On Wed, 2012-05-16 at 15:08 -0700, Thomas Jackson wrote:
> On Tue, May 15, 2012 at 3:24 PM, Simo Sorce <s...@redhat.com> wrote:
>         On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
>         > So going through the documentation it's clearly laid out not to use
>         > kadmin or kadmin.local when using freeipa.  I have been unable to find
>         > how to replace this functionality in the documentation.
>         >
>         > If I could use kadmin.local on my kdc I would like to run the
>         > following command....
>         >
>         > modprinc +requires_hwauth user
>         >
>         > Am I going to need to extend/modify the krb5 schema to modify
>         > principals' attributes in this way?
>         >
>         For this specific change you can use kadmin.local, but the IPA UI will
>         not report anything about it.
>         The flags part is still a weak point of the Web UI; if you want you can
>         open an RFE ticket to ask for better support for these flags. We need to
>         do it at some point, we simply haven't yet as we concentrated on more
>         important and pressing issues this far.
>         Simo.
>         --
>         Simo Sorce * Red Hat, Inc * New York
> The following errors lead me to believe I am missing something, as
> kadmin.local appears to have access issues when trying to modify a
> principal.
> kadmin.local:  modprinc +requires_hwauth user
> modify_principal: User modification failed: Insufficient access while
> modifying "user".
> For good measure I've modified /var/kerberos/krb5kdc/kadm5.acl with the
> correct ACLs for the domain and still encounter the same errors.
> -ipa 2.1.3

Ok I took a second look at how to make it simple.

First of all, I misremembered about the fact that these flags were saved in
the krbExtraData field. They are not; there is a specific attribute for
all ticket flags, called krbTicketFlags.

This attribute is normally not set on entries, as the defaults for the
realm are used; however, the requires_hwauth flag is not a default and
you want to enable it only for user principals, not for all principals on
the server.

That can be easily done by adding the krbTicketFlags attribute.
However, in order to do this properly you need to calculate the value to
set based on this (partial) table:

KRB5_KDB_DISALLOW_DUP_SKEY      0x00000020
KRB5_KDB_DISALLOW_ALL_TIX       0x00000040
KRB5_KDB_REQUIRES_PRE_AUTH      0x00000080
KRB5_KDB_REQUIRES_HW_AUTH       0x00000100

The default flag for IPA users is KRB5_KDB_REQUIRES_PRE_AUTH, so in order
to properly set the flag you need to combine it with the flag you want:

So 0x0100 + 0x0080 = 0x0180

In decimal 0x0180 becomes 384

So you need to change the entry to set krbTicketFlags to 384

Now, normally I would tell you to do that using the following command:
ipa user-mod <username> --setattr=krbticketflags=384

However, we restrict even admin from touching that attribute, so you
have 2 options:

1. change the default ACI to allow admin to edit that attribute.
2. do an ldapmodify operation instead, binding as the Directory Manager.


Simo Sorce * Red Hat, Inc * New York
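Putting the arithmetic from the message into a small tool, as an added example that is not code from this thread or from the FreeIPA project: it takes the entry's current krbTicketFlags (None when the attribute is absent and the realm default applies), applies a kadmin-style "+flag/-flag" spec on top of the IPA user default instead of overwriting with a fixed 384 (which would silently clear any other bit already set), decodes a stored value back into flag names so the change can be audited without the Web UI, and writes the LDIF for option 2. The flag table goes beyond the partial one above and lists the other KRB5_KDB_* bits from MIT krb5's kdb.h; the users-container DN layout and the example base DN are assumptions to check against your own directory.

```python
"""Compute krbTicketFlags for an IPA principal and emit the matching LDIF.

Added example, not code from the FreeIPA project or from the thread.
Bit values are the KRB5_KDB_* constants from MIT krb5's kdb.h (the four
listed in the message are the same bits).  The DN layout
uid=<user>,cn=users,cn=accounts,<base> is the usual IPA tree but is an
assumption here, as is the example base DN in the usage below.
"""

KDB_FLAGS = {
    "disallow_postdated":      0x00000001,
    "disallow_forwardable":    0x00000002,
    "disallow_tgt_based":      0x00000004,
    "disallow_renewable":      0x00000008,
    "disallow_proxiable":      0x00000010,
    "disallow_dup_skey":       0x00000020,
    "disallow_all_tix":        0x00000040,
    "requires_preauth":        0x00000080,
    "requires_hwauth":         0x00000100,
    "requires_pwchange":       0x00000200,
    "disallow_svr":            0x00001000,
    "pwchange_service":        0x00002000,
    "ok_as_delegate":          0x00100000,
    "ok_to_auth_as_delegate":  0x00200000,
    "no_auth_data_required":   0x00400000,
}

# IPA user principals get REQUIRES_PRE_AUTH by default (per the message);
# this is the base when the entry carries no krbTicketFlags of its own.
IPA_USER_DEFAULT = KDB_FLAGS["requires_preauth"]


def parse_modprinc_flags(spec):
    """Turn kadmin-style words such as "+requires_hwauth -disallow_svr"
    into a (set_mask, clear_mask) pair."""
    set_mask = clear_mask = 0
    for word in spec.split():
        if word[0] not in "+-" or word[1:] not in KDB_FLAGS:
            raise ValueError("unknown flag spec: %r" % word)
        bit = KDB_FLAGS[word[1:]]
        if word[0] == "+":
            set_mask |= bit
        else:
            clear_mask |= bit
    return set_mask, clear_mask


def new_ticket_flags(current, spec, default=IPA_USER_DEFAULT):
    """Apply a modprinc-style spec to the entry's current krbTicketFlags.

    current is None when the attribute is absent (realm defaults apply),
    otherwise the integer (or decimal string) the entry holds.  Bits that
    are already set are preserved rather than replaced by a fixed 384.
    """
    base = default if current is None else int(current)
    set_mask, clear_mask = parse_modprinc_flags(spec)
    return (base | set_mask) & ~clear_mask


def decode_ticket_flags(value):
    """Sorted names of the bits set in a krbTicketFlags value (for auditing)."""
    return sorted(name for name, bit in KDB_FLAGS.items() if value & bit)


def ldif_for_user(uid, base_dn, current, spec):
    """LDIF for ldapmodify run as Directory Manager (option 2 above).

    Uses 'add' when the attribute is absent and 'replace' when it exists,
    so the same function works for first-time and follow-up changes.
    """
    value = new_ticket_flags(current, spec)
    op = "add" if current is None else "replace"
    return "\n".join([
        "dn: uid=%s,cn=users,cn=accounts,%s" % (uid, base_dn),  # assumed layout
        "changetype: modify",
        "%s: krbTicketFlags" % op,
        "krbTicketFlags: %d" % value,
        "",
    ])


if __name__ == "__main__":
    # The case from the message: no attribute yet, add requires_hwauth.
    print(new_ticket_flags(None, "+requires_hwauth"))
    print(decode_ticket_flags(384))
    print(ldif_for_user("user", "dc=example,dc=com", None, "+requires_hwauth"))
```

The LDIF goes to the standard OpenLDAP client bound as Directory Manager, for example `ldapmodify -x -D "cn=Directory Manager" -W -f user.ldif`; reading krbTicketFlags back with ldapsearch and running the value through decode_ticket_flags confirms the change that the Web UI will not display.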

Freeipa-users mailing list