Archive for the ‘Uncategorized’ Category

python-kerberos + urllib2

(Wow, old post sitting in my draft box for eons. Might be useful to someone …)

At work, I’ve been working on getting the planet RSS aggregator to work w/ mod_auth_kerb + wordpress-mu. Thankfully, I found this quite useful post:
http://selenic.com/pipermail/mercurial/2008-June/019776.html

With this very useful snippet of code:
http://selenic.com/pipermail/mercurial/attachments/20080624/ec728dbb/attachment.py

#!/usr/bin/python

# urllib2 with kerberos proof of concept
# Copyright 2008 Lime Spot LLC

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# A copy of the GNU General Public License can be found at
# .

import re
import logging
import sys
import urllib2 as u2

import kerberos as k

def getLogger():
    log = logging.getLogger("http_negotiate_auth_handler")
    handler = logging.StreamHandler()
    formatter = logging.Formatter('%(asctime)s %(levelname)s %(message)s')
    handler.setFormatter(formatter)
    log.addHandler(handler)
    return log

log = getLogger()

class HTTPNegotiateAuthHandler(u2.BaseHandler):
    """auth handler for urllib2 that does HTTP Negotiate Authentication
    """

    # Pull the base64 token out of a "Negotiate <token>" challenge, even when
    # other schemes are listed before it in the same header.
    rx = re.compile(r'(?:.*,)*\s*Negotiate\s*([^,]*),?', re.I)
    handler_order = 480 # before Digest auth

    def negotiate_value(self, headers):
        authreq = headers.get('www-authenticate', None)

        if authreq:
            mo = HTTPNegotiateAuthHandler.rx.search(authreq)
            if mo:
                return mo.group(1)
            else:
                log.debug("regex failed on: %s" % authreq)

        else:
            log.debug("www-authenticate header not found")

        return None

    def __init__(self):
        self.retried = 0
        self.context = None

    def generate_request_header(self, req, headers):
        neg_value = self.negotiate_value(headers)
        if neg_value is None:
            self.retried = 0
            return None

        # Give up after a bounded number of rounds instead of looping on 401s.
        if self.retried >= 5:
            raise u2.HTTPError(req.get_full_url(), 401, "negotiate auth failed",
                               headers, None)

        self.retried += 1

        log.debug("req.get_host() returned %s" % req.get_host())
        # The service principal is HTTP/<host>; the KDC must hold a key for it.
        result, self.context = k.authGSSClientInit("HTTP@%s" % req.get_host())

        if result < 1:
            log.warning("authGSSClientInit returned result %d" % result)
            return None

        log.debug("authGSSClientInit() succeeded")

        result = k.authGSSClientStep(self.context, neg_value)

        if result < 0:
            log.warning("authGSSClientStep returned result %d" % result)
            return None

        log.debug("authGSSClientStep() succeeded")

        response = k.authGSSClientResponse(self.context)
        log.debug("authGSSClientResponse() succeeded")

        return "Negotiate %s" % response

    def authenticate_server(self, headers):
        # Mutual authentication: feed the token from the server's final
        # response back into the context so the client verifies the server too.
        neg_value = self.negotiate_value(headers)
        if neg_value is None:
            log.critical("mutual auth failed. No negotiate header")
            return None

        result = k.authGSSClientStep(self.context, neg_value)
        if result < 1:
            log.critical("mutual auth failed: authGSSClientStep returned result %d" % result)

    def clean_context(self):
        if self.context is not None:
            k.authGSSClientClean(self.context)

    def http_error_401(self, req, fp, code, msg, headers):
        log.debug("inside http_error_401")
        try:
            neg_hdr = self.generate_request_header(req, headers)

            if neg_hdr is None:
                log.debug("neg_hdr was None")
                return None

            req.add_unredirected_header('Authorization', neg_hdr)
            resp = self.parent.open(req)

            # Note: a mutual-auth failure is only logged here; the response is
            # still returned to the caller.
            self.authenticate_server(resp.info())

            return resp

        finally:
            self.clean_context()

def test():
    log.setLevel(logging.DEBUG)
    log.info("starting test")
    opener = u2.build_opener()
    opener.add_handler(HTTPNegotiateAuthHandler())
    resp = opener.open(sys.argv[1])
    print dir(resp), resp.info(), resp.code

if __name__ == '__main__':
    test()

Packages to come, and hopefully I’ll get the patch pushed upstream soon.
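As an added illustration (not part of the original post or of the Lime Spot snippet above), here is a Python 3 sketch of the same Negotiate exchange with the GSSAPI context replaced by a constructed stand-in, so it runs without a KDC. It shows the two things the handler above has to get right: picking the Negotiate challenge out of a WWW-Authenticate header that may list several schemes, and completing mutual authentication by checking the token the server returns with its final response rather than trusting a 200 on its own. The names negotiate_token, NegotiateHandshake, FakeGssContext and simulate are my own; the status values mirror python-kerberos's AUTH_GSS_CONTINUE and AUTH_GSS_COMPLETE, and the tokens are constructed strings, not real Kerberos messages.

```python
import base64
import re

# Status codes mirroring python-kerberos's AUTH_GSS_CONTINUE / AUTH_GSS_COMPLETE.
AUTH_GSS_CONTINUE = 0
AUTH_GSS_COMPLETE = 1

# One Negotiate challenge inside a comma-separated WWW-Authenticate value.
# The token, when present, is base64 and stops at the next comma or the end.
_NEGOTIATE_RE = re.compile(r'(?i)(?:^|,)\s*negotiate(?:\s+([A-Za-z0-9+/=]+))?\s*(?=,|$)')


def negotiate_token(www_authenticate):
    """Return the token from a Negotiate challenge, '' for a bare 'Negotiate'
    challenge, or None when the header is missing or lists only other schemes."""
    if not www_authenticate:
        return None
    match = _NEGOTIATE_RE.search(www_authenticate)
    if match is None:
        return None
    return match.group(1) or ''


class NegotiateHandshake:
    """Client side of one HTTP Negotiate exchange.

    `context` is any object with step(token_b64) -> (status, out_token_b64),
    the shape of kerberos.authGSSClientStep + authGSSClientResponse (assumption).
    """
    MAX_ROUNDS = 5  # same cap the handler above applies to retries

    def __init__(self, context):
        self.context = context
        self.rounds = 0

    def authorization_for(self, response_headers):
        """Build the Authorization header answering a 401, or None if the
        server did not offer Negotiate or the context produced no token."""
        token = negotiate_token(response_headers.get('www-authenticate'))
        if token is None:
            self.rounds = 0
            return None
        if self.rounds >= self.MAX_ROUNDS:
            raise RuntimeError('negotiate auth failed after %d rounds' % self.rounds)
        self.rounds += 1
        status, out_token = self.context.step(token)
        if status < 0 or not out_token:
            return None
        return 'Negotiate ' + out_token

    def verify_server(self, response_headers):
        """Mutual authentication: the final response must carry a Negotiate
        token that the context accepts; a missing or bare header is a failure."""
        token = negotiate_token(response_headers.get('www-authenticate'))
        if not token:
            return False
        status, _ = self.context.step(token)
        return status == AUTH_GSS_COMPLETE


class FakeGssContext:
    """Constructed stand-in for a Kerberos GSS context, used so the example
    runs without a KDC. Round 1 emits a client token; round 2 accepts only the
    constructed server token (base64 of 'SERVER-AP-REP')."""
    CLIENT_TOKEN = base64.b64encode(b'CLIENT-AP-REQ').decode('ascii')
    SERVER_TOKEN = base64.b64encode(b'SERVER-AP-REP').decode('ascii')

    def __init__(self):
        self.stage = 0

    def step(self, in_token_b64):
        if self.stage == 0:
            self.stage = 1
            return AUTH_GSS_CONTINUE, self.CLIENT_TOKEN
        self.stage = 2
        if in_token_b64 == self.SERVER_TOKEN:
            return AUTH_GSS_COMPLETE, ''
        return -1, ''


def simulate(server_returns_mutual_token):
    """Run the 401 -> Authorization -> final-response exchange over constructed
    headers and report whether the server ended up authenticated."""
    handshake = NegotiateHandshake(FakeGssContext())
    # Constructed 401 challenge, listing Negotiate alongside Basic.
    authz = handshake.authorization_for({'www-authenticate': 'Negotiate, Basic realm="intranet"'})
    if authz is None:
        return False
    # Constructed final response: a correctly configured server proves itself
    # by returning its own token; one without the right key cannot.
    final = {}
    if server_returns_mutual_token:
        final['www-authenticate'] = 'Negotiate ' + FakeGssContext.SERVER_TOKEN
    return handshake.verify_server(final)


if __name__ == '__main__':
    print('mutual auth with server token:', simulate(True))      # True
    print('mutual auth without server token:', simulate(False))  # False
```

The practical difference from the snippet above is that verify_server returns a result the caller can act on, so a response whose mutual-authentication step fails can be treated as unauthenticated instead of merely logged.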

Moving iPhoto onto a portable hard drive…

Found this gem:
http://support.apple.com/kb/HT1229

Moving ~110gb off of Janel’s laptop and onto more easily expandable storage.

Security fix: wordpress-2.6.5-2 packages for Fedora 10

wordpress-2.6.5-2 just got rolled into dist-f10-updates by bodhi; should be available via mirrors soon. This should address CVE-2009-1030 for those folks not behind a modern httpd webserver.

Mead?

Saw this from Stumbleupon: http://scottdavisanderson.com/blog/sustainable-vision/mead-making-101/

Given that my buddy, taw, is a local bee-keeper, I wonder if I should give this a go?

Debugging Firefox + GSSAPI

So, I’ve been working on internal collaboration apps, and a big thing is seamless authentication. Unfortunately, I’m no kerberos/gssapi guru, and have been fighting w/ my development KDC instance quite a bit.

I kept wondering why I couldn’t get some sort of console log from Firefox, since the command-line kinit runs were working fine but mod_auth_kerb was very unhappy… turns out, you can 🙂

1) Close all instances of Firefox.
2) Open a command shell, and enter the following commands:

[bretm@koom Desktop]$ export NSPR_LOG_MODULES=negotiateauth:5
[bretm@koom Desktop]$ export NSPR_LOG_FILE=/tmp/moz.log

3) Restart Firefox and tail /tmp/moz.log

(from RHEL 5’s Deployment Guide)

Problems with git bare repos and hooks?

Had an interesting issue crop up yesterday… supposedly, the reason a post-receive hook wasn’t firing was because the repo was set to “bare=true”. I’ve googled for “bare repo” plus “hook”, and can’t find anything that would suggest hooks function any differently on bare repos vs normal ones.

Can anyone out there point me in the right direction?

Time Machine & NFS or Samba backup

Janel has been very pleased with her Mac so far; mostly she’s been working with iPhoto and iMovie. I have to say: I’m damn impressed with the machine.

I’ve been doing a bit of research on the integrated backup program, Time Machine, that’s included in Mac OS X 10.5. At first, I was disappointed to hear it required the HFS filesystem, but I did a bit more digging, and found these two links:

http://freakymousemats.com/blog/posts/2007/11/01/time-machine-over-smb/

http://forums.bit-tech.net/showthread.php?t=141960

These suggest that folks have had success using both SMB as well as NFS to serve as the persistent storage. I haven’t tested it out, but plan to use it with the 300gb HP Media Vault that serves as our on-site backup. Wish me luck.

Oh, and the critical command appears to be:

defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

UPDATE (14-July-2008): so, this didn’t work out too well. The machine complained that it wasn’t able to create the image. I’ve heard that other folks have the same issue, and will be trying to find and document the solution. Then I’ll start testing restoring files =)

UPDATE (22-July-2008): Some initial success… Wes’s information got me past the sparsebundle failure, though I had to dig through the link comments to find the right parameters for Janel’s Intel-based Mac. Here’s what I used:

hdiutil create -size "${SIZE}g" -fs HFS+J -type SPARSEBUNDLE -volname "Backup of ${MACHINENAME}" "${MACHINENAME}_${MACADDRESS}.sparsebundle"

You then recursively copy that sparse bundle to the network share, and it should become something you can select during Time Machine setup. Time Machine is going to try backing up her Mac in an hour; I’ll post if it succeeds.

One thing I am concerned about is keeping the network connection available to the Mac… I haven’t found the equivalent of “reconnect,” etc.