On Thu, 2011-08-11 at 13:07 +0300, Alexander Bokovoy wrote:
> On 11.08.2011 12:19, Martin Kosek wrote:
> > This is a first shot for client enrollment fix. I had to pull the new
> > version of xmlrpc-c from koji as it is not in updates-testing repo yet:
> > 
> > http://koji.fedoraproject.org/koji/buildinfo?buildID=257947
> > 
> > Fixed curl package is already in stable repos.
> > 
> > Unfortunately, it seems that credentials are not delegated yet. I still
> > get "did not receive Kerberos credentials" error from the server. Any
> > idea what went wrong? Adding xmlrpc-c maintainer on CC.
> 
> Looking at ipa-join.c patch, I noticed one thing:
> > diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
> > index 
> > 95f2939cd9812d70aab6d29fb526ac9eb7b5479d..23af923e9d3ae1c466ffa19ea5f2aaac89ebec37
> >  100644
> > --- a/ipa-client/ipa-join.c
> > +++ b/ipa-client/ipa-join.c
> > @@ -149,6 +149,8 @@ callRPC(xmlrpc_env *            const envP,
> >      curlXportParmsP->no_ssl_verifypeer = 1;
> >      curlXportParmsP->no_ssl_verifyhost = 1;
> >      curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
> > +    /* Enable GSSAPI credentials delegation */
> > +    curlXportParmsP->gssapi_delegation = 1;
> >  
> >      clientparms.transport = "curl";
> >      clientparms.transportparmsP = (struct xmlrpc_xportparms *)
> 
> I think you also need to bump XMLRPC_CXPSIZE() to gssapi_delegation:
> 
> diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
> index 95f2939..f6ca693 100644
> --- a/ipa-client/ipa-join.c
> +++ b/ipa-client/ipa-join.c
> @@ -149,11 +149,13 @@ callRPC(xmlrpc_env *            const envP,
>      curlXportParmsP->no_ssl_verifypeer = 1;
>      curlXportParmsP->no_ssl_verifyhost = 1;
>      curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
> +    /* Enable GSSAPI credentials delegation */
> +    curlXportParmsP->gssapi_delegation = 1;
> 
>      clientparms.transport = "curl";
>      clientparms.transportparmsP = (struct xmlrpc_xportparms *)
>              curlXportParmsP;
> -    clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo);
> +    clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation);
>      xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
>                           &clientparms, sizeof(clientparms),
>                           &clientP);
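Review bot: The `XMLRPC_CXPSIZE(gssapi_delegation)` change in this hunk is what makes the new assignment take effect, and the two lines should be kept together in any later edit: the macro yields the size of `struct xmlrpc_curl_xportparms` up to and including the named member, and the curl transport only honours members that fall inside the `transportparm_size` it is given, so with `XMLRPC_CXPSIZE(cainfo)` the `gssapi_delegation = 1` line a few lines above is never read, which is consistent with the "did not receive Kerberos credentials" result reported earlier in the thread. A short comment beside the size line noting that it must name the last member set would make the dependency obvious to the next person who adds a field.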
> 

Thanks, that was the problem. I wonder how I missed it. Attaching the
updated patch; client enrollment on F-15 works.

Martin
From 91f5fb07aacc4ae009b8f1e098959b31cea7ad61 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Thu, 11 Aug 2011 10:42:29 +0200
Subject: [PATCH] Fix client enrollment

Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.

https://fedorahosted.org/freeipa/ticket/1452
---
 freeipa.spec.in       |   29 +++++++++++++++++++++++++++--
 ipa-client/ipa-join.c |    4 +++-
 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5dda8116aa86ce326a146ba55a4a44daac8474b8..cbc0f50ec5c9d5326e3b2c25dc194fc620afd491 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -36,8 +36,18 @@ BuildRequires:  openldap-devel
 BuildRequires:  krb5-devel
 BuildRequires:  krb5-workstation
 BuildRequires:  libuuid-devel
-BuildRequires:  xmlrpc-c-devel
+%if 0%{?fedora} >= 16
+BuildRequires:  libcurl-devel >= 7.21.7-2
+BuildRequires:  xmlrpc-c-devel >= 1.27.4
+%else
+%if 0%{?fedora} == 15
+BuildRequires:  libcurl-devel >= 7.21.3-9
+BuildRequires:  xmlrpc-c-devel >= 1.25.4
+%else
 BuildRequires:  libcurl-devel
+BuildRequires:  xmlrpc-c-devel
+%endif
+%endif
 BuildRequires:  popt-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
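Review bot: The fallback branch of this hunk (neither `fedora >= 16` nor `fedora == 15`) keeps `BuildRequires: libcurl-devel` and `xmlrpc-c-devel` with no version floor, while the `ipa-join.c` hunk in this same patch assigns `curlXportParmsP->gssapi_delegation` unconditionally, so a build that lands in that branch against an older xmlrpc-c-devel fails at compile time rather than at dependency resolution. Either put a floor on that branch too or guard the assignment with a configure-time check for the member. A one-line comment above the `%if` saying that 7.21.7-2 / 7.21.3-9 and 1.27.4 / 1.25.4 are the builds that carry opt-in GSSAPI delegation (the reason given in the changelog entry below) would also save the next reader a trip through the package changelogs.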
@@ -150,7 +160,18 @@ Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
 Requires: wget
-Requires: xmlrpc-c
+%if 0%{?fedora} >= 16
+Requires:  libcurl >= 7.21.7-2
+Requires:  xmlrpc-c >= 1.27.4
+%else
+%if 0%{?fedora} == 15
+Requires:  libcurl >= 7.21.3-9
+Requires:  xmlrpc-c >= 1.25.4
+%else
+Requires:  libcurl
+Requires:  xmlrpc-c
+%endif
+%endif
 Requires: sssd >= 1.5.1
 Requires: certmonger >= 0.26
 Requires: nss-tools
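Review bot: The runtime `Requires:` floors in this hunk are the ones that actually protect the fix, because `ipa-join` hands `gssapi_delegation` to libxmlrpc_client at run time: an older `xmlrpc-c` library package that does not know the member would be expected to ignore it, and enrollment would then fail exactly as before without any build-time signal. The block repeats the `BuildRequires:` conditional verbatim, so the two version pairs can easily drift apart on the next bump; consider defining them once (a macro near the top of the spec) and referencing it from both places.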
@@ -514,6 +535,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Thu Aug 11 2011 Martin Kosek <mko...@redhat.com> - 2.0.90-11
+- Set min nvr of xmlrpc-c and libcurl to make sure GSSAPI delegation
+  support is in
+
 * Tue Aug 2 2011 Endi S. Dewata <edew...@redhat.com> - 2.0.90-10
 - Add *.ico files
 
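Review bot: The changelog entry in this hunk states the minimum NVRs but not why they are needed; referencing the ticket (https://fedorahosted.org/freeipa/ticket/1452) and CVE-2011-2192, both already named in the commit message, would let someone reading `rpm -q --changelog` later understand that the floors exist because curl dropped unconditional GSSAPI delegation and xmlrpc-c had to grow an explicit opt-in.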
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 95f2939cd9812d70aab6d29fb526ac9eb7b5479d..f6ca693675e99ac71881755ef69048021f2c03b0 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -149,11 +149,13 @@ callRPC(xmlrpc_env *            const envP,
     curlXportParmsP->no_ssl_verifypeer = 1;
     curlXportParmsP->no_ssl_verifyhost = 1;
     curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
+    /* Enable GSSAPI credentials delegation */
+    curlXportParmsP->gssapi_delegation = 1;
 
     clientparms.transport = "curl";
     clientparms.transportparmsP = (struct xmlrpc_xportparms *)
             curlXportParmsP;
-    clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo);
+    clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation);
     xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
                          &clientparms, sizeof(clientparms),
                          &clientP);
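Review bot: With `gssapi_delegation = 1` the client now forwards its Kerberos credentials to whichever host terminates the TLS connection, which makes the unchanged `no_ssl_verifypeer = 1` and `no_ssl_verifyhost = 1` lines at the top of this hunk far more consequential than they were before: `cainfo` points at `/etc/ipa/ca.crt`, but with those two flags set it is not enforced, so nothing checks that the delegation target is the expected IPA server. Changing that is out of scope for this fix, but a TODO comment next to the delegation flag, or a follow-up ticket, would keep the opt-in from quietly outliving the reason peer verification is disabled.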
-- 
1.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel