As described in #232 start restricting the use of the setkeytab
operation to just the computers objects.

I haven't tested this with older RHEL/CentOS machines that actully use
the setkeytab operation as I do not have such an old VM handy right now.

Meanwhile I'd like to know if ppl agree with this approach.


Simo Sorce * Red Hat, Inc * New York
From 26afe94cea65ba50041592cf31f97b9e0502aeb0 Mon Sep 17 00:00:00 2001
From: Simo Sorce <>
Date: Mon, 25 Jul 2016 06:46:24 -0400
Subject: [PATCH] Restrict the old setkeytab operation

Allow it only to set computers keys by default. This is to allow older hosts
to join a newer IPA Server only. All other principals are denied access to
the setkeytab operation by default.


Signed-off-by: Simo Sorce <>
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 13 ++++++++++++-
 install/updates/20-aci.update                           |  5 +++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 3c2c44f6198bf74615fff1ae231a48bed77526ee..48880cdb74d2d12f016905c151f8fa9ad36c6d8a 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1171,6 +1171,8 @@ done:
     return rc;
+#define SETKEYS_OP_CHECK "ipaProtectedOperation;set_keys"
 /* Password Modify Extended operation plugin function */
 static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
@@ -1238,15 +1240,24 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
         goto free_and_return;
-    /* Accesseck strategy:
+    /* Access check strategy:
      * If the user has WRITE access, a new keytab can be set on the entry.
      * If not, then we fail immediately with insufficient access. This
      * means that we don't leak any useful information to the client such
      * as current password wrong, etc.
+     *
+     * In addition to the historic check, we now also check if the setkeytab
+     * operation is allowed at all.
     allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry,
                                                "krbPrincipalKey", NULL,
+    if (allowed_access) {
+        /* check if we are allowed to *set* keys */
+        allowed_access = is_allowed_to_access_attr(pb, bindDN, targetEntry,
+                                                   SETKEYS_OP_CHECK, NULL,
+                                                   SLAPI_ACL_WRITE);
+    }
     if (!allowed_access) {
         LOG_FATAL("Access not allowed to set keytab on [%s]!\n",
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index e9c10f54aadf5062c5a03f0d4b36343079462919..0251a7af9b7520f7164b112d19a59d897226f218 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -114,6 +114,11 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entit
 add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)
+# Set Keytab operation Access Control - legacy interface for host joins
+dn: cn=computers,cn=accounts,$SUFFIX
+add:aci: (targetattr="ipaProtectedOperation;set_keys")(version 3.0; acl "Installers are allowed to set host keytabs"; allow(write) userattr="managedby#USERDN";)
+add:aci: (targetattr="ipaProtectedOperation;set_keys")(version 3.0; acl "Admins are allowed to set host keytabs"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 # User certificates
 dn: $SUFFIX
 add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";;)

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA:

Reply via email to