This was a response to a post of mine in 2010. The comment was unformatted in the response, and I wanted to get it readable. Its a great example of making a Kerberized web call.
Courtesy of Rich Megginson
Note: requires MIT kerberos 1.11 or later if you want to skip doing the kinit, and just let the script do the kinit implicitly with the keytab.
import kerberos import sys import os from requests.auth import AuthBase import requests import json class IPAAuth(AuthBase): def __init__(self, hostname, keytab): self.hostname = hostname self.keytab = keytab self.token = None self.refresh_auth() def __call__(self, request): if not self.token: self.refresh_auth() request.headers['Authorization'] = 'negotiate ' + self.token return request def refresh_auth(self): if self.keytab: os.environ['KRB5_CLIENT_KTNAME'] = self.keytab else: LOG.warn('No IPA client kerberos keytab file given') service = "HTTP@" + self.hostname flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG try: (_, vc) = kerberos.authGSSClientInit(service, flags) except kerberos.GSSError, e: LOG.error("caught kerberos exception %r" % e) raise e try: kerberos.authGSSClientStep(vc, "") except kerberos.GSSError, e: LOG.error("caught kerberos exception %r" % e) raise e self.token = kerberos.authGSSClientResponse(vc) hostname, url, keytab, cacert = sys.argv[1:] request = requests.Session() request.auth = IPAAuth(hostname, keytab) ipaurl = 'https://%s/ipa' % hostname jsonurl = url % {'hostname': hostname} request.headers.update({'Content-Type': 'application/json', 'Referer': ipaurl}) request.verify = cacert myargs = {'method': 'dnsrecord_add', 'params': [["testdomain.com", "test4.testdomain.com"], {'a_part_ip_address': '172.31.11.4'}], 'id': 0} resp = request.post(jsonurl, data=json.dumps(myargs)) print resp.json() myargs = {'method': 'dnsrecord_find', 'params': [["testdomain.com"], {}], 'id': 0} resp = request.post(jsonurl, data=json.dumps(myargs)) print resp.json() |
Run the script like this:
python script.py ipahost.domain.tld ‘https://%(hostname)s/ipa/json’ myuser.keytab /etc/ipa/ca.crt |