While reviewing http://www.freeipa.org/page/V4/Service_Constraint_Delegation#Implementation I found errors and a potential for misunderstanding about some KDC flags we used.
This fix makes things a lot clearer and hopefully avoids some bad surprises for admins.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
>From 729adaa8b30fe858b1d19908296cedee9f0b1139 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 8 Jun 2015 14:16:56 -0400 Subject: [PATCH] Fix s4u2proxy README and add warning The attribute mentioned was using an older name that was later changed in the implementation. Also add a prominent warning about the use of the kadmin flags. --- daemons/ipa-kdb/README.s4u2proxy.txt | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-kdb/README.s4u2proxy.txt b/daemons/ipa-kdb/README.s4u2proxy.txt index 92d71bbd3e44c7a0ce97eb1443ce49c3b2f5e447..254fcc4d1c69797b55b54142b8c2b27120a963b3 100644 --- a/daemons/ipa-kdb/README.s4u2proxy.txt +++ b/daemons/ipa-kdb/README.s4u2proxy.txt @@ -31,7 +31,7 @@ principals that are being considered proxies. That is: the principals of the services that want to impersonate client principals against other services. -The ipaAllowedToImpersonate must point to a groupOfPrincipal based +The ipaAllowToImpersonate must point to a groupOfPrincipal based object that contains the list of client principals (normally these are user principals) that can be impersonated by this service. If the attribute is missing than the service is allowed to impersonate @@ -46,7 +46,7 @@ order to allow a service to access it impersonating another principal. At the moment no wildcarding is implemented so services have to be explicitly listed in their respective groups. I have some idea of adding wildcard support at least for the -ipaAllowedToImpersonate group in order to separate user principals by +ipaAllowToImpersonate group in order to separate user principals by REALM. So you can say all users of REALM1 can be impersonated by this service but no users of REALM2. 
@@ -94,6 +94,15 @@ This is done with: kdamin.local modprinc +ok_to_auth_as_delegate HTTP/ipaserver.example.com +NOTE: Do not grant +ok_to_auth_as_delegate in production without +carefully considering the outcome. This flags grants a service the +ability to impersonate any user to itself, which, combined with the +permission to proxy, means it will be allowed to impersonate any user +to the target service w/o any explicit user permission/delegation. +This flag is *NOT* necessary to permit proxying, it is used in this +example only because the kvno utility is hardwired to test both s4u2self +and s4u2proxy at the same time and would fail to operate without it. + Then run kvno as follows: # Init credntials as HTTP @@ -110,6 +119,9 @@ ldap/ipaserver.example.com If this works it means you successfully impersonated the admin user with the HTTP service against the ldap service. +Cleanup by removing the self-impersonation flag: +modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com + Simo. -- 2.4.2
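Review bot: In the first hunk (@@ -31,7) the rename from ipaAllowedToImpersonate to ipaAllowToImpersonate only covers the two occurrences in this README; before merging, grep the rest of the tree (schema, install templates, other docs) for the old spelling so the documentation does not end up with two names for one attribute. The unchanged context line "If the attribute is missing than the service is allowed to impersonate" also carries a pre-existing typo ("than" should be "then") that could be fixed in the same commit since the paragraph is already being touched.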
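Review bot: In the second hunk (@@ -46,7) the renamed line sits inside a paragraph that describes wildcard support as a future idea ("I have some idea of adding wildcard support"); since the preceding sentence already states "At the moment no wildcarding is implemented", consider wording the idea explicitly as not implemented (e.g. "Wildcard support is not implemented; a possible future extension is ...") so an admin skimming the README does not configure a realm-level wildcard group expecting it to work.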
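Review bot: In the third hunk (@@ -94,6) the added NOTE has a grammar slip, "This flags grants a service the ability" should read "This flag grants a service the ability", and "w/o" would be clearer spelled out as "without" in a warning admins are meant to read carefully. It would also help to say on which principal the risk lives: the flag is set on the impersonating service (HTTP/ipaserver.example.com in the example), so that is the principal an admin should audit for it. The unchanged context lines in this hunk also contain two pre-existing typos worth fixing while here: "kdamin.local" should be "kadmin.local" and "credntials" should be "credentials".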
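Review bot: In the fourth hunk (@@ -110,6) the cleanup command is shown as a bare "modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com", while the setup step earlier in the README invokes it through kadmin.local; for symmetry and to avoid a copy-paste failure, show the full form, e.g. "kadmin.local modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com". Since the whole point of the new NOTE is that leaving this flag set is dangerous, it would also be worth adding a verification line such as "kadmin.local getprinc HTTP/ipaserver.example.com" with a hint that the attributes list should no longer show OK_TO_AUTH_AS_DELEGATE.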
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code