On Wed, 2012-01-04 at 15:11 -0500, Rob Crittenden wrote: > Alexander Bokovoy wrote: > > On Wed, 14 Dec 2011, Rob Crittenden wrote: > > > >> Dmitri Pal wrote: > >>> On 12/12/2011 07:15 PM, Simo Sorce wrote: > >>>> On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote: > >>>>> This patch adds support for s4u2proxy. This means that the Apache > >>>>> server > >>>>> will obtain the ldap service ticket on behalf of the user rather than > >>>>> the using having to send their TGT. The user's ticket still needs to > >>>>> be > >>>>> forwardable, we just don't require it to be forwarded any more. > >>>> > >>>> Should we make the patch allow the old behavior by using a switch that > >>>> revert to forwarding the TGT ? > >>>> > >>>> It would be useful during upgrades if some of your servers still need > >>>> forwarded TGTs, or if you want to use a newer client against an old > >>>> server while you have the newer stuff under test. > >>>> (And to test in general). > >>>> > >>>> Simo. > >>> +1 > >>> > >> > >> Updated patch attached. > >> > >> rob > > > >> > From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001 > >> From: Rob Crittenden<rcrit...@redhat.com> > >> Date: Thu, 8 Dec 2011 14:23:18 -0500 > >> Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy > >> now > >> > >> A forwardable ticket is still required but we no longer need to send > >> the TGT to the IPA server. A new flag, --delegation, is available if > >> the old behavior is required. > > A minor point: please fix commit message to use proper option name: > > > > --delegate > > > >> + parser.add_option('--delegate', action='store_true', > >> + help='Delegate the TGT to the IPA server', > >> + ) > > > > Otherwise ACK. > > > > Updated both patches. The first (914) to address Alexander's concern. > The second to add a new global lock directive. I updated the > mod_auth_kerb patch based on feedback from the package maintainer. > > rob
ACK for patch 914-4. Pushed to master, ipa-2-2. It was actually sent in the thread for patch 947; I just renamed it and created a rebased version for the master branch. Both patches are attached. Martin
>From d78756d9bcaf1d75cc592fc621e25c4d1df980a3 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Thu, 8 Dec 2011 14:23:18 -0500 Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy now A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246 --- freeipa.spec.in | 15 +++++++-------- install/share/bootstrap-template.ldif | 2 +- ipa.1 | 3 +++ ipalib/backend.py | 2 +- ipalib/constants.py | 1 + ipalib/plugable.py | 5 ++++- ipalib/rpc.py | 24 +++++++++++++++++------- 7 files changed, 34 insertions(+), 18 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 6c92747..06e7d9e 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -92,17 +92,13 @@ Requires(pre): 389-ds-base >= 1.2.10-0.5.a5 Requires: openldap-clients Requires: nss Requires: nss-tools -%if 0%{?fedora} >= 16 -Requires: krb5-server >= 1.9.1-15 -%else -Requires: krb5-server -%endif +Requires: krb5-server >= 1.9.2-6 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd Requires: mod_wsgi -Requires: mod_auth_kerb >= 5.4-9 +Requires: mod_auth_kerb >= 5.4-8 Requires: mod_nss >= 1.0.8-10 Requires: python-ldap Requires: python-krbV 
@@ -665,11 +661,14 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog -* Wed Jan 11 2012 Simo Sorce <s...@redhat.com? - 2.2.0-7 +* Tue Jan 31 2012 Rob Crittenden <rcrit...@redhat.com> - 2.2.0-8 +- Set min for krb5-server to 1.9.2-6 to pick up needed s4u2proxy patches + +* Wed Jan 11 2012 Simo Sorce <s...@redhat.com> - 2.2.0-7 - Remove dependency on samba4 libs * Wed Jan 11 2012 Rob Crittenden <rcrit...@redhat.com> - 2.2.0-6 -- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support +- Set min for mod_auth_kerb to 5.4-8 to pick up s4u2proxy support * Tue Jan 10 2012 Alexander Bokovoy <aboko...@redhat.com> - 2.2.0-5 - Fix dependency for samba4-devel package diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index b58bfd7..e33f065 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -174,7 +174,7 @@ objectClass: groupOfPrincipals objectClass: top cn: ipa-http-delegation memberPrincipal: HTTP/$HOST@$REALM -ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX +ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX changetype: add diff --git a/ipa.1 b/ipa.1 index a5592b9..e9946b8 100644 --- a/ipa.1 +++ b/ipa.1 @@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR. \fB\-d\fR, \fB\-\-debug\fR Produce full debugging output. .TP +\fB\-\-\-delegate\fR +Delegate the user's TGT to the IPA server +.TP \fB\-e\fR \fIKEY=VAL\fR Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files. .TP diff --git a/ipalib/backend.py b/ipalib/backend.py index 79f1908..7ed378e 100644 --- a/ipalib/backend.py +++ b/ipalib/backend.py 
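Review bot: The corrected `ipaAllowedTarget` value in bootstrap-template.ldif only reaches installs that render this template; a server installed from the previous template keeps the old `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX` reference, which does not match the target entry's actual DN `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX` shown two lines below. Since this entry is what permits HTTP/$HOST to obtain the ldap ticket on the user's behalf, and the client in this same patch stops forwarding the TGT by default, an already-installed server with the stale DN would presumably fail authentication after upgrade. If the project has an update mechanism for bootstrap entries, the same DN fix likely belongs there; at minimum the commit message should state that existing installs need the entry corrected. The rebased copy of this patch further down repeats the hunk unchanged.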
@@ -110,7 +110,7 @@ class Executioner(Backend): self.Backend.ldap2.connect(ccache=ccache) else: self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2), - fallback=self.env.fallback) + fallback=self.env.fallback, delegate=self.env.delegate) if client_ip is not None: setattr(context, "client_ip", client_ip) diff --git a/ipalib/constants.py b/ipalib/constants.py index 7a1e3d2..899c765 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -139,6 +139,7 @@ DEFAULT_CONFIG = ( ('prompt_all', False), ('interactive', True), ('fallback', True), + ('delegate', False), # Enable certain optional plugins: ('enable_ra', False), diff --git a/ipalib/plugable.py b/ipalib/plugable.py index e0b6e7f..4d00110 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -530,6 +530,9 @@ class API(DictProxy): parser.add_option('-d', '--debug', action='store_true', help='Produce full debuging output', ) + parser.add_option('--delegate', action='store_true', + help='Delegate the TGT to the IPA server', + ) parser.add_option('-v', '--verbose', action='count', help='Produce more verbose output. A second -v displays the XML-RPC request', ) @@ -570,7 +573,7 @@ class API(DictProxy): pass overrides[str(key.strip())] = value.strip() for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive', - 'fallback'): + 'fallback', 'delegate'): value = getattr(options, key, None) if value is not None: overrides[key] = value diff --git a/ipalib/rpc.py b/ipalib/rpc.py index abfa44e..d8fee56 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -232,6 +232,7 @@ class KerbTransport(SSLTransport): """ Handles Kerberos Negotiation authentication to an XML-RPC server. """ + flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG def _handle_exception(self, e, service=None): (major, minor) = ipautil.get_gsserror(e) 
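Review bot: The help string for the new `--delegate` option does not tell the user what the flag does with their credentials or when it is needed, even though it re-enables sending the forwardable TGT to the server, which the rest of this patch deliberately stops doing by default; per the thread the opt-in exists for servers that still lack S4U2Proxy support, so say so: `help='Forward (delegate) the TGT to the IPA server; only needed for servers without S4U2Proxy support'`. The man page entry added in ipa.1 in the same patch spells the option `\fB\-\-\-delegate\fR` (three hyphens) while the parser registers `--delegate`; it should read `\fB\-\-delegate\fR`. Both points apply equally to the rebased patch further down.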
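Review bot: The new class attribute `flags` on KerbTransport carries no comment explaining why GSS_C_DELEG_FLAG is absent from the default set, which is the whole point of the patch and will look like an omission to anyone who remembers the old authGSSClientInit call. A one-line comment above it such as `# No GSS_C_DELEG_FLAG: the server obtains its ldap ticket via S4U2Proxy, so the client's TGT is not forwarded; see DelegatedKerbTransport for the opt-in.` would record the intent. The KerbTransport class body continues outside this hunk; the rebased patch further down repeats the same hunk.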
@@ -257,10 +258,7 @@ class KerbTransport(SSLTransport): service = "HTTP@" + host.split(':')[0] try: - (rc, vc) = kerberos.authGSSClientInit(service, - kerberos.GSS_C_DELEG_FLAG | - kerberos.GSS_C_MUTUAL_FLAG | - kerberos.GSS_C_SEQUENCE_FLAG) + (rc, vc) = kerberos.authGSSClientInit(service, self.flags) except kerberos.GSSError, e: self._handle_exception(e) @@ -284,6 +282,14 @@ class KerbTransport(SSLTransport): return (host, extra_headers, x509) +class DelegatedKerbTransport(KerbTransport): + """ + Handles Kerberos Negotiation authentication and TGT delegation to an + XML-RPC server. + """ + flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \ + kerberos.GSS_C_SEQUENCE_FLAG + class xmlclient(Connectible): """ Forwarding backend plugin for XML-RPC client. @@ -303,7 +309,7 @@ class xmlclient(Connectible): """ if not hasattr(self.conn, '_ServerProxy__transport'): return None - if isinstance(self.conn._ServerProxy__transport, KerbTransport): + if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport): scheme = "https" else: scheme = "http" @@ -337,14 +343,18 @@ class xmlclient(Connectible): return servers - def create_connection(self, ccache=None, verbose=False, fallback=True): + def create_connection(self, ccache=None, verbose=False, fallback=True, + delegate=False): servers = self.get_url_list() serverproxy = None for server in servers: kw = dict(allow_none=True, encoding='UTF-8') kw['verbose'] = verbose if server.startswith('https://'): - kw['transport'] = KerbTransport() + if delegate: + kw['transport'] = DelegatedKerbTransport() + else: + kw['transport'] = KerbTransport() else: kw['transport'] = LanguageAwareTransport() self.log.info('trying %s' % server) -- 1.7.6.5
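Review bot: The `type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport)` test in the `@@ -303` hunk replaces an isinstance check that already covered DelegatedKerbTransport, since that class subclasses KerbTransport in the hunk just above; the new form silently yields `http` for any further subclass and is the less idiomatic check. The removed line `if isinstance(self.conn._ServerProxy__transport, KerbTransport):` can simply stay as it was. The enclosing method starts before this hunk; the rebased patch further down repeats the same change.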
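Review bot: `create_connection` gains a `delegate` parameter in the `@@ -337` hunk but has no docstring, so nothing records that `delegate=True` selects DelegatedKerbTransport and thereby forwards the user's TGT to the server instead of relying on S4U2Proxy. Add a short docstring under the signature stating that, with a line for each of `ccache`, `verbose`, `fallback` and `delegate`, noting that `delegate` only has an effect for `https://` servers since the plain-http branch always uses LanguageAwareTransport. The method body continues past the end of this hunk; the rebased patch further down repeats the same hunk.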
>From aa0d6659a4e5d126f4c59127188ddf4a149d50b1 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Wed, 15 Feb 2012 17:06:54 +0100 Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy now A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246 --- freeipa.spec.in | 13 ++++++------- install/share/bootstrap-template.ldif | 2 +- ipa.1 | 3 +++ ipalib/backend.py | 2 +- ipalib/constants.py | 1 + ipalib/plugable.py | 5 ++++- ipalib/rpc.py | 24 +++++++++++++++++------- 7 files changed, 33 insertions(+), 17 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 198f4a4237eb9f6bfa4ce980448417634bfe316a..541dbeb6effbec26a377ad80cec1179ff3a62515 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -93,17 +93,13 @@ Requires(pre): 389-ds-base >= 1.2.10-0.5.a5 Requires: openldap-clients Requires: nss Requires: nss-tools -%if 0%{?fedora} >= 16 -Requires: krb5-server >= 1.9.1-15 -%else -Requires: krb5-server -%endif +Requires: krb5-server >= 1.9.2-6 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd Requires: mod_wsgi -Requires: mod_auth_kerb >= 5.4-9 +Requires: mod_auth_kerb >= 5.4-8 Requires: mod_nss >= 1.0.8-10 Requires: python-ldap Requires: python-krbV 
@@ -672,8 +668,11 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Tue Jan 31 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-15 +- Set min for krb5-server to 1.9.2-6 to pick up needed s4u2proxy patches + * Wed Jan 11 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-14 -- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support +- Set min for mod_auth_kerb to 5.4-8 to pick up s4u2proxy support * Fri Dec 9 2011 Alexander Bokovoy <aboko...@redhat.com> - 2.99.0-13 - Fix dependency for samba4-devel package diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index b58bfd7e7b5259336717350731d25e67549a4cd9..e33f06571a5dca1a921b856e9bfa89df887da7d8 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif @@ -174,7 +174,7 @@ objectClass: groupOfPrincipals objectClass: top cn: ipa-http-delegation memberPrincipal: HTTP/$HOST@$REALM -ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX +ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX changetype: add diff --git a/ipa.1 b/ipa.1 index a5592b9a6c9a810919e610b4aff59ccd487d6a54..e9946b823cdaf27e9af5b33f24943d686531b009 100644 --- a/ipa.1 +++ b/ipa.1 @@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR. \fB\-d\fR, \fB\-\-debug\fR Produce full debugging output. .TP +\fB\-\-\-delegate\fR +Delegate the user's TGT to the IPA server +.TP \fB\-e\fR \fIKEY=VAL\fR Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files. .TP diff --git a/ipalib/backend.py b/ipalib/backend.py index 79f190832b72f3e41ff0d6b0a4dcf619b35ded37..7ed378e888880e1a0a209116ea8b73f8192a1ef5 100644 --- a/ipalib/backend.py +++ b/ipalib/backend.py 
@@ -110,7 +110,7 @@ class Executioner(Backend): self.Backend.ldap2.connect(ccache=ccache) else: self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2), - fallback=self.env.fallback) + fallback=self.env.fallback, delegate=self.env.delegate) if client_ip is not None: setattr(context, "client_ip", client_ip) diff --git a/ipalib/constants.py b/ipalib/constants.py index 7a1e3d2ec5b496b3f043ebe1f0b6ce9198a1b159..899c765fab5a2af0d2828cba8b63476c4edf1952 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -139,6 +139,7 @@ DEFAULT_CONFIG = ( ('prompt_all', False), ('interactive', True), ('fallback', True), + ('delegate', False), # Enable certain optional plugins: ('enable_ra', False), diff --git a/ipalib/plugable.py b/ipalib/plugable.py index e0b6e7f968ca16c3fed4667ba1d972edf5262546..4d0011029573df44d8d5e85e0e2b2a3f872c0703 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -530,6 +530,9 @@ class API(DictProxy): parser.add_option('-d', '--debug', action='store_true', help='Produce full debuging output', ) + parser.add_option('--delegate', action='store_true', + help='Delegate the TGT to the IPA server', + ) parser.add_option('-v', '--verbose', action='count', help='Produce more verbose output. A second -v displays the XML-RPC request', ) @@ -570,7 +573,7 @@ class API(DictProxy): pass overrides[str(key.strip())] = value.strip() for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive', - 'fallback'): + 'fallback', 'delegate'): value = getattr(options, key, None) if value is not None: overrides[key] = value diff --git a/ipalib/rpc.py b/ipalib/rpc.py index abfa44e89e5859a7d0d03f0cf34c334ec1d67443..d8fee56395e7f286fa5daf86f0dc80aa242955fc 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -232,6 +232,7 @@ class KerbTransport(SSLTransport): """ Handles Kerberos Negotiation authentication to an XML-RPC server. """ + flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG def _handle_exception(self, e, service=None): (major, minor) = ipautil.get_gsserror(e) @@ -257,10 +258,7 @@ class KerbTransport(SSLTransport): service = "HTTP@" + host.split(':')[0] try: - (rc, vc) = kerberos.authGSSClientInit(service, - kerberos.GSS_C_DELEG_FLAG | - kerberos.GSS_C_MUTUAL_FLAG | - kerberos.GSS_C_SEQUENCE_FLAG) + (rc, vc) = kerberos.authGSSClientInit(service, self.flags) except kerberos.GSSError, e: self._handle_exception(e) @@ -284,6 +282,14 @@ class KerbTransport(SSLTransport): return (host, extra_headers, x509) +class DelegatedKerbTransport(KerbTransport): + """ + Handles Kerberos Negotiation authentication and TGT delegation to an + XML-RPC server. + """ + flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \ + kerberos.GSS_C_SEQUENCE_FLAG + class xmlclient(Connectible): """ Forwarding backend plugin for XML-RPC client. @@ -303,7 +309,7 @@ class xmlclient(Connectible): """ if not hasattr(self.conn, '_ServerProxy__transport'): return None - if isinstance(self.conn._ServerProxy__transport, KerbTransport): + if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport): scheme = "https" else: scheme = "http" 
@@ -337,14 +343,18 @@ class xmlclient(Connectible): return servers - def create_connection(self, ccache=None, verbose=False, fallback=True): + def create_connection(self, ccache=None, verbose=False, fallback=True, + delegate=False): servers = self.get_url_list() serverproxy = None for server in servers: kw = dict(allow_none=True, encoding='UTF-8') kw['verbose'] = verbose if server.startswith('https://'): - kw['transport'] = KerbTransport() + if delegate: + kw['transport'] = DelegatedKerbTransport() + else: + kw['transport'] = KerbTransport() else: kw['transport'] = LanguageAwareTransport() self.log.info('trying %s' % server) -- 1.7.7.6