Alexander Bokovoy wrote:
On Wed, 14 Dec 2011, Rob Crittenden wrote:

Dmitri Pal wrote:
On 12/12/2011 07:15 PM, Simo Sorce wrote:
On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote:
This patch adds support for s4u2proxy. This means that the Apache
server
will obtain the ldap service ticket on behalf of the user rather than
the user having to send their TGT. The user's ticket still needs to
be
forwardable, we just don't require it to be forwarded any more.

Should we make the patch allow the old behavior by using a switch that
revert to forwarding the TGT ?

It would be useful during upgrades if some of your servers still need
forwarded TGTs, or if you want to use a newer client against an old
server while you have the newer stuff under test.
(And to test in general).

Simo.
+1


Updated patch attached.

rob

> From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden<rcrit...@redhat.com>
Date: Thu, 8 Dec 2011 14:23:18 -0500
Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
  now

A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegation, is available if
the old behavior is required.
A minor point: please fix the commit message to use the proper option name:

--delegate

+        parser.add_option('--delegate', action='store_true',
+            help='Delegate the TGT to the IPA server',
+        )

Otherwise ACK.


Updated both patches. The first (914) to address Alexander's concern. The second to add a new global lock directive. I updated the mod_auth_kerb patch based on feedback from the package maintainer.

rob
>From e49de4c969ad227a694f88970f975a091d6ad65b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 8 Dec 2011 14:23:18 -0500
Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
 now

A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

https://fedorahosted.org/freeipa/ticket/1098
---
 ipa.1               |    3 +++
 ipalib/backend.py   |    2 +-
 ipalib/constants.py |    1 +
 ipalib/plugable.py  |    5 ++++-
 ipalib/rpc.py       |   24 +++++++++++++++++-------
 5 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/ipa.1 b/ipa.1
index 4c8ba377effba3324de4d2c9c0e5898f2e9fa2b9..91432a0afa3e2e88d744505234b2b459cbd6b77e 100644
--- a/ipa.1
+++ b/ipa.1
@@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR.
 \fB\-d\fR, \fB\-\-debug\fR
 Produce full debugging output.
 .TP
+\fB\-\-\-delegate\fR
+Delegate the user's TGT to the IPA server
+.TP
 \fB\-e\fR \fIKEY=VAL\fR
 Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files.
 .TP
diff --git a/ipalib/backend.py b/ipalib/backend.py
index 79f190832b72f3e41ff0d6b0a4dcf619b35ded37..7ed378e888880e1a0a209116ea8b73f8192a1ef5 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -110,7 +110,7 @@ class Executioner(Backend):
             self.Backend.ldap2.connect(ccache=ccache)
         else:
             self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
-                fallback=self.env.fallback)
+                fallback=self.env.fallback, delegate=self.env.delegate)
         if client_ip is not None:
             setattr(context, "client_ip", client_ip)
 
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 96cf3ba604d0a53e687a76d01ab0b9b7b3e185fb..c6b3b63ffcb0bee8b21997a32e9e86e76b5576fe 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -133,6 +133,7 @@ DEFAULT_CONFIG = (
     ('prompt_all', False),
     ('interactive', True),
     ('fallback', True),
+    ('delegate', False),
 
     # Enable certain optional plugins:
     ('enable_ra', False),
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index e0b6e7f968ca16c3fed4667ba1d972edf5262546..4d0011029573df44d8d5e85e0e2b2a3f872c0703 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -530,6 +530,9 @@ class API(DictProxy):
         parser.add_option('-d', '--debug', action='store_true',
             help='Produce full debuging output',
         )
+        parser.add_option('--delegate', action='store_true',
+            help='Delegate the TGT to the IPA server',
+        )
         parser.add_option('-v', '--verbose', action='count',
             help='Produce more verbose output. A second -v displays the XML-RPC request',
         )
@@ -570,7 +573,7 @@ class API(DictProxy):
                     pass
                 overrides[str(key.strip())] = value.strip()
         for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
-            'fallback'):
+            'fallback', 'delegate'):
             value = getattr(options, key, None)
             if value is not None:
                 overrides[key] = value
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 8ec3a2f2706f6a18216ea8cfc74bc50b21159d31..4670283c99118e9804e13599337c3fe000c17617 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -234,6 +234,7 @@ class KerbTransport(SSLTransport):
     """
     Handles Kerberos Negotiation authentication to an XML-RPC server.
     """
+    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
 
     def _handle_exception(self, e, service=None):
         (major, minor) = ipautil.get_gsserror(e)
@@ -259,10 +260,7 @@ class KerbTransport(SSLTransport):
         service = "HTTP@" + host.split(':')[0]
 
         try:
-            (rc, vc) = kerberos.authGSSClientInit(service,
-                                                kerberos.GSS_C_DELEG_FLAG |
-                                                kerberos.GSS_C_MUTUAL_FLAG |
-                                                kerberos.GSS_C_SEQUENCE_FLAG)
+            (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
         except kerberos.GSSError, e:
             self._handle_exception(e)
 
@@ -286,6 +284,14 @@ class KerbTransport(SSLTransport):
         return (host, extra_headers, x509)
 
 
+class DelegatedKerbTransport(KerbTransport):
+    """
+    Handles Kerberos Negotiation authentication and TGT delegation to an
+    XML-RPC server.
+    """
+    flags = kerberos.GSS_C_DELEG_FLAG |  kerberos.GSS_C_MUTUAL_FLAG | \
+            kerberos.GSS_C_SEQUENCE_FLAG
+
 class xmlclient(Connectible):
     """
     Forwarding backend plugin for XML-RPC client.
@@ -305,7 +311,7 @@ class xmlclient(Connectible):
         """
         if not hasattr(self.conn, '_ServerProxy__transport'):
             return None
-        if isinstance(self.conn._ServerProxy__transport, KerbTransport):
+        if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
             scheme = "https"
         else:
             scheme = "http"
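Review bot: Replacing `isinstance` with `type(...) in (KerbTransport, DelegatedKerbTransport)` on the changed line is a step backwards: DelegatedKerbTransport subclasses KerbTransport (added earlier in this patch), so the original `isinstance(self.conn._ServerProxy__transport, KerbTransport)` already matched it and will also match any future subclass, while the tuple check has to be maintained by hand. Keep the original line. The enclosing method starts before this hunk.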
@@ -339,14 +345,18 @@ class xmlclient(Connectible):
 
         return servers
 
-    def create_connection(self, ccache=None, verbose=False, fallback=True):
+    def create_connection(self, ccache=None, verbose=False, fallback=True,
+                          delegate=False):
         servers = self.get_url_list()
         serverproxy = None
         for server in servers:
             kw = dict(allow_none=True, encoding='UTF-8')
             kw['verbose'] = verbose
             if server.startswith('https://'):
-                kw['transport'] = KerbTransport()
+                if delegate:
+                    kw['transport'] = DelegatedKerbTransport()
+                else:
+                    kw['transport'] = KerbTransport()
             else:
                 kw['transport'] = LanguageAwareTransport()
             self.log.info('trying %s' % server)
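Review bot: The nested `if delegate:` / `else:` added under the https branch replaces a one-line assignment with four lines; a conditional expression keeps the shape of the surrounding code: `kw['transport'] = DelegatedKerbTransport() if delegate else KerbTransport()`. The new `delegate` parameter is undocumented and create_connection has no docstring in view; a short note that it forwards the caller's TGT to the server instead of relying on S4U2Proxy, and defaults to off, would tell callers why they would set it. The method continues past the hunk.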
-- 
1.7.6

>From 9a539e221837d16aaabba88e390fcc4e90229ffa Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 8 Dec 2011 17:21:07 -0500
Subject: [PATCH] Configure s4u2proxy during installation.

This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX

Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.

https://fedorahosted.org/freeipa/ticket/1098
---
 install/conf/ipa.conf                 |    4 +++-
 install/share/bootstrap-template.ldif |   22 ++++++++++++++++++++++
 install/updates/30-s4u2proxy.update   |   18 ++++++++++++++++++
 install/updates/Makefile.am           |    1 +
 ipaserver/install/httpinstance.py     |    3 +++
 5 files changed, 47 insertions(+), 1 deletions(-)
 create mode 100644 install/updates/30-s4u2proxy.update

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 72e3e4c01d48a200f4e25f2adec4dd9a5391ce64..f256dab4d76c3740685890b91aae7822ede56252 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 2 - DO NOT REMOVE THIS LINE
+# VERSION 3 - DO NOT REMOVE THIS LINE
 #
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
@@ -42,6 +42,7 @@ WSGIScriptReloading Off
   SetHandler None
 </Location>
 
+KrbConstrainedDelegationLock ipa
 
 # Protect /ipa with Kerberos
 <Location "/ipa">
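Review bot: `KrbConstrainedDelegationLock ipa` here and `KrbConstrainedDelegation on` in the next hunk are directives of the patched mod_auth_kerb mentioned in the cover mail, not of the stock module, and nothing in the file says so; a reader whose httpd refuses to start after the VERSION bump gets no hint why. A comment above the lock directive such as `# Requires mod_auth_kerb with S4U2Proxy (constrained delegation) support` would help. It would also be worth a comment on why `KrbSaveCredentials on` is still needed once the TGT is no longer forwarded — presumably so the ticket obtained via S4U2Proxy lands in a ccache the framework reads; confirm.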
@@ -53,6 +54,7 @@ WSGIScriptReloading Off
   KrbAuthRealms $REALM
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
+  KrbConstrainedDelegation on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 </Location>
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 4f6bc3c978e51397d5a5683898ff17668d6e925b..4fba730b12519085e3fe3dc4e652c7018024ae63 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -161,6 +161,28 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
 
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: ipaKrb5DelegationACL
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-http-delegation
+memberPrincipal: HTTP/$HOST@$REALM
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-ldap-delegation-targets
+memberPrincipal: ldap/$HOST@$REALM
+
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
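Review bot: `ipaAllowedTarget` on the ipa-http-delegation entry points at `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, but the target entry added a few lines below lives at `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`; the RDN `cn=s4u2proxy` is missing, so the ACL references a non-existent entry and the HTTP service would not be allowed to obtain ldap tickets on the user's behalf. Change it to `ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`. The same wrong DN appears in install/updates/30-s4u2proxy.update, where the value is additionally wrapped in single quotes; whether the updater strips those or stores them as part of the value should be confirmed.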
diff --git a/install/updates/30-s4u2proxy.update b/install/updates/30-s4u2proxy.update
new file mode 100644
index 0000000000000000000000000000000000000000..be1d557e7c20934cea11440d8ebfa06d104c50a9
--- /dev/null
+++ b/install/updates/30-s4u2proxy.update
@@ -0,0 +1,18 @@
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: ipaKrb5DelegationACL
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-http-delegation
+default: memberPrincipal: HTTP/$HOST@$REALM
+default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-ldap-delegation-targets
+default: memberPrincipal: ldap/$HOST@$REALM
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index cc7117614fdabba230ae4ac75ffe77603dfbd675..20a1ce3a92208a063c6c7f36336356428f98f274 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -18,6 +18,7 @@ app_DATA =				\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
 	21-replicas_container.update	\
+	30-s4u2proxy.update		\
 	40-delegation.update		\
 	40-dns.update			\
 	40-automember.update		\
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 79b617289f26eb3b1b79bd134a5ee0bcc2bb5157..7fa19c108cfd1c52cc290c32ecba66ab5cf9d1f4 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,6 +136,9 @@ class HTTPInstance(service.Service):
         pent = pwd.getpwnam("apache")
         os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
 
+        # Clean up existing ccache
+        installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
+
     def __configure_http(self):
         target_fname = '/etc/httpd/conf.d/ipa.conf'
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
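Review bot: The new `remove_file` call hard-codes `/tmp/krb5cc_%d` as the apache user's ccache and the comment only says what is done, not why a stale ccache matters for this change; a why-comment such as `# A ccache left by a pre-S4U2Proxy install may still hold credentials forwarded by users; remove it so the constrained-delegation setup starts clean` would help (the reason is inferred from the cover mail — confirm). If the ccache location used by mod_auth_kerb is configurable, the path would better come from the same place as the httpd configuration than be assumed here. The enclosing method begins before the hunk.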
-- 
1.7.6
