Community Packages

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#77793 - [python-pywinrm] Kerberos authentication to winrm fails

Attached to Project: Community Packages
Opened by Jon Gerdes (gerdesj) - Thursday, 09 March 2023, 17:32 GMT
Last edited by Sven-Hendrik Haase (Svenstaro) - Monday, 13 March 2023, 05:10 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sven-Hendrik Haase (Svenstaro)
Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

I use Ansible a fair bit in a Windows world. Ansible pulls in python-pywinrm which pulls in python-requests-kerberos. This last package lacks "authGSSWinRMEncryptMessage" which is needed to access a WinRM service using Kerberos.

That function is provided by pykerberos. However the pykerberos in the Arch community repo is actually kerberos ie the Apple supported one which has a github repo called ccs-pykerberos! So to recap: PyPi has two packages, one called kerberos and one called pykerberos. Arch's pykerberos is actually kerberos. The repo for kerberos - https://github.com/02strich/pykerberos does state that it is on life support.

This bug: https://github.com/apple/ccs-pykerberos/issues/84 implies to me that Apple are not too bothered about Ansible 8)

I have found that if I pip install pykerberos I get Ansible working again with WinRM and I also run nagstamon which needs python-requests-kerberos also seems to work fine, authenticating with Kerb tickets.
This task depends upon

Closed by  Sven-Hendrik Haase (Svenstaro)
Monday, 13 March 2023, 05:10 GMT
Reason for closing:  Fixed
Comment by Toolybird (Toolybird) - Thursday, 09 March 2023, 20:35 GMT
Sorry, I'm confused. How do you propose for Arch to fix the bug?

Note that Arch's "python-pykerberos" is currently orphaned i.e. there is no maintainer. So if it's packaged incorrectly we might be SOL.
Comment by Jon Gerdes (gerdesj) - Friday, 10 March 2023, 01:31 GMT
Sorry, I posted that lot after a rather long debugging session into territories I don't normally frequent! There are multiple issues here and I ended up picking on pywinrm because that is what is failing for me.

I think the right Arch thing to do is drop the current python-pykerberos package completely - it is incorrectly named and unmaintained and I think it hinders rather than helps. That might spur interested parties to sort out the various Kerberos issues in Python.

I or someone else could whip up python-pykerberos and python-kerberos that actually represent what PyPi intends. Then we add python-pykerberos as a dependency for python-pywinrm Then there is the issue of fixing up dependencies for whatever wants the "old" python-pykerberos.
Comment by Toolybird (Toolybird) - Friday, 10 March 2023, 04:34 GMT
Ok, but it still sounds like a mess :/

The only thing depending on "python-pykerberos" is "python-pure-sasl" (for the testsuite) and interestingly this pkg also depends on a virtual "python-kerberos" which doesn't currently exist?

Assigning to relevant PM's who can hopefully pull the right strings.
Comment by Sven-Hendrik Haase (Svenstaro) - Sunday, 12 March 2023, 07:46 GMT
Well this is some bullshit. Anyway, I'm changing the upstream for this and epoching it. Please test whether this works for you.
Comment by Jon Gerdes (gerdesj) - Monday, 13 March 2023, 01:28 GMT
Works for me:

$ python -c "import kerberos; print(hasattr(kerberos, 'authGSSWinRMEncryptMessage'))"
True

Now the mess here in Arch is just the same as everywhere else but at least it works! Any other snags can be handled upstream and either passed down or not.

Thank you Toolybird and Svenstaro for sorting this out so quickly.

Loading...