simplification: remove setting KERBEROS_KEYTAB

The keytab file must be passed using the usual KRB5_KTNAME environment
variable to the Django process, no need to use a custom setting for
that. For memory syntax is KRB5_KTNAME=FILE:/path/to/keytab

README

@@ -26,13 +26,6 @@ Hostname for retrieving the service key, the correspondig principal will be
 `HTTP/{KERBEROS_HOSTNAME}@DEFAULT_REAML`, default is `None`. If `None` the hostname
 from the request will be used.
 
-`KERBEROS_KEYTAB`
------------------
-
-File path of the keytab containing the key for the service principal, default
-is `None`. If `None` the default host keytab will be tried, which should fails
-since it's usually only readable by root.
-
 `KERBEROS_BACKEND_CREATE`
 -------------------------
 

src/django_kerberos/app_settings.py

@@ -8,7 +8,6 @@ class AppSettings(object):
             'DEFAULT_REALM': None,
             'SERVICE_PRINCIPAL': '',
             'HOSTNAME': None,
-            'KEYTAB': None,
             'KEEP_PASSWORD': False,
     }
 

src/django_kerberos/views.py

@@ -1,5 +1,4 @@
 import kerberos
-import os
 
 from django import http
 from django.template.response import TemplateResponse
@@ -16,37 +15,27 @@ def www_authenticate(request):
 def login(request):
     '''Try to authenticate the user using SPNEGO and Kerberos'''
     next_url = request.REQUEST.get('next') or settings.LOGIN_REDIRECT_URL
-    if app_settings.KEYTAB:
-        old = os.environ.get('KRB5_KTNAME')
-        os.environ['KRB5_KTNAME'] = app_settings.KEYTAB
-    try:
-        host = app_settings.HOSTNAME or request.get_host().split(':')[0]
-        service = 'HTTP@%s' % host
+    host = app_settings.HOSTNAME or request.get_host().split(':')[0]
+    service = 'HTTP@%s' % host
 
-        if 'HTTP_AUTHORIZATION' in request.META:
-            kind, authstr = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
-            print authstr
-            if kind == 'Negotiate':
-                result, context = kerberos.authGSSServerInit(service)
-                if result != 1:
-                    return TemplateResponse(request, 'django_kerberos/error.html')
-                r = kerberos.authGSSServerStep(context, authstr)
-                if r == 1:
-                    gssstring = kerberos.authGSSServerResponse(context)
-                else:
-                    return www_authenticate(request)
-                principal = kerberos.authGSSServerUserName(context)
-                kerberos.authGSSServerClean(context)
-                user = authenticate(principal=principal)
-                if user:
-                    auth_login(request, user)
-                    response = http.HttpResponseRedirect(next_url)
-                    response['WWW-Authenticate'] = 'Negotiate %s' % gssstring
-                    return response
-        return www_authenticate(request)
-    finally:
-        if app_settings.KEYTAB:
-            if old:
-                os.environ['KRB5_KTNAME'] = old
+    if 'HTTP_AUTHORIZATION' in request.META:
+        kind, authstr = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
+        print authstr
+        if kind == 'Negotiate':
+            result, context = kerberos.authGSSServerInit(service)
+            if result != 1:
+                return TemplateResponse(request, 'django_kerberos/error.html')
+            r = kerberos.authGSSServerStep(context, authstr)
+            if r == 1:
+                gssstring = kerberos.authGSSServerResponse(context)
             else:
-                del os.environ['KRB5_KTNAME']
+                return www_authenticate(request)
+            principal = kerberos.authGSSServerUserName(context)
+            kerberos.authGSSServerClean(context)
+            user = authenticate(principal=principal)
+            if user:
+                auth_login(request, user)
+                response = http.HttpResponseRedirect(next_url)
+                response['WWW-Authenticate'] = 'Negotiate %s' % gssstring
+                return response
+    return www_authenticate(request)