This addresses #3860, giving admins the option to not require preauth
for Hosts and services.

I did not add this option by default, although it does reduce the load
on the KDC as well as speed up TGT acquisition for service principal
accounts that acquire TGTs.

Tested and working as expected (SPNs are not returned PREAUTH_NEEDED
error while normal users are).

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From fb0f48de69d56e27c68bd617c839454ee9b57c07 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 24 Nov 2015 15:39:08 -0500
Subject: [PATCH 3/3] Allow admins to disable preauth for SPNs.

Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <s...@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
---
 API.txt                              |  2 +-
 daemons/ipa-kdb/ipa_kdb.c            |  9 +++++----
 daemons/ipa-kdb/ipa_kdb.h            |  1 +
 daemons/ipa-kdb/ipa_kdb_principals.c | 23 +++++++++++++++++++++--
 ipalib/plugins/config.py             |  3 ++-
 5 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/API.txt b/API.txt
index 9a7a23f0d6e3efcdaa355e15a37e8879d8f030d7..70a5b018429533f0ade1271bbe0cea9bdbf457dc 100644
--- a/API.txt
+++ b/API.txt
@@ -766,7 +766,7 @@ args: 0,25,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'DisableSetKeytab', u'DisableUserSetKeytab', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'DisableSetKeytab', u'DisableUserSetKeytab', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'))
 option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
 option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
 option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 3d5e1568020b97fc089f9b59fb6625fccebf3a51..fbcb03beeac621e71b67dc76688e21cb23f2cc28 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -261,12 +261,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
                             vals[i]->bv_val, vals[i]->bv_len) == 0) {
                 ipactx->config.disable_last_success = true;
                 continue;
-            }
-
-            if (strncasecmp("KDC:Disable Lockout",
-                            vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            } else if (strncasecmp("KDC:Disable Lockout",
+                                   vals[i]->bv_val, vals[i]->bv_len) == 0) {
                 ipactx->config.disable_lockout = true;
                 continue;
+            } else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
+                                   vals[i]->bv_val, vals[i]->bv_len) == 0) {
+                ipactx->config.disable_preauth_for_spns = true;
             }
         }
     }
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index a6f448150cca2f6918b9de52c049dcb54a7da7ba..1fdb409df92f1f8d9a82af3423e6e73313c62ab7 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -93,6 +93,7 @@ struct ipadb_global_config {
 	bool disable_lockout;
 	char **authz_data;
 	enum ipadb_user_auth user_auth;
+    bool disable_preauth_for_spns;
 };
 
 struct ipadb_context {
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index f2a5a417e1e9d00a3c8c338c41a95a77de4e5b95..1f9b14a6aba673d0a2a4188af76b7fb391aa1cbd 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -911,6 +911,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
     return 0;
 }
 
+static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
+                                        krb5_db_entry *entry)
+{
+    const struct ipadb_global_config *config;
+    struct ipadb_e_data *ied;
+
+    config = ipadb_get_global_config(ipactx);
+    if (config->disable_preauth_for_spns) {
+        ied = (struct ipadb_e_data *)entry->e_data;
+        if (ied && ied->ipa_user != true) {
+            /* not a user, assume SPN */
+            return 0;
+        }
+    }
+
+    /* By default require preauth for all principals */
+    return KRB5_KDB_REQUIRES_PRE_AUTH;
+}
+
 static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
                                              LDAPMessage *lentry,
                                              krb5_db_entry *entry,
@@ -981,7 +1000,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
                 if (ret == 0) {
                     entry->attributes |= result;
                 } else {
-                    entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+                    entry->attributes |= maybe_require_preauth(ipactx, entry);
                 }
             }
         }
@@ -997,7 +1016,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
             entry->max_renewable_life = 604800;
         }
         if (polmask & TKTFLAGS_BIT) {
-            entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+            entry->attributes |= maybe_require_preauth(ipactx, entry);
         }
 
         kerr = 0;
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index a6b4d4349a9ac6de453d9ad3c679ec32add4e43b..5d29129803b4d935f4f788caa6fd61fd85db6fe8 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -202,7 +202,8 @@ class config(LDAPObject):
             doc=_('Extra hashes to generate in password plug-in'),
             values=(u'AllowNThash',
                     u'DisableSetKeytab', u'DisableUserSetKeytab',
-                    u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
+                    u'KDC:Disable Last Success', u'KDC:Disable Lockout',
+                    u'KDC:Disable Default Preauth for SPNs'),
             csv=True,
         ),
         Str('ipaselinuxusermaporder',
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to