On Tue, 2015-12-01 at 15:59 +0100, Martin Babinsky wrote:
> On 11/30/2015 07:42 PM, Simo Sorce wrote:
> > On Wed, 2015-11-25 at 10:33 +0100, Martin Babinsky wrote:
> >> On 11/24/2015 10:20 PM, Simo Sorce wrote:
> >>> This addresses #3860, giving admins the option to not require preauth
> >>> for Hosts and services.
> >>>
> >>> I did not add this option by default, although it does reduce the load
> >>> on the KDC as well as speed up TGT acquisition for service principal
> >>> accounts that acquire TGTs.
> >>>
> >>> Tested and working as expected (SPNs are not returned PREAUTH_NEEDED
> >>> error while normal users are).
> >>>
> >>> HTH,
> >>> Simo.
> >>>
> >>>
> >>>
> >> Hi Simo,
> >>
> >> I was not able to apply the patch on current master branch:
> >>
> >> """
> >> git am
> >> ../review/ssorce/3860/freeipa-simo-558-1-Allow-admins-to-disable-preauth-for-SPNs.patch
> >> -3
> >>
> >> Applying: Allow admins to disable preauth for SPNs.
> >> error: invalid object 100644 a6b4d4349a9ac6de453d9ad3c679ec32add4e43b
> >> for 'ipalib/plugins/config.py'
> >> fatal: git-write-tree: error building trees
> >> Repository lacks necessary blobs to fall back on 3-way merge.
> >> Cannot fall back to three-way merge.
> >> Patch failed at 0001 Allow admins to disable preauth for SPNs.
> >> """
> >>
> >> It seems that I need to apply some of your other patches first (which ones?)
> >
> > Sorry did not see this question earlier, it requires 556 and 557, I just
> > bumped that thread.
> >
> > Simo.
> >
> It seems that I need something else, patch 556-2 applies cleanly, but 
> patch 557-3 fails with http://fpaste.org/296230/89819431/ on both master 
> and 4-2 branch.
> 

Rebased 556,557 in their thread, and here is the rebase for 558 on top
of them.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From 0171bf3a84377f9fa43bc9dbcaf29c111f2f7f54 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 24 Nov 2015 15:39:08 -0500
Subject: [PATCH] Allow admins to disable preauth for SPNs.

Some legacy software is not able to properly cope with preauthentication,
so allow admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded:
for users, whose passwords have lesser entropy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <s...@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
---
 API.txt                              |  2 +-
 daemons/ipa-kdb/ipa_kdb.c            |  9 +++++----
 daemons/ipa-kdb/ipa_kdb.h            |  1 +
 daemons/ipa-kdb/ipa_kdb_principals.c | 23 +++++++++++++++++++++--
 ipalib/plugins/config.py             |  3 ++-
 5 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/API.txt b/API.txt
index f1daa7dfc90b52151d454bc948941569905c1a7a..d4134b28788cb9a81466ac3cf5d18cfc10e73511 100644
--- a/API.txt
+++ b/API.txt
@@ -766,7 +766,7 @@ args: 0,25,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'DisableSetKeytab', u'DisableUserSetKeytab', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'DisableSetKeytab', u'DisableUserSetKeytab', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'))
 option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
 option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
 option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 3d5e1568020b97fc089f9b59fb6625fccebf3a51..fbcb03beeac621e71b67dc76688e21cb23f2cc28 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -261,12 +261,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
                             vals[i]->bv_val, vals[i]->bv_len) == 0) {
                 ipactx->config.disable_last_success = true;
                 continue;
-            }
-
-            if (strncasecmp("KDC:Disable Lockout",
-                            vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            } else if (strncasecmp("KDC:Disable Lockout",
+                                   vals[i]->bv_val, vals[i]->bv_len) == 0) {
                 ipactx->config.disable_lockout = true;
                 continue;
+            } else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
+                                   vals[i]->bv_val, vals[i]->bv_len) == 0) {
+                ipactx->config.disable_preauth_for_spns = true;
             }
         }
     }
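Review bot: The new `KDC:Disable Default Preauth for SPNs` comparison is bounded only by `bv_len`, so `strncasecmp` also returns 0 for any LDAP value that is a proper prefix of the literal (for example `KDC:Disable Default Preauth`), which would switch on the weaker default from a value the config plugin's StrEnum never produces but a direct LDAP write could. The two existing branches use the same idiom, so this is inherited rather than new, but a flag that relaxes authentication is the right place to tighten it: `} else if (vals[i]->bv_len == strlen("KDC:Disable Default Preauth for SPNs") && strncasecmp("KDC:Disable Default Preauth for SPNs", vals[i]->bv_val, vals[i]->bv_len) == 0) {`. The missing `continue;` on the new branch is harmless since it is the last alternative in the chain. `ipadb_load_global_config` starts and ends outside the hunk.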
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index a6f448150cca2f6918b9de52c049dcb54a7da7ba..1fdb409df92f1f8d9a82af3423e6e73313c62ab7 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -93,6 +93,7 @@ struct ipadb_global_config {
 	bool disable_lockout;
 	char **authz_data;
 	enum ipadb_user_auth user_auth;
+    bool disable_preauth_for_spns;
 };
 
 struct ipadb_context {
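Review bot: The added `bool disable_preauth_for_spns;` is indented with four spaces while the neighbouring fields of `struct ipadb_global_config` use a tab, so the member list no longer lines up when tabs render at a different width; use a tab to match. It would also read better placed directly after `disable_lockout`, grouping the three `KDC:Disable ...` toggles together, with a short comment such as `/* KDC:Disable Default Preauth for SPNs */` beside it. The struct definition starts outside the hunk.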
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 629f8193223c924267f6d5f39d258cfbc51c7f63..e32be856a9ef7a5f40f02d1d19fc689553ebf623 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -921,6 +921,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
     return 0;
 }
 
+static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
+                                        krb5_db_entry *entry)
+{
+    const struct ipadb_global_config *config;
+    struct ipadb_e_data *ied;
+
+    config = ipadb_get_global_config(ipactx);
+    if (config->disable_preauth_for_spns) {
+        ied = (struct ipadb_e_data *)entry->e_data;
+        if (ied && ied->ipa_user != true) {
+            /* not a user, assume SPN */
+            return 0;
+        }
+    }
+
+    /* By default require preauth for all principals */
+    return KRB5_KDB_REQUIRES_PRE_AUTH;
+}
+
 static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
                                              LDAPMessage *lentry,
                                              krb5_db_entry *entry,
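Review bot: `config` is dereferenced right after `ipadb_get_global_config(ipactx)` with no NULL check; if that helper can fail (its error path is not visible here — confirm in ipa_kdb.c), the KDC would crash on the first ticket-policy lookup instead of falling back to requiring preauth. A fail-closed guard keeps the safe default and reads clearly: `if (config == NULL || !config->disable_preauth_for_spns) { return KRB5_KDB_REQUIRES_PRE_AUTH; }`. On the same lines, `ied->ipa_user != true` is more idiomatically `!ied->ipa_user`, and the `ied == NULL` path silently requires preauth — the right direction, but it means the option does nothing if `e_data` is not yet populated when this is called, which deserves a comment such as `/* no e_data yet: fail closed and require preauth */`.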
@@ -991,7 +1010,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
                 if (ret == 0) {
                     entry->attributes |= result;
                 } else {
-                    entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+                    entry->attributes |= maybe_require_preauth(ipactx, entry);
                 }
             }
         }
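Review bot: The `else` branch on the changed line runs when a ticket-flags value was present but could not be parsed (`ret != 0`, judging from the surrounding `if (ret == 0) entry->attributes |= result;`), and it now applies the relaxed global default there as well. The commit message promises the option only affects the default and never overrides explicit policies, so a malformed explicit value is the one case where a principal with a policy set would end up weaker than intended; keeping `entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;` in this parse-failure branch and using `maybe_require_preauth()` only where the attribute is absent would preserve that promise. `ipadb_fetch_tktpolicy` starts and ends outside the hunk.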
@@ -1007,7 +1026,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
             entry->max_renewable_life = 604800;
         }
         if (polmask & TKTFLAGS_BIT) {
-            entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+            entry->attributes |= maybe_require_preauth(ipactx, entry);
         }
 
         kerr = 0;
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index a6b4d4349a9ac6de453d9ad3c679ec32add4e43b..5d29129803b4d935f4f788caa6fd61fd85db6fe8 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -202,7 +202,8 @@ class config(LDAPObject):
             doc=_('Extra hashes to generate in password plug-in'),
             values=(u'AllowNThash',
                     u'DisableSetKeytab', u'DisableUserSetKeytab',
-                    u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
+                    u'KDC:Disable Last Success', u'KDC:Disable Lockout',
+                    u'KDC:Disable Default Preauth for SPNs'),
             csv=True,
         ),
         Str('ipaselinuxusermaporder',
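Review bot: The `doc=_('Extra hashes to generate in password plug-in')` string above the extended `values` tuple now describes only the first entry, while the new `KDC:Disable Default Preauth for SPNs` value (like the two existing `KDC:` flags) is a KDC behaviour switch that weakens authentication for non-user principals and deserves to be discoverable from `ipa config-mod --help`. Suggested wording: `doc=_('Extra hashes to generate in password plug-in and KDC behaviour flags (KDC:Disable Default Preauth for SPNs drops the preauthentication requirement for non-user principals unless an explicit policy sets it)')`. The enclosing `config` class starts and ends outside the hunk.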
-- 
2.5.0
