On 07/14/2015 01:31 PM, Alexander Bokovoy wrote:
> Hi!
> An SELinux policy we need for one-way trust is now in Fedora
> updates-testing repository.
> Attached patch adds support for 'httpd_run_ipa' SELinux boolean.
> Below is how one-way trust is using the communication with oddjobd (it
> is a slightly fixed copy of the description of bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1238165 for SELinux policy):
> -------------------------------------------------------------------
> In FreeIPA 4.2 we added support to establish one-way trust to Active
> Directory. As a consequence of this, we need to change how certain
> operations against AD LDAP are performed. Right now we are using a
> feature of bi-directional cross-realm Kerberos trust: we authenticate as
> HTTP/ipa.master@IPA.REALM from within Apache process and then talk to
> ldap/ad.dc@AD.REALM or to cifs/ad.dc@AD.REALM services in AD.
> With one-way trust we cannot use this approach anymore because there is
> no cross-realm Kerberos trust from IPA to AD, only the other way around.
> Instead, there is an object in AD LDAP which represents IPA and we have
> to authenticate as this object.
> Access to this object is highly regulated (by us) because possession of
> the trust domain object (TDO) credentials impersonates whole trust link.
> Thus, we want to avoid authenticating as TDO within Apache process.
> To achieve this I've implemented a scheme similar to oddjob-mkhomedir,
> by providing a helper script which is executed by oddjobd on request
> from Apache:
> Apache process sends DBus request to oddjobd daemon. Oddjobd daemon
> executes an IPA helper. IPA helper accesses /etc/samba/samba.keytab and
> authenticates as cifs/ipa.master@IPA.REALM. It then fetches TDO
> credentials from IPA LDAP and authenticates with them to AD DC. Once
> operation is performed, it connects again to IPA LDAP and updates it.
> Now, there are several moving parts here:
> 1. /etc/samba/samba.keytab is root:root, 0600,
> unconfined_u:object_r:samba_etc_t:s0
>    It is created by /usr/sbin/ipa-adtrust-install
> 2. /var/lib/sss/keytabs/ad.test.keytab is sssd:sssd, 0600,
> unconfined_u:object_r:sssd_var_lib_t:s0
>    It can be created by IPA helper or by SSSD, whoever runs into need
>    of the keytab first. The name is dependent on the AD forest root
>    name (ad.test in my case).
> 3. /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains is root:root, 0755,
>    system_u:object_r:ipa_helper_exec_t:s0 label.
>    It is the IPA helper oddjobd daemon will be calling in response to
> Apache request.
>    The helper is written in Python.
> 4. /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} -- credential caches used
> by the helper.
>    They are root:root, 0600, system_u:object_r:ipa_var_run_t:s0 label.
> 5. oddjobd daemon runs under system_u:system_r:oddjob_t:s0-s0:c0.c1023
> context.
> ---------------------------------------------------------------------------------


Pushed to:
master: 706c00361544a8255c4c05b253e5e9969187a68c
ipa-4-2: 5b9ea329cef4d976694794f1b1b91714f6ac07c2

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to