https://fedorahosted.org/freeipa/ticket/4190

To test this on Fedora 22 (F22), my patch 42 is needed as well.
--
David Kupka
From 135faa61e0252cc35cca75aa9814610db0883aa4 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 25 Mar 2015 05:22:03 -0400
Subject: [PATCH] Use mod_auth_gssapi instead of mod_auth_kerb.

https://fedorahosted.org/freeipa/ticket/4190
---
 freeipa.spec.in                |  2 +-
 init/systemd/ipa.conf.tmpfiles |  1 +
 install/conf/ipa.conf          | 28 ++++++++++------------------
 ipalib/session.py              | 20 ++++++++++----------
 ipaserver/rpcserver.py         |  2 +-
 5 files changed, 23 insertions(+), 30 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7a1ff8b50ef1b462ad14fb2328149c3c2ed2fb38..b9f38f729d8fcec57d73e26352068d50a9d2cecc 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
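Review bot: The new `Requires: mod_auth_gssapi` carries no minimum version, while the line it replaces pinned `mod_auth_kerb >= 5.4-16`; install/conf/ipa.conf in this same patch depends on `GssapiDelegCcacheDir` and `GssapiUseS4U2Proxy`, and the cover note says an extra patch is needed to test on F22, which suggests not every shipped mod_auth_gssapi accepts those directives. Against an older module httpd would either refuse to start on an unknown directive or, worse, come up without credential delegation, so the dependency should pin the first release that implements S4U2Proxy, e.g. `Requires: mod_auth_gssapi >= <first-version-with-GssapiUseS4U2Proxy>`.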
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,2 +1,3 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache
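Review bot: A tmpfiles.d entry only materialises `/var/run/httpd/clientcaches` at boot (or when `systemd-tmpfiles --create` is run), so on a fresh install or an upgrade the directory does not exist until the next reboot unless something else creates it, and nothing in this patch does. Without the directory mod_auth_gssapi cannot store the delegated ccache, KRB5CCNAME stays unset and `login_kerberos` in ipaserver/rpcserver.py answers with an internal error. The installer/upgrader (or the spec `%post`) should run `systemd-tmpfiles --create` on the installed ipa tmpfiles config, or `install -d -m 0700 -o apache -g apache /var/run/httpd/clientcaches`, before httpd is (re)started, assuming this is not already handled elsewhere in the tree. The `0700 apache apache` mode is the right choice, since the directory will hold every authenticated user's forwarded or proxied credentials.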
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 7eede73efc559967925d2bbfeee54e1e2efd3e21..1f113756b78446c4d34ca8ea37cacd73deaaf57d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -3,7 +3,6 @@
 #
 # This file may be overwritten on upgrades.
 #
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
 
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
   SetHandler None
 </Location>
 
-KrbConstrainedDelegationLock ipa
-
 # Protect /ipa and everything below it in webspace with Apache Kerberos auth
 <Location "/ipa">
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  KrbConstrainedDelegation on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 </Location>
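Review bot: The block being replaced restricted the Negotiate exchange to Kerberos (`KrbMethodNegotiate on`, `KrbMethodK5Passwd off`), whereas `AuthType GSSAPI` here will accept whatever mechanism the system GSSAPI library offers through SPNEGO, so an installed mechanism plugin such as gss-ntlmssp could end up satisfying `Require valid-user` for /ipa. Add `GssapiAllowedMech krb5` (if the targeted mod_auth_gssapi release supports it) and spell out `GssapiBasicAuth off` rather than relying on the module default, so the password-over-HTTP path that `KrbMethodK5Passwd off` disabled stays disabled explicitly. Nothing replaces `KrbAuthRealms $REALM` either; if that directive was meant to reject principals from trusted foreign realms on the Negotiate path, that filtering now has to happen in the WSGI layer (accepting them may be intended for AD-trust users, so worth confirming and documenting in a comment).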
@@ -176,14 +170,12 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
 
 # Protect our CGIs
 <Directory /var/www/cgi-bin>
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 </Directory>
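Review bot: This block turns on constrained delegation for the CGIs (`GssapiUseS4U2Proxy on`, `GssapiDelegCcacheDir`, the `client_keytab:` cred store) although the mod_auth_kerb configuration it replaces only had `KrbSaveCredentials on` and no `KrbConstrainedDelegation on`, so every script under /var/www/cgi-bin can now obtain S4U2Proxy tickets on behalf of the user, not just use credentials the client chose to forward. If the CGIs only need what they had before, keep the scope unchanged by dropping `GssapiUseS4U2Proxy on` and the `client_keytab:` line from this block; if they do need proxy tickets, a one-line comment saying why would stop the next reviewer from removing it. The same `GssapiAllowedMech krb5` and explicit `GssapiBasicAuth off` hardening that applies to the `/ipa` Location applies here as well.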
diff --git a/ipalib/session.py b/ipalib/session.py
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644
--- a/ipalib/session.py
+++ b/ipalib/session.py
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
 There are 4 major players:
 
   1. client
-  2. mod_auth_kerb (in Apache process)
+  2. mod_auth_gssapi (in Apache process)
   3. wsgi handler (in IPA wsgi python process)
   4. ds (directory server)
 
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
 
   2. Client sends post to /ipa/json.
 
-  3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+  3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
      authenticate negotiate.
 
   4. Client resends with credentials
 
-  5. mod_auth_kerb validates credentials
+  5. mod_auth_gssapi validates credentials
 
      a. if invalid replies 403 access denied (stops here)
 
@@ -550,7 +550,7 @@ A few notes about the session implementation.
 Changes to Apache's resource protection
 ---------------------------------------
 
-  * /ipa/json is no longer protected by mod_auth_kerb. This is
+  * /ipa/json is no longer protected by mod_auth_gssapi. This is
     necessary to avoid the negotiate expense in steps 3,4,5
     above. Instead the /ipa/json resource will be protected in our wsgi
     handler via the session cookie.
@@ -583,15 +583,15 @@ The new sequence is:
 
   5. client sends request to /ipa/login to obtain session credentials
 
-  6. mod_auth_kerb replies 401 negotiate on /ipa/login
+  6. mod_auth_gssapi replies 401 negotiate on /ipa/login
 
   7. client sends credentials to /ipa/login
 
-  8. mod_auth_kerb validates credentials
+  8. mod_auth_gssapi validates credentials
 
      a. if valid
 
-        - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+        - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
           invoked and does the following:
 
           * establishes session for client
@@ -600,7 +600,7 @@ The new sequence is:
 
      a. if invalid
 
-        - mod_auth_kerb sends 403 access denied (processing stops)
+        - mod_auth_gssapi sends 403 access denied (processing stops)
 
   9. client now posts the same data again to /ipa/json including
      session cookie. Processing repeats starting at step 2 and since
@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
 calls are marshalled and unmarshalled.
 
 Under the new scheme /ipa/xml will continue to be Kerberos protected
-at all times. Apache's mod_auth_kerb will continue to require the
+at all times. Apache's mod_auth_gssapi will continue to require the
 client provides valid Kerberos credentials.
 
 When the WSGI handler routes to /ipa/xml the Kerberos credentials will
 be extracted from the KRB5CCNAME environment variable as provided by
-mod_auth_kerb. Everything else remains the same.
+mod_auth_gssapi. Everything else remains the same.
 
 '''
 
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
     def __call__(self, environ, start_response):
         self.debug('WSGI login_kerberos.__call__:')
 
-        # Get the ccache created by mod_auth_kerb
+        # Get the ccache created by mod_auth_gssapi
         user_ccache_name=environ.get('KRB5CCNAME')
         if user_ccache_name is None:
             return self.internal_error(environ, start_response,
-- 
2.1.0
