Hi, please find the design page for ticket https://fedorahosted.org/freeipa/ticket/2960 at http://freeipa.org/page/V3/Read_and_use_per_service_pac_type or below.
There are some questions in the text. bye, Sumit = Overview = In ticket #2184 a new option --pac_type was introduced to ipa service-mod to individually set the PAC type for each service ticket. The allowed values are: * MS-PAC, the PAC used by Microsoft and specified in * http://msdn.microsoft.com/en-us/library/cc237917.aspx * PAD, Posix Authorization Data, currently work in progress, draft can * be found at http://tools.ietf.org/html/draft-ietf-krb-wg-pad-01 * NONE, do not add any authorization data to the ticket If the attribute is not set the default values specified in the ipakrbauthzdata attribute of the ipaConfig object is used. ''Question: What about modifying ipaKrbAuthzData for host objects? Currently I think it is only possible with --setattr.'' ''Question: Since ipakrbauthzdata is optional in the ipaGuiConfig objectclass, someone might delete it manually, which hardcoded default do we want to use in this case?'' ''Question: Since ipakrbauthzdata is a multi-value attribute how should the case handled where on value is 'NONE'? I assume 'NONE' wins in this case.' = Use Cases = * For services which do not use the authorization data from the PAC the * PAC type can be set to 'NONE'. This will keep the tickets smaller and * avoids unneeded load on the FreeIPA server during the PAC processing. * For services which can only handle Kerberos tickets up to a maximal * size, e.g. NFS, see #3263, the PAC type should be set to 'NONE'. The * authorization data in the PAC can become quite large and can make the * Kerberos ticket grow larger than the service can handle * For services which cannot handle the default PAC type but need a * different one. (This is for future versions since currently only the * MS-PAC is supported) = Design= Since the UI/CLI changes were already handled by #2184 no additional user interaction is needed here. For the needed changes to the IPA KDC backend the changes done to fix #3263 can be used as a starting point. = Implementation = To avoid issues during upgrade I think all changes done to fix #3263 should be preserved, i.e. the NFS service will have a hardcoded default 'NONE'. Otherwise the LDAP objects of the NFS services must be modified during upgrade. In ipadb_sign_authdata() a call like <pre> ret = get_service_pac_type(server->princ, &pac_type); </pre> can be added, where get_service_pac_type() runs a LDAP search with a filter like '(&(objectclass=ipaService)(krbPrincipalName=SERVER_PRINCIPAL))' which looks for the ipakrbauthzdata attribute. = Feature Managment = === UI === UI related changes were added by ticket #2184. ''Question: it looks like the PAC type cannot be explicitly set to 'NONE' in the UI, I guess this needs fixing?'' === CLI === CLI related changes were added by ticket #2184. = Major configuration options and enablement = This feature does not need any options and is enabled by default. The behaviour is controlled by the value of the ipaKrbAuthzData of the service object and the ipaConfig object. = Replication = Changes only affect the KDC IPA backend. If not all server and replicas are updated with this feature KDCs which are not updated might still return Kerberos tickets with the default PAC type although there is a different one mentioned in the service object. = Updates and Upgrades = Any impact on the updates and upgrades? = Dependencies = This feature does not add any new dependencies. = External Impact = The changes will only touch the KDC IPA backend, no external impact is expected. = RFE Author = [[User:Sbose|Sumit Bose]] _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
