On Mon, 2011-12-05 at 18:37 -0500, Simo Sorce wrote:
> On Fri, 2011-12-02 at 10:10 -0500, Simo Sorce wrote:
> > On Fri, 2011-12-02 at 09:27 -0500, Rob Crittenden wrote:
> > > Simo Sorce wrote:
> > > > Hello all,
> > > >
> > > > with this set of patches it is possible to allow constrained delegation
> > > > of credentials so that a service can impersonate a user when
> > > > [..]
> > >
> > > In the third patch in ipadb_get_delegation_acl() you can just fall
> > > through to the return.
> >
> > Removed useless check.
>
> I also noticed I had added the prototype declaration for the new vtable
> function in the 2nd patch instead of the 3rd where it belongs by
> mistake.
>
> So I fixed that too.
>
> > > I think the content of this e-mail should be added as a README to the
> > > source tree.
> >
> > Ok, I dumped and adapted the email content into a README file and added
> > it to the third patch.
> >
> > I also fixed the patch names as per policy.
> >
> > Simo.
>
> We have discovered a few issues w/ MIT 1.9 and s4u2proxy used outside of
> the 'artificial' test done by kvno.
>
> I pushed a patch to handle part of the problem as a new krb5 package in
> ipa-devel.
>
> Soon we will have a patch for mod_auth_kerb that handles an issue there.
>
> But we still have an unresolved issue when using the adtrust
> functionality and our KDC releases PACs.
>
> The attached patch can be used to deal with that case. As you can see
> this is not intended for production, but can be used until we have a
> better fix on the KDC side.
>
> Simo.
Rebased patch 468 to apply to current master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 1ecdb11ba9a11707278e03fb54cff5693bd626ce Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Sun, 20 Nov 2011 17:04:05 -0500
Subject: [PATCH] ipa-kdb: Delegation ACL schema

---
 install/share/60basev3.ldif | 5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 0e4303b1e2b247f751fad3aaeb2b418d3ffa16eb..104cffb2b70d97d4b83b9215234171801cf59b64 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -23,8 +23,13 @@ attributeTypes: ( 2.16.840.1.113730.3.8.11.16 NAME 'ipaNTTrustAuthIncoming' DESC attributeTypes: ( 2.16.840.1.113730.3.8.11.17 NAME 'ipaNTTrustForestTrustInfo' DESC 'Forest trust information for a trusted domain object' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) attributeTypes: ( 2.16.840.1.113730.3.8.11.18 NAME 'ipaNTTrustPosixOffset' DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) attributeTypes: ( 2.16.840.1.113730.3.8.11.19 NAME 'ipaNTSupportedEncryptionTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +attributeTypes: ( 2.16.840.1.113730.3.8.11.20 NAME 'memberPrincipal' DESC 'Principal names member of a groupOfPrincipals group' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA-v3') +attributeTypes: ( 2.16.840.1.113730.3.8.11.21 NAME 'ipaAllowToImpersonate' DESC 'Principals that can be impersonated' SUP distinguishedName X-ORIGIN 'IPA-v3') +attributeTypes: ( 2.16.840.1.113730.3.8.11.22 NAME 'ipaAllowedTarget' DESC 'Target principals alowed to get a ticket for' SUP distinguishedName X-ORIGIN 'IPA-v3') objectClasses: (2.16.840.1.113730.3.8.12.1 NAME 'ipaExternalGroup' SUP top STRUCTURAL MUST ( cn ) MAY ( ipaExternalMember $ memberOf $ description $ owner) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.2 NAME 'ipaNTUserAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) MAY ( ipaNTHash $ ipaNTLogonScript $ ipaNTProfilePath $ ipaNTHomeDirectory $ ipaNTHomeDirectoryDrive ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.3 NAME 'ipaNTGroupAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.4 NAME 'ipaNTDomainAttrs' SUP top AUXILIARY MUST ( ipaNTSecurityIdentifier $ ipaNTFlatName $ ipaNTDomainGUID ) MAY ( ipaNTFallbackPrimaryGroup ) X-ORIGIN 
'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.5 NAME 'ipaNTTrustedDomain' SUP top STRUCTURAL DESC 'Trusted Domain Object' MUST ( cn ) MAY ( ipaNTTrustType $ ipaNTTrustAttributes $ ipaNTTrustDirection $ ipaNTTrustPartner $ ipaNTFlatName $ ipaNTTrustAuthOutgoing $ ipaNTTrustAuthIncoming $ ipaNTSecurityIdentifier $ ipaNTTrustForestTrustInfo $ ipaNTTrustPosixOffset $ ipaNTSupportedEncryptionTypes) ) +objectClasses: (2.16.840.1.113730.3.8.12.6 NAME 'groupOfPrincipals' SUP top AUXILIARY MUST ( cn ) MAY ( memberPrincipal ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.7 NAME 'ipaKrb5DelegationACL' SUP groupOfPrincipals STRUCTURAL MAY ( ipaAllowToImpersonate $ ipaAllowedTarget ) X-ORIGIN 'IPA v3' ) -- 1.7.7.1
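Review bot: ipaKrb5DelegationACL (OID 2.16.840.1.113730.3.8.12.7) is declared STRUCTURAL with SUP groupOfPrincipals, but groupOfPrincipals (12.6) is AUXILIARY; RFC 4512 section 2.4.1 says structural object classes cannot subclass auxiliary ones, so either make groupOfPrincipals STRUCTURAL (or ABSTRACT), or have ipaKrb5DelegationACL derive from top and carry memberPrincipal in its own MAY list. 389 DS may load the definition as written, but a strict schema checker will reject it, and the inconsistency is worth resolving before the OIDs are frozen. Smaller points in the same hunk: the DESC of ipaAllowedTarget misspells "allowed" ("Target principals alowed to get a ticket for"); ipaAllowToImpersonate and ipaAllowedTarget are SUP distinguishedName, so their values are DNs, yet both DESC strings describe them as "Principals", and the description should say which entries the DNs are expected to point at; the DESC of memberPrincipal reads "Principal names member of a groupOfPrincipals group" and should be "Principal names that are members of a groupOfPrincipals group"; and the three new attributeTypes use X-ORIGIN 'IPA-v3' while every other definition in this file, including the two new objectClasses, uses 'IPA v3'.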
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel