On Wed, 2012-01-04 at 15:11 -0500, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> > On Wed, 14 Dec 2011, Rob Crittenden wrote:
> >
> >> Dmitri Pal wrote:
> >>> On 12/12/2011 07:15 PM, Simo Sorce wrote:
> >>>> On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote:
> >>>>> This patch adds support for s4u2proxy. This means that the Apache
> >>>>> server will obtain the ldap service ticket on behalf of the user
> >>>>> rather than the user having to send their TGT. The user's ticket
> >>>>> still needs to be forwardable, we just don't require it to be
> >>>>> forwarded any more.
> >>>>
> >>>> Should we make the patch allow the old behavior by using a switch that
> >>>> reverts to forwarding the TGT?
> >>>>
> >>>> It would be useful during upgrades if some of your servers still need
> >>>> forwarded TGTs, or if you want to use a newer client against an old
> >>>> server while you have the newer stuff under test.
> >>>> (And to test in general).
> >>>>
> >>>> Simo.
> >>> +1
> >>>
> >>
> >> Updated patch attached.
> >>
> >> rob
> >
> >> From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001
> >> From: Rob Crittenden<rcrit...@redhat.com>
> >> Date: Thu, 8 Dec 2011 14:23:18 -0500
> >> Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
> >>   now
> >>
> >> A forwardable ticket is still required but we no longer need to send
> >> the TGT to the IPA server. A new flag, --delegation, is available if
> >> the old behavior is required.
> > A minor point: please fix the commit message to use the proper option name:
> >
> > --delegate
> >
> >> +        parser.add_option('--delegate', action='store_true',
> >> +            help='Delegate the TGT to the IPA server',
> >> +        )
> >
> > Otherwise ACK.
> >
> 
> Updated both patches. The first (914) to address Alexander's concern. 
> The second to add a new global lock directive. I updated the 
> mod_auth_kerb patch based on feedback from the package maintainer.
> 
> rob

ACK for patch 914-4. Pushed to master, ipa-2-2.

In reality, it was really sent in the thread for patch 947. I just
renamed it and created a rebased version for master branch. Both patches
are attached.

Martin
From d78756d9bcaf1d75cc592fc621e25c4d1df980a3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 8 Dec 2011 14:23:18 -0500
Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
 now

A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.

https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
---
 freeipa.spec.in                       |   15 +++++++--------
 install/share/bootstrap-template.ldif |    2 +-
 ipa.1                                 |    3 +++
 ipalib/backend.py                     |    2 +-
 ipalib/constants.py                   |    1 +
 ipalib/plugable.py                    |    5 ++++-
 ipalib/rpc.py                         |   24 +++++++++++++++++-------
 7 files changed, 34 insertions(+), 18 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6c92747..06e7d9e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -92,17 +92,13 @@ Requires(pre): 389-ds-base >= 1.2.10-0.5.a5
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
-%if 0%{?fedora} >= 16
-Requires: krb5-server >= 1.9.1-15
-%else
-Requires: krb5-server
-%endif
+Requires: krb5-server >= 1.9.2-6
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-9
+Requires: mod_auth_kerb >= 5.4-8
 Requires: mod_nss >= 1.0.8-10
 Requires: python-ldap
 Requires: python-krbV
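Review bot: the mod_auth_kerb minimum is lowered from 5.4-9 to 5.4-8 in this hunk while the krb5-server minimum is raised to 1.9.2-6; please confirm in the commit message that 5.4-8 is the build the package maintainer said carries the S4U2Proxy fix, since a too-low floor would let a server install with an httpd module that cannot do constrained delegation and the login path would then fail at the LDAP ticket request. Dropping the `%if 0%{?fedora} >= 16` conditional also makes `krb5-server >= 1.9.2-6` a hard requirement on every target; if the spec is still built for older releases, that needs to be stated as intentional.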
@@ -665,11 +661,14 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
-* Wed Jan 11 2012 Simo Sorce <s...@redhat.com? - 2.2.0-7
+* Tue Jan 31 2012 Rob Crittenden <rcrit...@redhat.com> - 2.2.0-8
+- Set min for krb5-server to 1.9.2-6 to pick up needed s4u2proxy patches
+
+* Wed Jan 11 2012 Simo Sorce <s...@redhat.com> - 2.2.0-7
 - Remove dependency on samba4 libs
 
 * Wed Jan 11 2012 Rob Crittenden <rcrit...@redhat.com> - 2.2.0-6
-- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
+- Set min for mod_auth_kerb to 5.4-8 to pick up s4u2proxy support
 
 * Tue Jan 10 2012 Alexander Bokovoy <aboko...@redhat.com> - 2.2.0-5
 - Fix dependency for samba4-devel package
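Review bot: the existing 2.2.0-6 entry is edited in place (5.4-9 becomes 5.4-8) rather than recorded under the new 2.2.0-8 entry; a released changelog line should stay as it was, so add "- Lower min for mod_auth_kerb to 5.4-8" under 2.2.0-8 instead. The rewrite of the 2.2.0-7 line only repairs the `?` to `>` in the e-mail address, which is fine but worth a word in the commit message.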
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index b58bfd7..e33f065 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -174,7 +174,7 @@ objectClass: groupOfPrincipals
 objectClass: top
 cn: ipa-http-delegation
 memberPrincipal: HTTP/$HOST@$REALM
-ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 
 dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: add
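Review bot: the corrected `ipaAllowedTarget` now matches the `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX` entry defined just below it, which is the right fix, but bootstrap-template.ldif is only applied at server install time; an already-installed server keeps the dangling target DN and the HTTP principal will not be allowed to obtain the ldap ticket on the user's behalf. Please check whether an install/updates entry is needed so upgraded servers get the same value.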
diff --git a/ipa.1 b/ipa.1
index a5592b9..e9946b8 100644
--- a/ipa.1
+++ b/ipa.1
@@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR.
 \fB\-d\fR, \fB\-\-debug\fR
 Produce full debugging output.
 .TP
+\fB\-\-\-delegate\fR
+Delegate the user's TGT to the IPA server
+.TP
 \fB\-e\fR \fIKEY=VAL\fR
 Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files.
 .TP
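Review bot: `\fB\-\-\-delegate\fR` has three escaped dashes and will render as `---delegate`; it should be `\fB\-\-delegate\fR` to match the option added in plugable.py. The description line also lacks the trailing period that the neighbouring entries use.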
diff --git a/ipalib/backend.py b/ipalib/backend.py
index 79f1908..7ed378e 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -110,7 +110,7 @@ class Executioner(Backend):
             self.Backend.ldap2.connect(ccache=ccache)
         else:
             self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
-                fallback=self.env.fallback)
+                fallback=self.env.fallback, delegate=self.env.delegate)
         if client_ip is not None:
             setattr(context, "client_ip", client_ip)
 
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 7a1e3d2..899c765 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -139,6 +139,7 @@ DEFAULT_CONFIG = (
     ('prompt_all', False),
     ('interactive', True),
     ('fallback', True),
+    ('delegate', False),
 
     # Enable certain optional plugins:
     ('enable_ra', False),
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index e0b6e7f..4d00110 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -530,6 +530,9 @@ class API(DictProxy):
         parser.add_option('-d', '--debug', action='store_true',
             help='Produce full debuging output',
         )
+        parser.add_option('--delegate', action='store_true',
+            help='Delegate the TGT to the IPA server',
+        )
         parser.add_option('-v', '--verbose', action='count',
             help='Produce more verbose output. A second -v displays the XML-RPC request',
         )
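Review bot: the help text for `--delegate` should say what the user is giving up, since this option forwards the user's TGT to the server (the behaviour S4U2Proxy was introduced to avoid); something like 'Forward the user's TGT to the IPA server (only needed for servers without S4U2Proxy support)' tells an admin when to use it and why not to use it by default.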
@@ -570,7 +573,7 @@ class API(DictProxy):
                     pass
                 overrides[str(key.strip())] = value.strip()
         for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
-            'fallback'):
+            'fallback', 'delegate'):
             value = getattr(options, key, None)
             if value is not None:
                 overrides[key] = value
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index abfa44e..d8fee56 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -232,6 +232,7 @@ class KerbTransport(SSLTransport):
     """
     Handles Kerberos Negotiation authentication to an XML-RPC server.
     """
+    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
 
     def _handle_exception(self, e, service=None):
         (major, minor) = ipautil.get_gsserror(e)
@@ -257,10 +258,7 @@ class KerbTransport(SSLTransport):
         service = "HTTP@" + host.split(':')[0]
 
         try:
-            (rc, vc) = kerberos.authGSSClientInit(service,
-                                                kerberos.GSS_C_DELEG_FLAG |
-                                                kerberos.GSS_C_MUTUAL_FLAG |
-                                                kerberos.GSS_C_SEQUENCE_FLAG)
+            (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
         except kerberos.GSSError, e:
             self._handle_exception(e)
 
@@ -284,6 +282,14 @@ class KerbTransport(SSLTransport):
         return (host, extra_headers, x509)
 
 
+class DelegatedKerbTransport(KerbTransport):
+    """
+    Handles Kerberos Negotiation authentication and TGT delegation to an
+    XML-RPC server.
+    """
+    flags = kerberos.GSS_C_DELEG_FLAG |  kerberos.GSS_C_MUTUAL_FLAG | \
+            kerberos.GSS_C_SEQUENCE_FLAG
+
 class xmlclient(Connectible):
     """
     Forwarding backend plugin for XML-RPC client.
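Review bot: style nits in the new class: there is a double space in `kerberos.GSS_C_DELEG_FLAG |  kerberos.GSS_C_MUTUAL_FLAG`, the backslash continuation could be replaced by parentheses as elsewhere in this file, and PEP 8 wants two blank lines before `class xmlclient`. Making the delegating variant a subclass that only overrides `flags` keeps the secure flag set in the base class, which is the right shape.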
@@ -303,7 +309,7 @@ class xmlclient(Connectible):
         """
         if not hasattr(self.conn, '_ServerProxy__transport'):
             return None
-        if isinstance(self.conn._ServerProxy__transport, KerbTransport):
+        if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
             scheme = "https"
         else:
             scheme = "http"
@@ -337,14 +343,18 @@ class xmlclient(Connectible):
 
         return servers
 
-    def create_connection(self, ccache=None, verbose=False, fallback=True):
+    def create_connection(self, ccache=None, verbose=False, fallback=True,
+                          delegate=False):
         servers = self.get_url_list()
         serverproxy = None
         for server in servers:
             kw = dict(allow_none=True, encoding='UTF-8')
             kw['verbose'] = verbose
             if server.startswith('https://'):
-                kw['transport'] = KerbTransport()
+                if delegate:
+                    kw['transport'] = DelegatedKerbTransport()
+                else:
+                    kw['transport'] = KerbTransport()
             else:
                 kw['transport'] = LanguageAwareTransport()
             self.log.info('trying %s' % server)
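Review bot: when `delegate` is true, consider logging that a delegating transport was selected (for example alongside the existing `self.log.info('trying %s' % server)`), so that a client forwarding its TGT is visible in debug output and an operator can tell why a connection is behaving like the old code path. The `delegate` keyword is correctly ignored for plain http servers, where no Kerberos negotiation happens at all.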
-- 
1.7.6.5

From aa0d6659a4e5d126f4c59127188ddf4a149d50b1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 15 Feb 2012 17:06:54 +0100
Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
 now

A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.

https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
---
 freeipa.spec.in                       |   13 ++++++-------
 install/share/bootstrap-template.ldif |    2 +-
 ipa.1                                 |    3 +++
 ipalib/backend.py                     |    2 +-
 ipalib/constants.py                   |    1 +
 ipalib/plugable.py                    |    5 ++++-
 ipalib/rpc.py                         |   24 +++++++++++++++++-------
 7 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 198f4a4237eb9f6bfa4ce980448417634bfe316a..541dbeb6effbec26a377ad80cec1179ff3a62515 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -93,17 +93,13 @@ Requires(pre): 389-ds-base >= 1.2.10-0.5.a5
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
-%if 0%{?fedora} >= 16
-Requires: krb5-server >= 1.9.1-15
-%else
-Requires: krb5-server
-%endif
+Requires: krb5-server >= 1.9.2-6
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-9
+Requires: mod_auth_kerb >= 5.4-8
 Requires: mod_nss >= 1.0.8-10
 Requires: python-ldap
 Requires: python-krbV
@@ -672,8 +668,11 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Tue Jan 31 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-15
+- Set min for krb5-server to 1.9.2-6 to pick up needed s4u2proxy patches
+
 * Wed Jan 11 2012 Rob Crittenden <rcrit...@redhat.com> - 2.99.0-14
-- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
+- Set min for mod_auth_kerb to 5.4-8 to pick up s4u2proxy support
 
 * Fri Dec 9 2011 Alexander Bokovoy <aboko...@redhat.com> - 2.99.0-13
 - Fix dependency for samba4-devel package
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index b58bfd7e7b5259336717350731d25e67549a4cd9..e33f06571a5dca1a921b856e9bfa89df887da7d8 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -174,7 +174,7 @@ objectClass: groupOfPrincipals
 objectClass: top
 cn: ipa-http-delegation
 memberPrincipal: HTTP/$HOST@$REALM
-ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 
 dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: add
diff --git a/ipa.1 b/ipa.1
index a5592b9a6c9a810919e610b4aff59ccd487d6a54..e9946b823cdaf27e9af5b33f24943d686531b009 100644
--- a/ipa.1
+++ b/ipa.1
@@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR.
 \fB\-d\fR, \fB\-\-debug\fR
 Produce full debugging output.
 .TP
+\fB\-\-\-delegate\fR
+Delegate the user's TGT to the IPA server
+.TP
 \fB\-e\fR \fIKEY=VAL\fR
 Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files.
 .TP
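Review bot: the rebased master version carries the same `\fB\-\-\-delegate\fR` triple-dash typo as the ipa-2-2 version of this hunk; it should be `\fB\-\-delegate\fR` in both branches before pushing.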
diff --git a/ipalib/backend.py b/ipalib/backend.py
index 79f190832b72f3e41ff0d6b0a4dcf619b35ded37..7ed378e888880e1a0a209116ea8b73f8192a1ef5 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -110,7 +110,7 @@ class Executioner(Backend):
             self.Backend.ldap2.connect(ccache=ccache)
         else:
             self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
-                fallback=self.env.fallback)
+                fallback=self.env.fallback, delegate=self.env.delegate)
         if client_ip is not None:
             setattr(context, "client_ip", client_ip)
 
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 7a1e3d2ec5b496b3f043ebe1f0b6ce9198a1b159..899c765fab5a2af0d2828cba8b63476c4edf1952 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -139,6 +139,7 @@ DEFAULT_CONFIG = (
     ('prompt_all', False),
     ('interactive', True),
     ('fallback', True),
+    ('delegate', False),
 
     # Enable certain optional plugins:
     ('enable_ra', False),
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index e0b6e7f968ca16c3fed4667ba1d972edf5262546..4d0011029573df44d8d5e85e0e2b2a3f872c0703 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -530,6 +530,9 @@ class API(DictProxy):
         parser.add_option('-d', '--debug', action='store_true',
             help='Produce full debuging output',
         )
+        parser.add_option('--delegate', action='store_true',
+            help='Delegate the TGT to the IPA server',
+        )
         parser.add_option('-v', '--verbose', action='count',
             help='Produce more verbose output. A second -v displays the XML-RPC request',
         )
@@ -570,7 +573,7 @@ class API(DictProxy):
                     pass
                 overrides[str(key.strip())] = value.strip()
         for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
-            'fallback'):
+            'fallback', 'delegate'):
             value = getattr(options, key, None)
             if value is not None:
                 overrides[key] = value
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index abfa44e89e5859a7d0d03f0cf34c334ec1d67443..d8fee56395e7f286fa5daf86f0dc80aa242955fc 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -232,6 +232,7 @@ class KerbTransport(SSLTransport):
     """
     Handles Kerberos Negotiation authentication to an XML-RPC server.
     """
+    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
 
     def _handle_exception(self, e, service=None):
         (major, minor) = ipautil.get_gsserror(e)
@@ -257,10 +258,7 @@ class KerbTransport(SSLTransport):
         service = "HTTP@" + host.split(':')[0]
 
         try:
-            (rc, vc) = kerberos.authGSSClientInit(service,
-                                                kerberos.GSS_C_DELEG_FLAG |
-                                                kerberos.GSS_C_MUTUAL_FLAG |
-                                                kerberos.GSS_C_SEQUENCE_FLAG)
+            (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
         except kerberos.GSSError, e:
             self._handle_exception(e)
 
@@ -284,6 +282,14 @@ class KerbTransport(SSLTransport):
         return (host, extra_headers, x509)
 
 
+class DelegatedKerbTransport(KerbTransport):
+    """
+    Handles Kerberos Negotiation authentication and TGT delegation to an
+    XML-RPC server.
+    """
+    flags = kerberos.GSS_C_DELEG_FLAG |  kerberos.GSS_C_MUTUAL_FLAG | \
+            kerberos.GSS_C_SEQUENCE_FLAG
+
 class xmlclient(Connectible):
     """
     Forwarding backend plugin for XML-RPC client.
@@ -303,7 +309,7 @@ class xmlclient(Connectible):
         """
         if not hasattr(self.conn, '_ServerProxy__transport'):
             return None
-        if isinstance(self.conn._ServerProxy__transport, KerbTransport):
+        if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
             scheme = "https"
         else:
             scheme = "http"
@@ -337,14 +343,18 @@ class xmlclient(Connectible):
 
         return servers
 
-    def create_connection(self, ccache=None, verbose=False, fallback=True):
+    def create_connection(self, ccache=None, verbose=False, fallback=True,
+                          delegate=False):
         servers = self.get_url_list()
         serverproxy = None
         for server in servers:
             kw = dict(allow_none=True, encoding='UTF-8')
             kw['verbose'] = verbose
             if server.startswith('https://'):
-                kw['transport'] = KerbTransport()
+                if delegate:
+                    kw['transport'] = DelegatedKerbTransport()
+                else:
+                    kw['transport'] = KerbTransport()
             else:
                 kw['transport'] = LanguageAwareTransport()
             self.log.info('trying %s' % server)
-- 
1.7.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
