rpc: do kinit if principal and password are present #7285

Closed
wants to merge 1 commit into from


spike77453

This adds a kinit function to krb_utils and calls it if a principal and password are supplied.

Motivation: I'd like to interact with the FreeIPA API through ipalib without having to set up a keytab or credentials cache beforehand, e.g.

```python
from ipalib import api

api.bootstrap(
    domain='example.com',
    principal=f'{username}@EXAMPLE.COM',
    password=password,
)
api.finalize()
api.Backend.rpcclient.connect()

result = api.Command...
```

This is quite useful in containerised, virtual, or generally ephemeral environments that are not IPA enrolled.

This could also be done similarly to how python-freeipa achieves this (i.e. use password authentication and save the provided cookie).

Pointers and feedback very welcome.

@tiran
Member

tiran commented Mar 22, 2024

FreeIPA already has a kinit with password helper kinit_password() in ipalib.install.kinit. That one also supports FAST for 2FA. It shells out to the kinit command. AFAIK there is no GSSAPI API for fast ccache.

The ipalib.install subpackage is not available in PyPI packages. We could move the module to ipalib and alias the old module, though.

I'm -1 to add a principal and password argument to bootstrap(). I'd rather recommend that users should use one of several APIs to acquire a ticket.
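One way to acquire the ticket outside bootstrap(), as the comment above recommends; this is an added example, not FreeIPA's code and not part of this PR. It shells out to kinit with the password on stdin and writes to a private ccache; the function names, the `kinit` parameter, the EXAMPLE.COM principal and the ccache location are assumptions, and FAST armor is not covered.

```python
import os
import shutil
import subprocess
import tempfile


def build_kinit(principal, ccache_path, lifetime=None, kinit="kinit"):
    """Return (argv, env) for a password kinit into a dedicated ccache.

    The password is not a parameter here on purpose: it goes to kinit on
    stdin, so it never appears in the process list or the environment.
    """
    if not principal or principal.startswith("-"):
        raise ValueError("principal must not be empty or look like an option")
    argv = [kinit, "-c", f"FILE:{ccache_path}"]
    if lifetime:
        argv += ["-l", lifetime]
    argv += ["--", principal]  # "--" ends option parsing before user input
    # Minimal environment: fixed locale, no inherited KRB5CCNAME/KRB5_CONFIG.
    env = {"LC_ALL": "C", "PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    return argv, env


def kinit_private_ccache(principal, password, lifetime=None, kinit="kinit"):
    """Get a TGT into a fresh per-process ccache; return its ccache name."""
    ccdir = tempfile.mkdtemp(prefix="krb5cc_")  # mkdtemp creates it mode 0700
    argv, env = build_kinit(principal, os.path.join(ccdir, "ccache"), lifetime, kinit)
    try:
        proc = subprocess.run(argv, input=password + "\n", env=env,
                              text=True, capture_output=True, check=False)
        if proc.returncode != 0:
            raise RuntimeError(f"kinit failed: {proc.stderr.strip()}")
    except Exception:
        shutil.rmtree(ccdir, ignore_errors=True)  # leave no stray ccache
        raise
    return argv[2]


def destroy_ccache(ccache_name):
    """Remove the ticket cache and its directory once the session is done."""
    path = ccache_name.removeprefix("FILE:")
    shutil.rmtree(os.path.dirname(path), ignore_errors=True)


# Typical use (needs a reachable KDC, so it is not run here):
#   os.environ["KRB5CCNAME"] = kinit_private_ccache("admin@EXAMPLE.COM", pw)
#   ... api.bootstrap(...); api.finalize(); api.Backend.rpcclient.connect() ...
#   destroy_ccache(os.environ.pop("KRB5CCNAME"))
```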

@spike77453
Author

> The ipalib.install subpackage is not available in PyPI packages. We could move the module to ipalib and alias the old module, though.

Would definitely work for me.

@abbra
Contributor

abbra commented Mar 27, 2024

@spike77453
So I think we can close this PR in favor of #7287 and #7286 -- those two create an infrastructure to achieve what you stated as a goal in the description.

@spike77453
Author

Sure thing. Thanks a bunch for your help!

spike77453 closed this Mar 27, 2024