I am using netsight.windowsauthplugin version 2.3.1 in my Plone CMS installation on a Linux server. The domain/realm is a Windows domain.
My sysadmin gave me a .keytab file and set up the DNS A and PTR records, I have configured /etc/krb5.conf (the same way I have it for a Spring Java webapp on another server), configured Zope, but when I try to log in with Internet Explorer from my PC, I get an error:
GSSError: (('Unspecified GSS failure. Minor code may provide more
information', 851968), ('No key table entry found matching HTTP/#',
39756033))
What am I missing? My Plone Python interpreter cannot resolve a proper name? It cannot read the keytab or krb5.conf file?
There's a lot that can/could go wrong (or has to go right) before SSO works. To focus directly on your error report it seems that the PAS plugin in Plone cannot correctly get the GSSAPI service name.
In the latest master version on github (https://github.com/netsight/netsight.windowsauthplugin) there is a 'GSSAPI service' property you can add to the SPNEGO object stored in acl_users. Use this version and set the GSSAPI Service property to 'HTTP#www.mydomain.com'.
Note the '#' here, I think this is also wrong in the default value netsight.windowsauthplugin calculates, where it adds a '/' as separator (suggesting it's an SPN, but it is the GSSAPI service hint to the Kerberos library).
If you run into other problems after this, please first try to enable kerberos library tracing by adding a KRB5_TRACE=/location/to/krbtrace-mysite.log environment variable before you start your Plone site (assuming you can run it from the terminal on some unixy environment). This KRB5_TRACE only works with newer kerberos releases but will provide you a lot more insight as to what is going wrong when you have to debug any further.
Related
I am looking for a way to clone a remote private git repository locally via Python. Git, i.e. not specific to a version control provider. Ideally I am looking to establish a connection with the remote repo (provider) using the credentials and then clone (emulate what would happen through bash) or just download the repo. This needs to happen via the Python script though. The credentials would be provided to the script as encoded arguments on console execution.
Everything I have tried so far seems to have a quirk that does not solve the issue entirely.
This post seems to solve the issue of cloning a public repo(GitPython): https://stackoverflow.com/a/2472616/6599916
Searching through stack and the GitPython documentation I haven't found a way to set authentication credentials through the GitPython library though. If anyone has implemented this it would be greatly appreciated.
Furthermore, in the past, I have implemented a version of this with a user prompt, but only for GitHub by employing requests to authenticate and then download the zip file of the remote repo. I can still use this, just for github.
remoteReply = requests.get(remURL, timeout=20, auth=credentials)
Also, I tried this: https://github.community/t5/How-to-use-Git-and-GitHub/Clone-private-repo/td-p/12616
which is still just for github. I would have tried a gitlab implementation but this yields errors when the user password contains special characters like #. Is there a way to resolve this?
Finally, an implementation via the APIs of version control providers would be feasible if there existed a way to authenticate via username and password. All info regarding my issue circles around using sha or tokens which are not a solution in my case.
Basically I'm looking for an alternative of https://github.com/einfallstoll/express-ntlm for Python/Tornado
I could just add node.js as another layer in the application but I'd rather not
A way to get the Windows user of the client accessing a URL
This will be used in a web app only available on a corporate network
When deploying on IIS with IIS handling Windows authentication, you can retrieve the remote user from the environment variables. This assumes you have Windows authentication enabled and configured.
Then you can simply get the variables out of the environment. As noted in the Microsoft documentation applicable environment variables include REMOTE_USER, AUTH_USER, LOGON_USER, and UNMAPPED_REMOTE_USER. Check the docs for specific usages.
In Python, these can be retrieved with os.environ.
Tested this using IIS 7.5 running a simple script and was able to get the username with Python simply by os.environ.get("REMOTE_USER")
If you're using a proxy, the environment variable may be different, such as 'HTTP_X_PROXY_REMOTE_USER'. The server may also need to be configured to pass those environment variables along if that's the case.
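Added example, not part of the original answer: the lookup described above, written so that a proxy-supplied user name is accepted only from the proxy itself, since every `HTTP_*` key is copied from a request header that any client can send. The proxy address 10.0.0.5 and the account names are assumptions; the function takes any mapping, so it works with a WSGI `environ` or with `os.environ` under CGI.

```python
import ipaddress

# Assumption: address of the reverse proxy that performs Windows authentication.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
PROXY_USER_KEY = "HTTP_X_PROXY_REMOTE_USER"   # key named in the answer above
SERVER_KEYS = ("REMOTE_USER", "AUTH_USER", "LOGON_USER")

def split_account(name):
    """Split 'DOMAIN\\user' or 'user@domain' into (domain, user)."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        domain, user = "", name
    return domain, user

def authenticated_user(environ):
    """Return (domain, user) for the request, or None if unauthenticated."""
    # These keys are filled in by the web server after it authenticated the client.
    for key in SERVER_KEYS:
        if environ.get(key):
            return split_account(environ[key])
    # HTTP_* keys mirror request headers, which any client can set. Honour the
    # proxy header only when the connection really comes from the proxy.
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    value = environ.get(PROXY_USER_KEY)
    if value and any(peer in net for net in TRUSTED_PROXIES):
        return split_account(value)
    return None

def app(environ, start_response):
    """Minimal WSGI app that refuses requests without an authenticated user."""
    who = authenticated_user(environ)
    if who is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"Windows authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"Hello {who[1]} from {who[0] or 'local'}\n".encode()]
```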
express-ntlm is based on an Apache Python project that does the very same: https://github.com/Legrandin/PyAuthenNTLM2/
I have created an app in python on mac osx 10.9. Then converted it into a .pkg file.
But while installing, I am facing gatekeeper issue of myapp.pkg can't be opened because it is from unidentified developer.
So, what are the steps to code sign it to avoid installation issue.
MYAPP.pkg and when double clicked, this pkg file will install MYAPP folder in /Applications location.
This MYAPP folder in /Applications location contains a) myappmain.app b) logout.app
myappmain.app performs main function while logout.app is for logging off of user.
myappmain.app needs support of two more apps for functioning named monitor.app and dialogbox.app.
Both monitor.app and dialogbox.app, I placed it in /Applications/MYAPP/myappmain.app/Contents/Resources location i.e. within main myappmain.app
All apps are written in python language.
Not knowing the exact setup of your system and your app's structure, I can only offer general advice.
From what I gather, the basic procedure includes:
1) Set up a code signing identity (private key and digital certificate) either through the Apple Developer Portal or using Certificate Assistant under your Mac's Keychain Access. You can also use Keychain Access to import an existing certificate. You can also export certificates from Xcode.
2) Add an Info.plist file to your application bundle if it is a single-file tool.
3) Actually sign the code using the codesign command line tool from a terminal. You can then test the signatures you created with the spctl command line tool. I think you can also set up signing within the Xcode options.
I got this information from the following link. There are a lot more details here, and you may have to do extra steps depending on your system, but I hope this helps.
Apple Developer Code Signing Guide
I am trying to use Bulkloader of google app engine but unfortunately could not understand what to do from documentation. It says add this part to app.yaml
builtins:
- remote_api: on
ok i have added. Then says that i have to execute this command
appcfg.py update
but i don't have any appcfg.py file. And also what is the command which executes this line?
Please somebody tell me what I am missing. I use AppEngineLauncher to upload my project to the server. I have never used a command to update or upload it.
Thanks in advance..
If you're using App Engine Launcher, simply click the Deploy button; it runs appcfg.py update. appcfg is installed as part of the SDK.
In order to call it globally you must set the Python path to include the Google App Engine library, or call it from its exact location
~/google_appengine/appcfg.py update ~/project/path_to_your_yaml_file/
where ~ stands for your home folder.
For those using the Java GAE SDK, it comes with appcfg.sh, but doesn't support the full features of appcfg.py. You need to also install the Python GAELauncher. On Mac, it installs appcfg.py in /usr/local/bin.
Working only with my local datastore, I did not have an app.yaml, nor did I need to update it as per the uploading data GAE documentation. Just needed to update the web.xml with the RemoteApiServlet.
Main gotcha is the Authentication error while connecting to the local data store. It may be specific to Mac and the Charles proxy work around mentioned in that thread likewise worked for me. I did have to modify the default proxy port from 8888 to avoid conflict with my app. The workaround is tedious and the trial version of Charles comes with limitations such as shutdown after 30 minutes.
To use the main database for development, first download it from app engine:
bulkloader.py --dump --url http://<app name>.appspot.com/_ah/remote_api --filename dump.bin
It will ask for an email and password (use your google login details).
To upload it to the development environment, make sure remote_api is enabled in app.yaml
https://developers.google.com/appengine/docs/python/tools/uploadingdata#Setting_Up_remote_api
Then run:
bulkloader.py --restore --url http://localhost:8080/_ah/remote_api --filename dump.bin --application dev~<app name>
This time for the email, just leave it blank and hit enter.
I'm using PyWin32 to make WMI calls to the system in python from my django web application. My goal is to allow users to add printers to the system via a web interface. To do this, I'm using win32print.AddPrinterConnection.
This works well running the development server under my user account. I can add all the printers I want. However, eventually, this will need to run under apache which runs as the LocalSystem account.
This is problematic for two reasons:
The LocalSystem account has no network privileges at all, and this is a network printer. The AddPrinterConnection WMI call eventually makes a COM call that will be disallowed.
The LocalSystem account has no access to the domain these printers are on. They require a domain account to access.
Therefore, I've come to the conclusion that I need to impersonate domain user(s) to accomplish this task. I've done so using the code found here:
http://code.activestate.com/recipes/81402/
This seems to work as I'm able to verify that I've successfully impersonated the calling code. Unfortunately, after impersonation I always get this error from the win32print.AddPrinterConnection API call:
Exception Type: error
Exception Value: (2, 'AddPrinterConnection', 'The system cannot find the file specified.')
Do you have any idea why this may be?
Thanks a bunch! Pete
Update
Playing around, I noticed that the AddPrinterConnection API call completes successfully if the user that I'm impersonating is currently logged into the system. Once I log that user out and retry the command while impersonating that user, I get the error stated above.
What is going on here?
I can't help with the specific problem, but I do know that if I had to work with WMI stuff on Windows, with Python, I would definitely reach for Tim Golden's Python WMI module instead of pywin32. Perhaps in the documentation/cookbook or Google searches using that module you can find a solution.