r-- wsanchez/staff  2507 2015-03-26 14:31 kerberos-1.2.0/src/kerberosgss.h
-rw-r--r-- wsanchez/staff  4414 2015-03-26 14:31 kerberos-1.2.0/src/kerberospw.c
-rw-r--r-- wsanchez/staff   867 2015-03-26 14:31 kerberos-1.2.0/src/kerberospw.h

j.warburton@… originally submitted this as ticket:842

• Keywords: delegation, kerberos, server
• Cc: j.warburton@…

I have added the functions authGSSServerStoreDelegate() and authGSSServerCacheName() to allow kerberos to save and access forwarded tickets so that it can authenticate to other services on behalf of the client.

@agx originally submitted this as ticket:283

• Cc: @agx, jelmer@…

Attached patch makes the above function more generic by not always forcing the username into the return buffer. Mostly based on a patch from Jelmer Vernooij <jelmer@…>

@wsanchez originally submitted this as ticket:141

Current GSS client code does not handle the case where multiple realms are defined and in use on the client.

@agx originally submitted this as ticket:282

• Cc: @agx, elmer@…

Attached patch makes the above function more generic by not always forcing the username into the return buffer. Mostly based on a patch from Jelmer Vernooij <jelmer@…>

wsiegrist@… originally submitted this as ticket:435

Here is a patch that adds support to authGSSClientInit (gss_init_sec_context) for using the non-default principal. It adds a "principal" kwarg to authGSSClientInit() which gets stashed in the client state struct and used when gss_init_sec_context is called. The default behavior is unchanged.

john@… originally submitted this as ticket:924

• Cc: hugh.xie@…

Environment:

% uname -s -r
FreeBSD 10.2-STABLE
% python --version
Python 2.7.10
% /usr/local/bin/krb5-config --version
Kerberos 5 release 1.13.2
% /usr/local/bin/ktutil
ktutil:  rkt example.keytab
ktutil:  l -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 example/[email protected] (aes256-cts-hmac-sha1-96)
   2    2 example/[email protected] (aes128-cts-hmac-sha1-96)
   3    2 example/[email protected] (des3-cbc-sha1)
   4    2 example/[email protected] (arcfour-hmac)

Passing test with PyKerberos r14485:

% env KRB5_KTNAME=example.keytab \
    python -c "import kerberos; result, ctx = kerberos.authGSSServerInit('example'); print(result)"
1

Failing test with PyKerberos r14486:

% env KRB5_KTNAME=example.keytab \
    python -c "import kerberos; result, ctx = kerberos.authGSSServerInit('example'); print(result)"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
kerberos.GSSError: (('Unspecified GSS failure.  Minor code may provide more information', 851968), ('No Kerberos credentials available', -1765328243))

The offending revision per #⁠862 changes the invocation of gss_acquire_cred() to pass GSS_C_NO_NAME instead of state->server_name.

I don't know how to resolve this short of rolling back the change in #⁠862.

daniel@… originally submitted this as ticket:481

The combination of these allow the creation of e.g. web interfaces that connect to other services on behalf of the user.

The delegation is to allow for services acting on behalf of the user.

Removing the previously forced base64 makes it possible to use as an authenticator in other Python modules, for instance imaplib.IMAP4.

The Pythonic API means a GSSAPI-authenticated IMAP instantiation looks like:

imap = imaplib.IMAP4('mail.example.com', 143)
imap.authenticate('GSSAPI', kerberos.GSSAPIClient('[email protected]', username='username', do_base64=False))

which IMHO looks a lot nicer than what is presently needed.

@agx originally submitted this as ticket:213

• Owner: @dreid

improves the code readability since we don't have to remember which of these is zero and one.

agx@… originally submitted this as ticket:51

• Cc: @agx

Errorhandling in pykerberos is currently very poor - especially in the gssapi case. We can only check for 0 and -1. I see two ways out of this: we modify the functions to also return the output of get_gss_error or (what I'd like better) throw an exception that has the get_gss_error output as textual represenations. Without this, the module is kind of hard to use since there are little ways to diagnose errors. Any thoughs?

dan@… originally submitted this as ticket:906

• Cc: john@…

FYI, I have submitted patches for py-requests to the FreeBSD project so that PyKerberos will work with either of:

• MIT
• Heimdal

This allows our users to choose from:

• Heimdal Kerberos distributed with FreeBSD
• MIT Kerberos distributed as a port: https://www.freshports.org/security/krb5/
• Heimdal Kerberos as a port:https://www.freshports.org/security/heimdal/

I thought you might be interested in the patches, available from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199123

See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199123

glen@… originally submitted this as ticket:915

Changes introduced by #⁠830 to support credential inquiry also introduced a memory leak in the event authGSSClientInquireCred is called multiple times, or when authGSSClientInquireCred is called after authGSSClientStep returns a complete response code. Attached is a patch to fix the memory leak.

The patch also finishes the work of #⁠830 by:

• Adding authGSSClientInquireCred to documentation module kerberos.py
• Updating docstring for authGSSClientUserName in kerberos.py to add details of authGSSClientInquireCred as a source of the user name.
• Updating authenticate_gss_client_inquire_cred to allocate and populate the username variable the same way as authenticate_gss_client_step.
• Updating authenticate_gss_client_inquire_cred to clean up the same way as other functions in kerberosgss.c

res@… originally submitted this as ticket:833

The python-kerberos checkPassword() method is badly insecure. It does a kinit (AS-REQ) to ask a KDC for a TGT for the given user principal, and interprets the success or failure of that as indicating whether the password is correct. It does not, however, verify that it actually spoke to a trusted KDC: an attacker may simply reply instead with an AS-REP which matches the password he just gave you.

Imagine you were verifying a password using LDAP authentication rather than Kerberos: you would, of course, use TLS in conjunction with LDAP to make sure you were talking to a real, trusted LDAP server. The same requirement applies here. kinit is not a password-verification service.

The usual way of doing this is to take the TGT you've obtained with the user's password, and then obtain a ticket for a principal for which the verifier has keys (e.g. a web server processing a username/password form login might get a ticket for its own HTTP/host@REALM principal), which it can then verify. Note that this requires that the verifier have its own Kerberos identity, which is mandated by the symmetric nature of Kerberos (whereas in the LDAP case, the use of public-key cryptography allows anonymous verification).

If this is not implemented, the documentation should at least indicate that there is no protection against KDC spoofing attacks here.

bernie.hackett@… originally submitted this as ticket:936

Both authGSSClientClean and authGSSServerClean call PyCObject_SetVoidPtr(pystate, NULL). When built for python 3.x PyCObject_SetVoidPtr is aliased as PyCapsule_SetPointer. According to The C API docs, the second parameter to PyCapsule_SetPointer cannot be NULL:

https://docs.python.org/3.1/c-api/capsule.html#PyCapsule_SetPointer

Reproduction:

Python 3.4.3 (v3.4.3:9b73f1c3e601, Feb 23 2015, 02:52:03) [GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin Type "help", "copyright", "credits" or "license" for more information.

import kerberos res, ctx = kerberos.authGSSClientInit("someservice@somehost") kerberos.authGSSClientClean(ctx)

1

res, ctx = kerberos.authGSSClientInit("someservice@somehost")

ValueError: PyCapsule_SetPointer called with null pointer

This makes PyKerberos unusable under python 3.

hugh.xie@… originally submitted this as ticket:862

• Cc: hugh.xie@…

Hello,

I have enhanced package https://pypi.python.org/pypi/kerberos to support S4U2Proxy. Here are the major changes:
gss_acquire_cred() - 2nd parameter desired_name need to be switched to GSS_C_NO_NAME; 5th parameter cred_usage to GSS_C_BOTH
gss_accept_sec_context() - 9th output parameter ret_flags must be specified instead of NULL; 11th output parameter delegated_cred_handle must be specified instead of NULL.
gss_init_sec_context() - 2nd parameter cred_handle must be passed with delegated_cred_handle from gss_accept_sec_context()

I like to know how to submit this change to the standard build.

P.S. The enhancement for S4U2Proxy can only works with MIT Krb5 lib 1.10 or later (the rest are backward compatible if not using delegation). Here is discussion with MIT team: https://www.mail-archive.com/[email protected]/msg20810.html

roland@… originally submitted this as ticket:440

Please release PyKerberos on PyPi. That way it become's easy_install-able.

@cyrusdaboo originally submitted this as ticket:39

The Kerberos/krb_err.h header file is no longer included in the Kerberos.framework on 10.5. Its not needed anyhow as it releates to Kerberos IV - but we just use Kerberos V.

rbasch@… originally submitted this as ticket:355

In PyKerberos 1.1, authenticate_gss_client_wrap() (src/kerberosgss.c) miscalculates the length of the username string when wrapping it, by including the terminating null character in the length. This results in authentication failures. I am attaching a patch that seems to fix the problem.

dpejesh@… originally submitted this as ticket:930

This patch allows setting the mech oid to SPNEGO for HTTP authentication.

Martin.vGagern@… originally submitted this as ticket:404

PyKerberos won't compile against Heimdal 1.3.3 on my Gentoo Linux system.

1. Heimdal doesn't provide a gssapi/gssapi_generic.h header file
2. The krb5_context type is declared in krb5.h
3. krb5_kt_cursor isn't a pointer, so you can't assign NULL
4. gss_krb5_nt_service_name is undefined, GSS_KRB5_NT_PRINCIPAL_NAME seems to be the heimdal replacement

Some of these, like the missing gss_krb5_nt_service_name, have been mentioned in ticket #⁠37 already, but it seems they never made it into the tree.

I'll attach a patch addressing the errors, but I assume it will break compatibility with MIT Kerberos. Don't know the best approach to cater for both. Maybe we should check some preprocessor macro. Or we could check the presence of certain header files in setup.py, and supply our own preprocessor macro from this information. Or we could investigate the list of libraries that krb5-config generates, as I believe e.g. libroken to be specific to Heimdal. Not sure, though.

Some functions used by the code are deprecated according to the Heimdal header file:

1. Use krb5_xfree instead of krb5_free_unparsed_name
2. Use krb5_get_init_creds_opt_alloc instead of krb5_get_init_creds_opt_init
3. Use krb5_set_password instead of krb5_change_password

I haven't addressed these in my patch, as they are only warnings, but perhaps you should note them for future reference. And if MIT Kerberos provides the newer functions as well, you should switch as soon as possible.

rcritten@… originally submitted this as ticket:830

GSSAPI defines the function gss_inquire_cred() to get information about existing GSS credentials. This lets one peek into the credential store without initiating communication with a server.

In the case of Kerberos this would return the principal name of the current TGT.

herron@… originally submitted this as ticket:909

When I run the "python setup.py build" command, I get the following compilation errors:

C:\python27\python setup.py build
running build
running build_ext
building 'kerberos' extension
c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\cl.exe /c /nologo /Ox /MD /W3 /GS- /DNDEBUG -IC:\python27\incl
ude -IC:\python27\PC /Tcsrc/base64.c /Fobuild\temp.win32-2.7\Release\src/base64.obj '{' is not recognized as an internal
 or external command, operable program or batch file.
cl : Command line warning D9024 : unrecognized source file type ''{'', object file assumed
cl : Command line warning D9027 : source file ''{'' ignored
cl : Command line warning D9024 : unrecognized source file type 'is', object file assumed
cl : Command line warning D9027 : source file 'is' ignored
cl : Command line warning D9024 : unrecognized source file type 'not', object file assumed
cl : Command line warning D9027 : source file 'not' ignored
cl : Command line warning D9024 : unrecognized source file type 'recognized', object file assumed
cl : Command line warning D9027 : source file 'recognized' ignored
cl : Command line warning D9024 : unrecognized source file type 'as', object file assumed
cl : Command line warning D9027 : source file 'as' ignored
cl : Command line warning D9024 : unrecognized source file type 'an', object file assumed
cl : Command line warning D9027 : source file 'an' ignored
cl : Command line warning D9024 : unrecognized source file type 'internal', object file assumed
cl : Command line warning D9027 : source file 'internal' ignored
cl : Command line warning D9024 : unrecognized source file type 'or', object file assumed
cl : Command line warning D9027 : source file 'or' ignored
cl : Command line warning D9024 : unrecognized source file type 'external', object file assumed
cl : Command line warning D9027 : source file 'external' ignored
cl : Command line warning D9024 : unrecognized source file type 'command,', object file assumed
cl : Command line warning D9027 : source file 'command,' ignored
cl : Command line warning D9024 : unrecognized source file type 'operable', object file assumed
cl : Command line warning D9027 : source file 'operable' ignored
cl : Command line warning D9024 : unrecognized source file type 'program', object file assumed
cl : Command line warning D9027 : source file 'program' ignored
cl : Command line warning D9024 : unrecognized source file type 'or', object file assumed
cl : Command line warning D9027 : source file 'or' ignored
cl : Command line warning D9024 : unrecognized source file type 'batch', object file assumed
cl : Command line warning D9027 : source file 'batch' ignored
cl : Command line warning D9024 : unrecognized source file type 'file.', object file assumed
cl : Command line warning D9027 : source file 'file.' ignored
base64.c
src/base64.c(59) : error C2143: syntax error : missing ';' before 'type'
src/base64.c(60) : error C2065: 'oval' : undeclared identifier
src/base64.c(61) : error C2065: 'oval' : undeclared identifier
src/base64.c(78) : error C2143: syntax error : missing ';' before 'type'
src/base64.c(80) : error C2275: 'size_t' : illegal use of this type as an expression
        c:\program files (x86)\microsoft visual studio 9.0\vc\include\codeanalysis\sourceannotations.h(19) : see declara
tion of 'size_t'
src/base64.c(80) : error C2146: syntax error : missing ';' before identifier 'vlen'
src/base64.c(80) : error C2065: 'vlen' : undeclared identifier
src/base64.c(81) : error C2143: syntax error : missing ';' before 'type'
src/base64.c(82) : error C2143: syntax error : missing ';' before 'type'
src/base64.c(86) : error C2065: 'result' : undeclared identifier
src/base64.c(86) : warning C4047: 'return' : 'unsigned char *' differs in levels of indirection from 'int'
src/base64.c(88) : error C2065: 'c1' : undeclared identifier
src/base64.c(89) : error C2065: 'c1' : undeclared identifier
src/base64.c(89) : error C2065: 'c1' : undeclared identifier
src/base64.c(89) : error C2065: 'c1' : undeclared identifier
src/base64.c(92) : error C2065: 'c2' : undeclared identifier
src/base64.c(93) : error C2065: 'c2' : undeclared identifier
src/base64.c(93) : error C2065: 'c2' : undeclared identifier
src/base64.c(93) : error C2065: 'c2' : undeclared identifier
src/base64.c(96) : error C2065: 'c3' : undeclared identifier
src/base64.c(97) : error C2065: 'c3' : undeclared identifier
src/base64.c(97) : error C2065: 'c3' : undeclared identifier
src/base64.c(97) : error C2065: 'c3' : undeclared identifier
src/base64.c(97) : error C2065: 'c3' : undeclared identifier
src/base64.c(100) : error C2065: 'c4' : undeclared identifier
src/base64.c(101) : error C2065: 'c4' : undeclared identifier
src/base64.c(101) : error C2065: 'c4' : undeclared identifier
src/base64.c(101) : error C2065: 'c4' : undeclared identifier
src/base64.c(101) : error C2065: 'c4' : undeclared identifier
src/base64.c(106) : error C2065: 'out' : undeclared identifier
src/base64.c(106) : error C2100: illegal indirection
src/base64.c(106) : error C2065: 'c1' : undeclared identifier
src/base64.c(106) : error C2065: 'c1' : undeclared identifier
src/base64.c(106) : error C2065: 'c1' : undeclared identifier
src/base64.c(106) : error C2065: 'c2' : undeclared identifier
src/base64.c(106) : error C2065: 'c2' : undeclared identifier
src/base64.c(106) : error C2065: 'c2' : undeclared identifier
src/base64.c(106) : error C2106: '=' : left operand must be l-value
src/base64.c(109) : error C2065: 'c3' : undeclared identifier
src/base64.c(110) : error C2065: 'out' : undeclared identifier
src/base64.c(110) : error C2100: illegal indirection
src/base64.c(110) : error C2065: 'c2' : undeclared identifier
src/base64.c(110) : error C2065: 'c2' : undeclared identifier
src/base64.c(110) : error C2065: 'c2' : undeclared identifier
src/base64.c(110) : error C2065: 'c3' : undeclared identifier
src/base64.c(110) : error C2065: 'c3' : undeclared identifier
src/base64.c(110) : error C2065: 'c3' : undeclared identifier
src/base64.c(110) : error C2106: '=' : left operand must be l-value
src/base64.c(113) : error C2065: 'c4' : undeclared identifier
src/base64.c(114) : error C2065: 'out' : undeclared identifier
src/base64.c(114) : error C2100: illegal indirection
src/base64.c(114) : error C2065: 'c3' : undeclared identifier
src/base64.c(114) : error C2065: 'c3' : undeclared identifier
src/base64.c(114) : error C2065: 'c3' : undeclared identifier
src/base64.c(114) : error C2065: 'c4' : undeclared identifier
src/base64.c(114) : error C2065: 'c4' : undeclared identifier
src/base64.c(114) : error C2065: 'c4' : undeclared identifier
src/base64.c(114) : error C2106: '=' : left operand must be l-value
src/base64.c(121) : error C2065: 'result' : undeclared identifier
src/base64.c(121) : error C2100: illegal indirection
src/base64.c(124) : error C2065: 'result' : undeclared identifier
src/base64.c(124) : warning C4047: 'return' : 'unsigned char *' differs in levels of indirection from 'int'
error: command '"c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\BIN\cl.exe"' failed with exit status 2

ssorce@… originally submitted this as ticket:311

• Cc: ssorce@…

We use PyKerberos in the FreeIPA project. Up to version one we carried a patch to set the delegate flag by default. With version 1.1 of PyKerberos I added a few flags to the init function so that it is easy to control the flags without patching the code. The code is backwards compatible as it adds a default argument to the function that is set to the previous defaults.

It would be nice if you would consider including this patch in the upstream distribution.

message.adams@… originally submitted this as ticket:847

Important functionality currently missing from PyKerberos, is the ability for a middle tier server to reuse the client's credentials to authenticate against another server (credential delegation).

ticket #⁠481 (submitted by Daniel) kindly added a patch for this, but the patch also contained a number of other changes which may prevent the delegation work from being committed to trunk. This ticket contains just the delegation work submitted by Daniel, which I hope will expedite these changes into trunk - as I feel this is very valuable functionality.

tylerlhobbs@… originally submitted this as ticket:792

The attached patch adds debian package metadata. To build a package, simply run 'dpkg-buildpackage'.

hugh.xie@… originally submitted this as ticket:900

Successfully tested kerberos delegation on trunk (v1.1.2, ticket 862). Please push this version to PyPI. Thanks.

alex@… originally submitted this as ticket:798

• Keywords: python3k
• Cc: alectolytic@…, mcepl@…

This patch introduces Python 3 support, while maintaining support for Python 2.6. I've attempted to do this in a low-impact way where possible.

./src/kerberos.c is altered with preprocessor statements to substitute or translate the existing API calls to their Python 3 equivalents when required. When building against Python 2, the code should be effectively the same.

./setup.py is altered to import the getoutput function from the version specific library. Also, the Python 3 classifier is added to the classifiers list.

./test.py is altered to import HTTPSConnection and HTTPConnection from the version specific library. Print statements are altered to be Python 3 and Python 2.6 compatible. Additionally, the as keyword replaces the comma in exception handling (this is also Python 2.6 compatible).

To build the package against Python 3 call:

    python3 setup.py build

i.e. use the regular build command, but substitute python3 for python (or python3 for python2 depending on the platform).

I've tested test.py's "basic" mode with Python 3.3 and Python 2.7, and it appears to work normally.

The patch is signed with the key alex <at> szc.ca - 4096R/645DAFC3

dcallagh@… originally submitted this as ticket:942

In r13269 the argument parsing for authGSSClientInit was (accidentally?) changed to no longer accept None for the principal argument.

This breaks the requests-kerberos module: requests/requests-kerberos#76

Fix is trivial, change s back to z in the argument format string.

tylerlhobbs@… originally submitted this as ticket:791

The attached patch makes it easy to build an RPM package by running 'make -f redhat/makefile'.

tylerlhobbs@… originally submitted this as ticket:513

These operations can take a long time to complete, and they currently hold the GIL, making the library unsuitable for multithreaded use.

tylerlhobbs@… originally submitted this as ticket:512

The principal argument is supposed to have a default value of None, but the format string for this function uses 's', which does not allow for a None value.

agx@… originally submitted this as ticket:67

• Cc: @agx

Hi,

the test has hardcode values in testCheckpassword. Introducing one more commandline options fixes this (see attached patch). Please apply.

Cheers,

-- Guido

@agx originally submitted this as ticket:256

• Cc: @agx

Hi, attached Patch adds password changing to pykerberos. Some of the code overlaps with kerberosbasic.c but that can easily be cleaned up at later once the formatting issues are solved. Please apply to the more-kerberos branch.

agx@… originally submitted this as ticket:37

• Keywords: review

Hi, attached is a bunch of patches that adds support for linux/heimdal. They might not be as clean as possible but should show fairly well what to do. Please apply as approprioate. The patch order is:

• printf-cleanups: generic cleanups
• include-stdlib: include stdlib for definition of free(3)
• kerberos-includes: fixup kerberos includes for non macosx
• declare-nt-service: gss_krb5_nt_service_name is declared differently in heimdal
• python-include: include "python.h"
• fix-setup: detect "linux2" and pass correct linker flags

Cheers,

-- Guido