Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-24 Thread Petr Vobornik

On 06/23/2015 08:58 PM, Nathaniel McCallum wrote:
> 
>> On Jun 23, 2015, at 2:55 PM, Simo Sorce wrote:
>>
>> On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
>>> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
>>> +  process-group=kdcproxy application-group=kdcproxy
>>> +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
>>
>> I find sticking an application in __init__.py a bit questionable, but
>> that's in kdcproxy and not your code.
>> Nathaniel, can you change that in future ? Or maybe we can do it now ?
>>
>> We should really have something like /usr/sbin/wsgi_kscproxy.py
>> or /usr/libexec/kdcproxy/kdcproxy.py or similar, not something snook
>> into a __init__.py file down there.
>>
>> Everything else looks ok to me.
> 
> I think it is a valid upstream question. If we change that upstream, we can
> update FreeIPA.
> 
> Alright, let’s ride this patch all the way to ACK-town.
> 
> Nathaniel



Pushed to master: 495da412f155603c02907187c21dd4511281df2c
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum

> On Jun 23, 2015, at 2:55 PM, Simo Sorce  wrote:
> 
> On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
>> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
>> +  process-group=kdcproxy application-group=kdcproxy
>> +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
> 
> I find sticking an application in __init__.py a bit questionable, but
> that's in kdcproxy and not your code.
> Nathaniel, can you change that in future ? Or maybe we can do it now ?
> 
> We should really have something like /usr/sbin/wsgi_kscproxy.py
> or /usr/libexec/kdcproxy/kdcproxy.py or similar, not something snook
> into a __init__.py file down there.
> 
> Everything else looks ok to me.

I think it is a valid upstream question. If we change that upstream, we can 
update FreeIPA.

Alright, let’s ride this patch all the way to ACK-town.

Nathaniel


Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Simo Sorce
On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote:
> +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
> +  process-group=kdcproxy application-group=kdcproxy
> +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py

I find sticking an application in __init__.py a bit questionable, but
that's in kdcproxy and not your code.
Nathaniel, can you change that in future ? Or maybe we can do it now ?

We should really have something like /usr/sbin/wsgi_kscproxy.py
or /usr/libexec/kdcproxy/kdcproxy.py or similar, not something snook
into a __init__.py file down there.

Everything else looks ok to me.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
I’m sold. ACK

Simo, speak now or forever hold your peace (or patch it later).


> On Jun 23, 2015, at 2:20 PM, Christian Heimes  wrote:
> 
> On 2015-06-23 19:55, Nathaniel McCallum wrote:
>> The behavior I'm worried about here is this:
>> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
>> 2. Admin disables kdcproxy
>> 3. Admin updates to the next version
>> 
>> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer 
>> to this (or at least I'm not seeing it).
>> 
>> Other than this, I'm happy. So if we can answer this, it is an ack from me.
> 
> That is covered by the check is_kdcproxy_configured(). It checks for the
> presence of a file. That file is created during installation or at the
> first update.
> 
> 
> Let's see if the check works. At first I'm disabling kdcproxy:
> 
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
> Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif'
> Updating existing entry:
> cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
> Done
> Update complete
> The ipa-ldap-updater command was successful
> 
> # systemctl restart httpd.service
> 
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> 
> 
> 404 Not Found
> 
> Not Found
> The requested URL /KdcProxy was not found on this server.
> 
> 
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
> stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file
> or directory
> 
> 
> Next I'm running the updater and checking the feature again:
> 
> # ipa-server-upgrade
> ...
> # systemctl restart httpd.service
> 
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> 
> 
> 404 Not Found
> 
> Not Found
> The requested URL /KdcProxy was not found on this server.
> 
> 
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
> stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file
> or directory
> 
> 
> KDC proxy is still disabled. Let's enable it and check again.
> 
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
> Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif'
> Updating existing entry:
> cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
> Done
> Update complete
> The ipa-ldap-updater command was successful
> 
> # systemctl restart httpd.service
> 
> # curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
> Method not allowed (GET)
> 
> # stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
>  File: ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’ ->
> ‘/etc/ipa/kdcproxy/ipa-kdc-proxy.conf’
>  Size: 36  Blocks: 0  IO Block: 4096   symbolic link
> Device: fd01h/64769dInode: 398238  Links: 1
> ...
> 
> 



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 19:55, Nathaniel McCallum wrote:
> The behavior I'm worried about here is this:
> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
> 2. Admin disables kdcproxy
> 3. Admin updates to the next version
> 
> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer 
> to this (or at least I'm not seeing it).
> 
> Other than this, I'm happy. So if we can answer this, it is an ack from me.

That is covered by the check is_kdcproxy_configured(). It checks for the
presence of a file. That file is created during installation or at the
first update.


Let's see if the check works. At first I'm disabling kdcproxy:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif'
Updating existing entry:
cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
Done
Update complete
The ipa-ldap-updater command was successful

# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy


404 Not Found

Not Found
The requested URL /KdcProxy was not found on this server.


# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file
or directory


Next I'm running the updater and checking the feature again:

# ipa-server-upgrade
...
# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy


404 Not Found

Not Found
The requested URL /KdcProxy was not found on this server.


# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file
or directory


KDC proxy is still disabled. Let's enable it and check again.

# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif'
Updating existing entry:
cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
Done
Update complete
The ipa-ldap-updater command was successful

# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
Method not allowed (GET)

# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
  File: ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’ ->
‘/etc/ipa/kdcproxy/ipa-kdc-proxy.conf’
  Size: 36  Blocks: 0  IO Block: 4096   symbolic link
Device: fd01h/64769dInode: 398238  Links: 1
...
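
The enable/disable design under discussion (rendered config created once at install or first upgrade, is_kdcproxy_configured() keyed on that file, ExecStartPre symlink driven by ipaConfigString=kdcProxyEnabled), written out as an added Python example; it is not FreeIPA's ipa-httpd-kdcproxy or httpinstance.py code. Assumptions: the LDAP lookup is replaced by a plain list of ipaConfigString values handed in by the caller, all paths are parameters so everything runs in a temporary directory, TEMPLATE is a constructed placeholder for ipa-kdc-proxy.conf.template, and install_or_upgrade(), sync_conf_symlink() and the replay_*() functions are hypothetical names.

```python
import os
import tempfile

# Value the thread keys the feature on:
# ipaConfigString=kdcProxyEnabled on cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
KDCPROXY_FLAG = "kdcProxyEnabled"

# Constructed placeholder; the real ipa-kdc-proxy.conf.template is not on the page.
TEMPLATE = "# rendered ipa-kdc-proxy.conf (constructed placeholder)\n"


def is_kdcproxy_configured(conf_path):
    """The check described in the thread: the feature counts as configured once
    the rendered Apache config exists, independent of the LDAP on/off flag."""
    return os.path.isfile(conf_path)


def install_or_upgrade(conf_path, flag_values):
    """Installer/upgrade step (hypothetical name). Renders the config from the
    template on the first run only and enables the flag on that first run; on
    later upgrades the admin's current LDAP state is left untouched.

    Returns (new_flag_values, first_run)."""
    if is_kdcproxy_configured(conf_path):
        return list(flag_values), False
    with open(conf_path, "w") as fh:
        fh.write(TEMPLATE)
    return list(flag_values) + [KDCPROXY_FLAG], True


def sync_conf_symlink(flag_values, conf_path, link_path):
    """ExecStartPre step (stand-in for ipa-httpd-kdcproxy): make link_path a
    symlink to conf_path iff the flag is present, otherwise make sure nothing
    is mounted there. A stale regular file at link_path (for example a
    packaging placeholder) is replaced as well. Returns 'enabled'/'disabled'."""
    enabled = KDCPROXY_FLAG in flag_values
    if os.path.lexists(link_path):
        if enabled and os.path.islink(link_path) and os.readlink(link_path) == conf_path:
            return "enabled"            # already correct, nothing to do
        os.remove(link_path)
    if enabled:
        os.symlink(conf_path, link_path)
        return "enabled"
    return "disabled"


def replay_upgrade_scenario():
    """Nathaniel's three steps: install with kdcproxy, admin disables it,
    upgrade to the next version. Returns the symlink state after each step
    and whether the second upgrade touched the flag."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "ipa-kdc-proxy.conf")      # /etc/ipa/kdcproxy/...
        confd = os.path.join(root, "conf.d")                 # /etc/httpd/conf.d/
        os.mkdir(confd)
        link = os.path.join(confd, "ipa-kdc-proxy.conf")
        flags = []                                           # constructed empty entry
        states = []

        flags, _ = install_or_upgrade(conf, flags)           # 1. install/update
        states.append(sync_conf_symlink(flags, conf, link))  #    httpd restart

        flags = [v for v in flags if v != KDCPROXY_FLAG]     # 2. kdcproxy-disable.uldif
        states.append(sync_conf_symlink(flags, conf, link))

        flags, first_run = install_or_upgrade(conf, flags)   # 3. ipa-server-upgrade
        states.append(sync_conf_symlink(flags, conf, link))
        return states, first_run


def replay_stale_placeholder():
    """Edge case: a regular file already sits at the conf.d path (as the spec's
    /bin/touch in %install would leave behind). With the flag set it must end
    up as a symlink pointing at the rendered config."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "ipa-kdc-proxy.conf")
        link = os.path.join(root, "conf.d-ipa-kdc-proxy.conf")
        with open(conf, "w") as fh:
            fh.write(TEMPLATE)
        with open(link, "w") as fh:
            fh.write("")                                     # the placeholder
        state = sync_conf_symlink([KDCPROXY_FLAG], conf, link)
        return state, os.path.islink(link), os.readlink(link) == conf


if __name__ == "__main__":
    print(replay_upgrade_scenario())   # (['enabled', 'disabled', 'disabled'], False)
    print(replay_stale_placeholder())  # ('enabled', True, True)
```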





Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
The behavior I'm worried about here is this:
1. Admin installs or updates FreeIPA (w/ kdcproxy)
2. Admin disables kdcproxy
3. Admin updates to the next version

After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to 
this (or at least I'm not seeing it).

Other than this, I'm happy. So if we can answer this, it is an ack from me.

- Original Message -
> head -> desk!
> Of course you are right. The old code ran the update code. I fixed it.
> 
> Rob also suggested that I use .uldif as prefix. My LDIFs aren't strictly
> LDIFs because they use dynamic templates.
> 



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 17:35, Nathaniel McCallum wrote:
> typo: is_kdcprox_configured
> 
> You need to update the commit message (don't do changes since last patch).
> 
> Also, I'm pretty sure this is the case, but the code in 
> ipaserver/install/httpinstance.py only executes during initial installation, 
> right?

head -> desk!
Of course you are right. The old code ran the update code. I fixed it.

Rob also suggested that I use .uldif as prefix. My LDIFs aren't strictly
LDIFs because they use dynamic templates.
From 93cc97a9ffdf0d76c377b731d418999d95fe299a Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801
---
 freeipa.spec.in  |  25 +
 init/systemd/httpd.service   |   2 +
 install/conf/Makefile.am |   1 +
 install/conf/ipa-kdc-proxy.conf.template |  30 ++
 install/conf/ipa.conf|   6 +-
 install/share/Makefile.am|   3 +
 install/share/kdcproxy-disable.uldif |   3 +
 install/share/kdcproxy-enable.uldif  |   6 ++
 install/share/kdcproxy.conf  |   4 +
 install/tools/Makefile.am|   5 +
 install/tools/ipa-httpd-kdcproxy | 180 +++
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/httpinstance.py|  65 ++-
 ipaserver/install/ipa_backup.py  |   1 +
 ipaserver/install/server/upgrade.py  |   5 +
 15 files changed, 335 insertions(+), 5 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf.template
 create mode 100644 install/share/kdcproxy-disable.uldif
 create mode 100644 install/share/kdcproxy-enable.uldif
 create mode 100644 install/share/kdcproxy.conf
 create mode 100755 install/tools/ipa-httpd-kdcproxy

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..caacf4bda0611c31880933e8e05db6518886eb65 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -22,6 +22,10 @@
 
 %define _hardened_build 1
 
+%define kdcproxy_user kdcproxy
+%define kdcproxy_group kdcproxy
+%define kdcproxy_home %{_sharedstatedir}/kdcproxy
+
 Name:   freeipa
 Version:__VERSION__
 Release:__RELEASE__%{?dist}
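Review bot: the three new macros define a kdcproxy service account and a home under %{_sharedstatedir}, but nothing in this hunk creates that user or directory. The `Requires(pre): shadow-utils` added further down implies a %pre useradd, which is outside the visible part of the spec; make sure that scriptlet uses these macros (`useradd -r -d %{kdcproxy_home} -g %{kdcproxy_group} %{kdcproxy_user}` or similar) and that %files owns %{kdcproxy_home}, so the WSGI daemon group the commit message describes really runs under a distinct uid/gid.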
@@ -95,6 +99,7 @@ BuildRequires:  p11-kit-devel
 BuildRequires:  pki-base >= 10.2.4-1
 BuildRequires:  python-pytest-multihost >= 0.5
 BuildRequires:  python-pytest-sourceorder
+BuildRequires:  python-kdcproxy >= 0.3
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
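Review bot: `BuildRequires: python-kdcproxy >= 0.3` only makes sense if something at build or test time imports kdcproxy; the commit message describes an Apache config template plus a symlink-management script, neither of which needs the module to build. If nothing imports it during the build, drop this line and rely on the runtime `Requires` below; if it is needed, a one-line comment saying what needs it would help the next reader.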
@@ -130,6 +135,7 @@ Requires: memcached
 Requires: python-memcached
 Requires: dbus-python
 Requires: systemd-units >= 38
+Requires(pre): shadow-utils
 Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
@@ -140,6 +146,7 @@ Requires: pki-kra >= 10.2.4-1
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1
+Requires: python-kdcproxy >= 0.3
 Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
@@ -429,6 +436,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
 # So we can own our Apache configuration
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_usr}/share/ipa/html/
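Review bot: touching `%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf` in %install makes the package own a regular (empty) file at exactly the path the commit message says the ExecStartPre script turns into a symlink to /etc/ipa/kdcproxy/ipa-kdc-proxy.conf. Unlike ipa.conf and ipa-pki-proxy.conf, which are real config files, this entry is replaced on the host, so `rpm -V` will report it as changed and, depending on the %files attributes (not visible here), an upgrade may reinstall the placeholder over the symlink and silently disable the proxy until the next httpd restart. Marking it %ghost, or not packaging it at all and letting the script own the path, avoids that.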
@@ -458,6 +466,10 @@ install daemons/dnss

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
typo: is_kdcprox_configured

You need to update the commit message (don't do changes since last patch).

Also, I'm pretty sure this is the case, but the code in 
ipaserver/install/httpinstance.py only executes during initial installation, 
right?

- Original Message -
> This is hopefully the final patch. I've tested a fresh installation and
> upgrade from 4.2 alpha 1.
> 
> Christian
> 



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
This is hopefully the final patch. I've tested a fresh installation and
upgrade from 4.2 alpha 1.

Christian
From f503bb15304edea863ba1bad91657b1f880f0e4b Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

Changes since the last patch:
- WSGI shim module was removed in favor of the symlink approach.
- Since the ExecStartPre script runs as root user, EXTERNAL GSSAPI
  bind can be used. This eliminates the need for a keytab, service
  principal and additional permission.
- Require python-kdcproxy 0.3
- Set env var in httpd.service instead of SetEnv

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801
---
 freeipa.spec.in  |  26 +
 init/systemd/httpd.service   |   2 +
 install/conf/Makefile.am |   1 +
 install/conf/ipa-kdc-proxy.conf.template |  30 ++
 install/conf/ipa.conf|   6 +-
 install/share/Makefile.am|   3 +
 install/share/kdcproxy-disable.ldif  |   3 +
 install/share/kdcproxy-enable.ldif   |   6 ++
 install/share/kdcproxy.conf  |   4 +
 install/tools/Makefile.am|   5 +
 install/tools/ipa-httpd-kdcproxy | 180 +++
 ipaplatform/base/paths.py|   4 +-
 ipaserver/install/httpinstance.py|  65 ++-
 ipaserver/install/ipa_backup.py  |   1 +
 14 files changed, 331 insertions(+), 5 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf.template
 create mode 100644 install/share/kdcproxy-disable.ldif
 create mode 100644 install/share/kdcproxy-enable.ldif
 create mode 100644 install/share/kdcproxy.conf
 create mode 100755 install/tools/ipa-httpd-kdcproxy

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..80331e60006829c77c7994d600318fc331a6b711 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -22,6 +22,10 @@
 
 %define _hardened_build 1
 
+%define kdcproxy_user kdcproxy
+%define kdcproxy_group kdcproxy
+%define kdcproxy_home %{_sharedstatedir}/kdcproxy
+
 Name:   freeipa
 Version:__VERSION__
 Release:__RELEASE__%{?dist}
@@ -95,6 +99,7 @@ BuildRequires:  p11-kit-devel
 BuildRequires:  pki-base >= 10.2.4-1
 BuildRequires:  python-pytest-multihost >= 0.5
 BuildRequires:  python-pytest-sourceorder
+BuildRequires:  python-kdcproxy >= 0.3
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -130,6 +135,7 @@ Requires: memcached
 Requires: python-memcached
 Requires: dbus-python
 Requires: systemd-units >= 38
+Requires(pre): shadow-utils
 Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
@@ -140,6 +146,7 @@ Requires: pki-kra >= 10.2.4-1
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1
+Requires: python-kdcproxy >= 0.3
 Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
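Review bot: the runtime dependency here is `python-kdcproxy >= 0.3`, but the first bullet of the commit message above still says `python-kdcproxy >= 0.2.1`; only the "Changes since the last patch" list mentions 0.3. Update that bullet to match the spec, and move the "Changes since the last patch" block out of the commit message into the cover mail, since it describes review iterations rather than the change itself.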
@@ -429,6 +436,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
 # So we can own our Apache configuration
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_usr}/share/ipa/html/
@@ -458,6 +466,10 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 # Web UI plugin dir
 mkdir -p %{buildroo

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 16:55, Nathaniel McCallum wrote:
> 
> 
> - Original Message -
>> Ah, got it!
>>
>> What's the simplest way to download and test the new package on my VM?
> 
> Download the package from koji. 
> http://koji.fedoraproject.org/koji/packageinfo?packageID=19292

Ah, that's much simpler than my approach. I used rhpkg, spectool, wget
and rpmbuild to build my own package.

Christian





Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Petr Spacek
On 23.6.2015 15:16, Christian Heimes wrote:
> On 2015-06-23 15:14, Nathaniel McCallum wrote:
>> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
>>> On 2015-06-23 14:58, Nathaniel McCallum wrote:
>>>> I agree. One other small nitpick is that the python-kdcproxy dependency
>>>> is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
>>>> and Fedora. The only remaining step here is to push python-kdcproxy in
>>>> the same update as the next FreeIPA build.
>>>
>>> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still
>>> python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates
>>> either.
>>
>> ... because it hasn't been pushed.
>>
>> Updates are a two-step process. First you build the new package, then
>> you push it. It is currently built, just not pushed. We will push
>> FreeIPA and kdcproxy together.
> 
> Ah, got it!
> 
> What's the simplest way to download and test the new package on my VM?

For Fedora go to http://koji.fedoraproject.org/koji/ and use search box to
find the package you are interested in.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum


- Original Message -
> Ah, got it!
> 
> What's the simplest way to download and test the new package on my VM?

Download the package from koji. 
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 11:37, Christian Heimes wrote:
> Hi,
> 
> I've created a new patch that implements the KDC switch as a
> ExecStartPre hook in httpd.service.

My patch has a bug. Apache's SetEnv doesn't set an operating system env
var. The information is only available as WSGI env var.

I'm going to set it in httpd.service.

Christian




Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 14:56, Simo Sorce wrote:
> Why are you using "#!/usr/bin/env python2.7" ?
> We do not use this idiom, as it breaks in some cases, at most in some
> sources that are v2 only we use "#!/usr/bin/python2", please change it.

Force of habit. I'm used to using /usr/bin/env in my own packages.
Otherwise the code isn't compatible with virtual envs. For FreeIPA it
makes more sense to stick to python2. I'm going to change it.

> I am not sure you should really have a completely separate
> KDCProxyInstance, if I read it right that will cause httpd to be
> restarted twice. If you put KDCProxy enablement as one step of the
> httpdinstance then you will have much less code and httpd can be
> restarted only once.
> KDCProxy in general is not a separate service so instantiating it as a
> full service seems wrong to me. IMO it should be just one of the many
> steps of the http instance.

Correct, the KDCProxyInstance restarts the HTTPD service a second time.
The instance used to do much more work. In the last patch it created a
service principal with keytab and assigned a permission to the service
principal.

With the new design, the code has been simplified so much, that it
actually makes sense to move it into HTTPInstance. It's going to take me
just a couple of minutes to remove the instance.

Christian




Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 15:14, Nathaniel McCallum wrote:
> On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
>> On 2015-06-23 14:58, Nathaniel McCallum wrote:
>>> I agree. One other small nitpick is that the python-kdcproxy dependency
>>> is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
>>> and Fedora. The only remaining step here is to push python-kdcproxy in
>>> the same update as the next FreeIPA build.
>>
>> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still
>> python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates
>> either.
> 
> ... because it hasn't been pushed.
> 
> Updates are a two-step process. First you build the new package, then
> you push it. It is currently built, just not pushed. We will push
> FreeIPA and kdcproxy together.

Ah, got it!

What's the simplest way to download and test the new package on my VM?

Christian





Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote:
> On 2015-06-23 14:58, Nathaniel McCallum wrote:
> > I agree. One other small nitpick is that the python-kdcproxy dependency
> > is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
> > and Fedora. The only remaining step here is to push python-kdcproxy in
> > the same update as the next FreeIPA build.
> 
> I don't see python-kdcproxy 0.3 on my F22 test VM. It's still
> python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates
> either.

... because it hasn't been pushed.

Updates are a two-step process. First you build the new package, then
you push it. It is currently built, just not pushed. We will push
FreeIPA and kdcproxy together.

Nathaniel



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 14:58, Nathaniel McCallum wrote:
> I agree. One other small nitpick is that the python-kdcproxy dependency
> is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
> and Fedora. The only remaining step here is to push python-kdcproxy in
> the same update as the next FreeIPA build.

I don't see python-kdcproxy 0.3 on my F22 test VM. It's still
python-kdcproxy-0.2.1-1.fc22.noarch. dnf update doesn't pull any updates
either.

Christian





Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
On Tue, 2015-06-23 at 08:56 -0400, Simo Sorce wrote:
> On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
> > Hi,
> > 
> > I've created a new patch that implements the KDC switch as a
> > ExecStartPre hook in httpd.service.
> > 
> > Testing:
> > If you are doing an upgrade of an existing installation, then you have
> > to run ipa-server-update first. The update creates the config file
> > /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template.
> > 
> > /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink
> > /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default.
> > 
> > Disable KDC Proxy on the current host:
> > # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif
> > # systemctl restart httpd.service
> > 
> > Enable KDC Proxy on the current host:
> > # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
> > # systemctl restart httpd.service
> > 
> > Regards,
> > Christian
> 
> A few questions.
> 
> Why are you using "#!/usr/bin/env python2.7" ?
> We do not use this idiom, as it breaks in some cases, at most in some
> sources that are v2 only we use "#!/usr/bin/python2", please change it.
> 
> I am not sure you should really have a completely separate
> KDCProxyInstance, if I read it right that will cause httpd to be
> restarted twice. If you put KDCProxy enablement as one step of the
> httpdinstance then you will have much less code and httpd can be
> restarted only once.
> KDCProxy in general is not a separate service so instantiating it as a
> full service seems wrong to me. IMO it should be just one of the many
> steps of the http instance.
> 
> The rest looks good.

I agree. One other small nitpick is that the python-kdcproxy dependency
is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL
and Fedora. The only remaining step here is to push python-kdcproxy in
the same update as the next FreeIPA build.

Nathaniel



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Simo Sorce
On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote:
> Hi,
> 
> I've created a new patch that implements the KDC switch as a
> ExecStartPre hook in httpd.service.
> 
> Testing:
> If you are doing an upgrade of an existing installation, then you have
> to run ipa-server-update first. The update creates the config file
> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template.
> 
> /usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink
> /etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default.
> 
> Disable KDC Proxy on the current host:
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif
> # systemctl restart httpd.service
> 
> Enable KDC Proxy on the current host:
> # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
> # systemctl restart httpd.service
> 
> Regards,
> Christian

A few questions.

Why are you using "#!/usr/bin/env python2.7" ?
We do not use this idiom, as it breaks in some cases, at most in some
sources that are v2 only we use "#!/usr/bin/python2", please change it.

I am not sure you should really have a completely separate
KDCProxyInstance, if I read it right that will cause httpd to be
restarted twice. If you put KDCProxy enablement as one step of the
httpd instance then you will have much less code and httpd can be
restarted only once.
KDCProxy in general is not a separate service so instantiating it as a
full service seems wrong to me. IMO it should be just one of the many
steps of the http instance.

The rest looks good.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
Hi,

I've created a new patch that implements the KDC switch as a
ExecStartPre hook in httpd.service.

Testing:
If you are doing an upgrade of an existing installation, then you have
to run ipa-server-update first. The update creates the config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a template.

/usr/libexec/ipa/ipa-httpd-kdcproxy creates / removes the symlink
/etc/httpd/conf.d/ipa-kdc-proxy.conf. The feature is enabled by default.

Disable KDC Proxy on the current host:
# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.ldif
# systemctl restart httpd.service

Enable KDC Proxy on the current host:
# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.ldif
# systemctl restart httpd.service

Regards,
Christian
From b860590e6859fc0edcd9543b1a0dc6e58d93afa6 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 23 Jun 2015 11:09:46 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The Apache config sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  locations of the KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

Changes since the last patch:
- WSGI shim module was removed in favor of the symlink approach.
- Since the ExecStartPre script runs as the root user, EXTERNAL GSSAPI
  bind can be used. This eliminates the need for a keytab, service
  principal and additional permission.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801
---
 freeipa.spec.in|  26 +
 init/systemd/httpd.service |   1 +
 install/conf/Makefile.am   |   1 +
 install/conf/ipa-kdc-proxy.conf.template   |  31 +
 install/conf/ipa.conf  |   6 +-
 install/share/Makefile.am  |   3 +
 install/share/kdcproxy-disable.ldif|   3 +
 install/share/kdcproxy-enable.ldif |   6 +
 install/share/kdcproxy.conf|   4 +
 install/tools/Makefile.am  |   5 +
 install/tools/ipa-httpd-kdcproxy   | 180 +
 ipaplatform/base/paths.py  |   4 +-
 ipaserver/install/ipa_backup.py|   1 +
 ipaserver/install/kdcproxyinstance.py  | 163 ++
 ipaserver/install/server/install.py|   8 +-
 ipaserver/install/server/replicainstall.py |   8 +-
 ipaserver/install/server/upgrade.py|   8 ++
 17 files changed, 452 insertions(+), 6 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf.template
 create mode 100644 install/share/kdcproxy-disable.ldif
 create mode 100644 install/share/kdcproxy-enable.ldif
 create mode 100644 install/share/kdcproxy.conf
 create mode 100755 install/tools/ipa-httpd-kdcproxy
 create mode 100644 ipaserver/install/kdcproxyinstance.py

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 809ac1e5bb877c85e29c082ecfb9ad91aa97b4f5..6b14650600016d9fa6f5baf01379c37af9b38eef 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -22,6 +22,10 @@
 
 %define _hardened_build 1
 
+%define kdcproxy_user kdcproxy
+%define kdcproxy_group kdcproxy
+%define kdcproxy_home %{_sharedstatedir}/kdcproxy
+
 Name:   freeipa
 Version:__VERSION__
 Release:__RELEASE__%{?dist}
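Review bot: the kdcproxy_user, kdcproxy_group and kdcproxy_home macros are defined here but nothing in this excerpt consumes them; the %pre scriptlet that creates the account (the one discussed upthread, which follows the Fedora UsersAndGroups "exit 0" convention) should reference %{kdcproxy_user}, %{kdcproxy_group} and %{kdcproxy_home} instead of repeating the literals, and should create the account as a system user with a nologin shell and %{kdcproxy_home} as its home, since the commit message says the WSGI daemon group runs under this uid/gid rather than the webui's.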
@@ -95,6 +99,7 @@ BuildRequires:  p11-kit-devel
 BuildRequires:  pki-base >= 10.2.4-1
 BuildRequires:  python-pytest-multihost >= 0.5
 BuildRequires:  python-pytest-sourceorder
+BuildRequires:  python-kdcproxy >= 0.2.1
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
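Review bot: python-kdcproxy is a runtime dependency of the WSGI app, so a BuildRequires on it is only justified if the build or the test suite actually imports kdcproxy; otherwise this line should be dropped. If it is kept, its version floor must not drift from the Requires line, and Nathaniel's review upthread asks for >= 0.3 rather than the 0.2.1 used here.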
@@ -130,6 +135,7 @@ Requires: memcached
 Requires: python-memcached
 Requires: dbus-python
 Requires: systemd-units >= 38
+Requires(pre): shadow-utils
 Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
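Review bot: Requires(pre): shadow-utils is the correct scriptlet-scoped dependency for the groupadd/useradd that will run in %pre; make sure the matching %postun does not remove the account, as the Fedora UsersAndGroups guideline linked upthread keeps system accounts in place so that files still owned by that uid are not left orphaned.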
@@ -140,6 +146,7 @@ Requires: pki-kra >= 10.2.4-1
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1
+Requires: python-kdcproxy >= 0.2.1
 R
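Review bot: the runtime floor on this line is still python-kdcproxy >= 0.2.1, while Nathaniel's review and his follow-up in this thread ask for >= 0.3 (already built in Koji); bump this Requires together with the BuildRequires above so the two stay in step with the version that carries the fixes the thread refers to.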

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-22 Thread Christian Heimes
On 2015-06-22 16:22, Nathaniel McCallum wrote:
> On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
>> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
>>> I'd still prefer a user mapping to managing a keytab. This patch is 
>>> just way too complex for what it does.
>>
>> User mapping ?
> 
> EXTERNAL bind

Nathaniel, Simo and I had a discussion on #ipa. Eventually our combined
brains came up with a simpler solution that is good enough for now. The
new proposal needs neither a keytab nor a new permission. It even
removes the need for a shim module.

The WSGI config file for Apache is moved to a different location (e.g.
/etc/ipa/ipa-kdc-proxy.conf). I have to check SELinux rules to find a
proper location.

An additional ExecStartPre script is hooked into httpd.service instead.
The script reads the status of the flag from LDAP. If kdcproxy is
enabled, it symlinks the WSGI config file to
/etc/httpd/conf.d/ipa-kdc-proxy.conf. Otherwise it removes the symlink.
When the file is not a symlink or doesn't point to
/etc/ipa/ipa-kdc-proxy.conf, then the script only prints a warning. The
file is neither replaced nor removed.

Because systemd scripts run as root, the ExecStartPre script can use
EXTERNAL bind over ldapi to access 389 DS. The root user is mapped to
the Directory Manager user, which is allowed to read all entries in the
cn=masters,cn=ipa,cn=etc subtree. That way the script needs neither
a keytab nor an additional permission.

With the ExecStartPre we don't lose any functionality. When the config
file is not symlinked, Apache responds with a 404 (just like before).
Apache must be reloaded before a new setting becomes effective (just
like before).

Christian



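The ExecStartPre switch Christian describes above, written out as an added example. This is not FreeIPA's ipa-httpd-kdcproxy script nor code from the patch: the LDAP lookup over ldapi with an EXTERNAL bind is replaced by a constructed dict standing in for the cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX entry, so the part that matters here, the idempotent create/remove/leave-alone decision on the conf.d symlink, runs offline. The function names, the return-value vocabulary and the demo scratch tree are all assumptions of this example.

```python
"""Added example (not FreeIPA's ipa-httpd-kdcproxy): idempotent symlink
switch for /etc/httpd/conf.d/ipa-kdc-proxy.conf driven by the
ipaConfigString=kdcProxyEnabled flag. The real script reads the flag
over ldapi; here the LDAP entry is a constructed dict."""
import logging
import os
import shutil
import tempfile

log = logging.getLogger("ipa-httpd-kdcproxy")

# Paths named in the thread; only main() would use them on a real host.
CONFIG_FILE = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
CONFD_LINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"
FLAG = "kdcProxyEnabled"

# Constructed sample of the KDC master entry's attributes (strings here;
# a python-ldap search would hand back bytes).
SAMPLE_KDC_ENTRY = {
    "cn": ["KDC"],
    "ipaConfigString": ["enabledService", "kdcProxyEnabled"],
}


def kdcproxy_enabled(entry):
    """True iff one ipaConfigString value is the kdcProxyEnabled marker.
    ipaConfigString is multi-valued; the match is case-insensitive so a
    hand-edited value with different casing still counts as enabled."""
    values = entry.get("ipaConfigString", [])
    return any(v.strip().lower() == FLAG.lower() for v in values)


def sync_symlink(enabled, link_path, target_path):
    """Make link_path -> target_path exist iff `enabled`.

    Returns 'created', 'removed', 'unchanged' or 'foreign'. Anything at
    link_path that is not our own symlink (a regular file, or a link to
    somewhere else) is only reported and left untouched, so the switch can
    never delete or overwrite an administrator's own conf.d entry.
    """
    if os.path.lexists(link_path):
        if not os.path.islink(link_path) or os.readlink(link_path) != target_path:
            log.warning("%s exists but is not a symlink to %s; leaving it alone",
                        link_path, target_path)
            return "foreign"
        if enabled:
            return "unchanged"
        os.unlink(link_path)
        return "removed"
    if enabled:
        os.symlink(target_path, link_path)
        return "created"
    return "unchanged"


def demo_switch():
    """Exercise the switch in a scratch tree: enable twice, disable twice,
    then try both directions against a locally managed file. Returns the
    sequence of outcomes so it can be checked."""
    scratch = tempfile.mkdtemp(prefix="kdcproxy-demo-")
    try:
        target = os.path.join(scratch, "etc", "ipa", "kdcproxy", "ipa-kdc-proxy.conf")
        link = os.path.join(scratch, "etc", "httpd", "conf.d", "ipa-kdc-proxy.conf")
        os.makedirs(os.path.dirname(target))
        os.makedirs(os.path.dirname(link))
        open(target, "w").close()
        outcomes = [
            sync_symlink(True, link, target),   # created
            sync_symlink(True, link, target),   # unchanged
            sync_symlink(False, link, target),  # removed
            sync_symlink(False, link, target),  # unchanged
        ]
        # An admin dropped a real file at the link path: hands off either way.
        with open(link, "w") as fh:
            fh.write("# locally managed\n")
        outcomes.append(sync_symlink(True, link, target))   # foreign
        outcomes.append(sync_symlink(False, link, target))  # foreign
        return outcomes
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(demo_switch())
```

Running the module prints the six outcomes from the scratch tree; on a real master the same `sync_symlink` would be called with `kdcproxy_enabled(entry)`, `CONFD_LINK` and `CONFIG_FILE`, and httpd still needs a reload for the result to take effect, exactly as the message says.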

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-22 Thread Nathaniel McCallum
On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
> > I'd still prefer a user mapping to managing a keytab. This patch is 
> > just way too complex for what it does.
> 
> User mapping ?

EXTERNAL bind

> > - Original Message -
> > > I brought up your suggestion in today's IPA devel meeting. Simo
> > > explained that anonymous binding might not be available. Some customers
> > > disable it on their systems. I'd have to find yet another way to
> > > authenticate, e.g. using the user account. That would only work locally,
> > > though.
> > > 
> > > Let's go ahead with my current approach. It's implemented and I have
> > > tested upgrade and refresh installation a couple of times, too.
> > > 
> > > Christian



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-22 Thread Christian Heimes
On 2015-06-22 16:01, Nathaniel McCallum wrote:
> I'd still prefer a user mapping to managing a keytab. This patch is just way 
> too complex for what it does.

I don't get what you mean with 'user mapping'. Are you referring to
EXTERNAL bind over ldapi?




Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-22 Thread Simo Sorce
On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
> I'd still prefer a user mapping to managing a keytab. This patch is just way 
> too complex for what it does.

User mapping ?

> - Original Message -
> > I brought up your suggestion in today's IPA devel meeting. Simo
> > explained that anonymous binding might not be available. Some customers
> > disable it on their systems. I'd have to find yet another way to
> > authenticate, e.g. using the user account. That would only work locally,
> > though.
> > 
> > Let's go ahead with my current approach. It's implemented and I have
> > tested upgrade and refresh installation a couple of times, too.
> > 
> > Christian
> > 
> 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-22 Thread Nathaniel McCallum
I'd still prefer a user mapping to managing a keytab. This patch is just way 
too complex for what it does.

- Original Message -
> I brought up your suggestion in today's IPA devel meeting. Simo
> explained that anonymous binding might not be available. Some customers
> disable it on their systems. I'd have to find yet another way to
> authenticate, e.g. using the user account. That would only work locally,
> though.
> 
> Let's go ahead with my current approach. It's implemented and I have
> tested upgrade and refresh installation a couple of times, too.
> 
> Christian
> 



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-22 Thread Christian Heimes
On 2015-06-17 18:09, Nathaniel McCallum wrote:
> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary. Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since anonymous binding can be used. This
> also, I believe, removes the need for a service.

I brought up your suggestion in today's IPA devel meeting. Simo
explained that anonymous binding might not be available. Some customers
disable it on their systems. I'd have to find yet another way to
authenticate, e.g. using the user account. That would only work locally,
though.

Let's go ahead with my current approach. It's implemented and I have
tested upgrade and refresh installation a couple of times, too.

Christian




Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-17 Thread Nathaniel McCallum
On Wed, 2015-06-17 at 21:21 +0200, Christian Heimes wrote:
> On 2015-06-17 18:09, Nathaniel McCallum wrote:
> > On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> >> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> >>> It doesn't apply again.
> >>>
> >>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> >>>> On 2015-05-27 15:16, Christian Heimes wrote:
> >>>>> Hello,
> >>>>>
> >>>>> here is my first patch for FreeIPA. The patch integrates python-kdcproxy
> >>>>> for MS-KKDCP support (aka Kerberos over HTTPS).
> >>>>>
> >>>>> https://www.freeipa.org/page/V4/KDC_Proxy
> >>>>>
> >>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
> >>>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> >>>> doesn't apply anymore. The new patch is based on the current master.
> >>>>
> >>>> Christian
> 
> Thanks Nathaniel,
> 
> quick review before I have to leave again. A couple of Red Hatters from
> Brno just arrived at the hotel. I'll grab a beer with them.
> 
> > I'm reviewing Adam's version of Christian's patch.
> > 
> > * FreeIPA should require python-kdcproxy >= 0.3 considering there are
> > lots of fixes related to this project.
> 
> We need to package it first, when I'm back from NHO. I've started to
> study the packaging docs in the engineering section. Maybe you or
> somebody else can walk me through the process next week?

I'm happy to walk you through it. However, it is already built (just
not pushed):
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292

> > * KDC Proxy path is not configurable. This probably needs to be noted
> > in documentation somewhere when mentioning the default path.
> 
> LGTM
> 
> > * Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?
> 
> How? I thought 2.16.840.1.113730.3.8.3 is in our own OID space and we
> don't have to register it with IANA. Or are you referring to another
> registry?

We have our own registry. I can walk you through the details off-thread.

> > * There is a new permission: Read IPA Masters KDC Proxy. Is this
> > necessary. Can't the config be world-readable and admin writable? There
> > is no extra security in hiding this attribute. This also completely
> > removes the need for a keytab since anonymous binding can be used. This
> > also, I believe, removes the need for a service.
> 
> That would make the code simpler and shorter too. I'm +0 on the proposal.
> 
> 
> > * The creation of the kdcproxy user is trailed by "exit 0". Why?
> 
> https://fedoraproject.org/wiki/Packaging:UsersAndGroups recommends "exit 0".
> 
> 
> > * replicainstall.py has trailing whitespace
> 
> I'll address it with my next patch.
> 


Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-17 Thread Christian Heimes
On 2015-06-17 18:09, Nathaniel McCallum wrote:
> On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
>> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
>>> It doesn't apply again.
>>>
>>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
>>>> On 2015-05-27 15:16, Christian Heimes wrote:
>>>>> Hello,
>>>>>
>>>>> here is my first patch for FreeIPA. The patch integrates python-kdcproxy
>>>>> for MS-KKDCP support (aka Kerberos over HTTPS).
>>>>>
>>>>> https://www.freeipa.org/page/V4/KDC_Proxy
>>>>>
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
>>>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
>>>> doesn't apply anymore. The new patch is based on the current master.
>>>>
>>>> Christian

Thanks Nathaniel,

quick review before I have to leave again. A couple of Red Hatters from
Brno just arrived at the hotel. I'll grab a beer with them.

> I'm reviewing Adam's version of Christian's patch.
> 
> * FreeIPA should require python-kdcproxy >= 0.3 considering there are
> lots of fixes related to this project.

We need to package it first, when I'm back from NHO. I've started to
study the packaging docs in the engineering section. Maybe you or
somebody else can walk me through the process next week?

> * KDC Proxy path is not configurable. This probably needs to be noted
> in documentation somewhere when mentioning the default path.

LGTM

> * Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?

How? I thought 2.16.840.1.113730.3.8.3 is in our own OID space and we
don't have to register it with IANA. Or are you referring to another
registry?

> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary. Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since anonymous binding can be used. This
> also, I believe, removes the need for a service.

That would make the code simpler and shorter too. I'm +0 on the proposal.


> * The creation of the kdcproxy user is trailed by "exit 0". Why?

https://fedoraproject.org/wiki/Packaging:UsersAndGroups recommends "exit 0".


> * replicainstall.py has trailing whitespace

I'll address it with my next patch.





Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-17 Thread Nathaniel McCallum
On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> > It doesn't apply again.
> > 
> > On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> > > On 2015-05-27 15:16, Christian Heimes wrote:
> > > > Hello,
> > > > 
> > > > here is my first patch for FreeIPA. The patch integrates python-kdcproxy
> > > > for MS-KKDCP support (aka Kerberos over HTTPS).
> > > > 
> > > > https://www.freeipa.org/page/V4/KDC_Proxy
> > > > 
> > > > Ticket: https://fedorahosted.org/freeipa/ticket/4801
> > > freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> > > doesn't apply anymore. The new patch is based on the current master.
> > > 
> > > Christian

I'm reviewing Adam's version of Christian's patch.

* FreeIPA should require python-kdcproxy >= 0.3 considering there are
lots of fixes related to this project.

* KDC Proxy path is not configurable. This probably needs to be noted
in documentation somewhere when mentioning the default path.

* Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?

* There is a new permission: Read IPA Masters KDC Proxy. Is this
necessary. Can't the config be world-readable and admin writable? There
is no extra security in hiding this attribute. This also completely
removes the need for a keytab since anonymous binding can be used. This
also, I believe, removes the need for a service.

* The creation of the kdcproxy user is trailed by "exit 0". Why?

* replicainstall.py has trailing whitespace

Nathaniel






Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-15 Thread Christian Heimes
On 2015-06-12 23:58, Adam Young wrote:
> So...I've been spoiled a bit by Gerrit.   Here is what I just did to get
> them to apply:
> 
> 
> cd freeipa
> git clean -xdf .
> #use the -3 to do 3 way merge
> git am -3
> ~/Documents/freeipa/patches/cheimes/freeipa-cheimes-0001-3-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> 
> @git status show conflicts in
> 
> both modified:   install/share/Makefile.am
> both modified:   ipaplatform/base/paths.py
> 
> Which were due to this change and another making changes to the same
> section of the file, but they were  "accept both"  type conflicts
> 
> Updated patch is attached.  Christian, please confirm it is OK.

Hi Adam,

awesome! The three-way-merge option is a great trick. I didn't know it
before. Your patch looks like the patch that I was about to upload now. :)

Christian





Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-12 Thread Adam Young

On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> It doesn't apply again.
>
> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
>> On 2015-05-27 15:16, Christian Heimes wrote:
>>> Hello,
>>>
>>> here is my first patch for FreeIPA. The patch integrates python-kdcproxy
>>> for MS-KKDCP support (aka Kerberos over HTTPS).
>>>
>>> https://www.freeipa.org/page/V4/KDC_Proxy
>>>
>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
>>
>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
>> doesn't apply anymore. The new patch is based on the current master.
>>
>> Christian

So...I've been spoiled a bit by Gerrit.   Here is what I just did to get 
them to apply:



cd freeipa
git clean -xdf .
#use the -3 to do 3 way merge
git am -3 
~/Documents/freeipa/patches/cheimes/freeipa-cheimes-0001-3-Provide-Kerberos-over-HTTP-MS-KKDCP.patch

@git status show conflicts in

both modified:   install/share/Makefile.am
both modified:   ipaplatform/base/paths.py

Which were due to this change and another making changes to the same 
section of the file, but they were  "accept both"  type conflicts


Updated patch is attached.  Christian, please confirm it is OK.






From 59c57ea2bfec59cac4a6b6dd35d794fef32c0b0f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 21 May 2015 12:42:27 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy
  dependencies are already satisfied.
- The service can be globally toggled with the boolean attribute
  ipaKDCproxyEnabled in cn=ipaConfig,cn=etc. The switch is supported by
  ipa config-mod --enable-kdcproxy.
- The installers and update create a new Apache config file
  ipa-kdc-proxy.conf that mounts a WSGI app at /KdcProxy. The app is run
  inside its own WSGI daemon group.
- The WSGI app at /KdcProxy is a WSGI wrapper that checks the state of
  the switch. When ipaKDCproxyEnabled is FALSE, an HTTP 404 error is
  returned. For performance reasons the flag is only checked at start
  of the WSGI app. Apache must be reloaded or restarted to read the
  switch state again.
- The WSGI app uses the Apache principal to acquire a Kerberos ticket to
  perform GSSAPI bindings for the LDAP query of ipaKDCproxyEnabled.
- The WSGI wrapper script sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  locations of the KDC and KPASSWD servers are read from /etc/krb5.conf.

Changes since patch 1:
- Further simplify krb ticket code
  Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are sufficient
  for the GSSAPI. http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of
  cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc
- add service principal KDCPROXY
- add own keytab /etc/ipa/kdcproxy/kdcproxy.keytab
- add permission 'System: Read IPA Masters KDC Proxy'
- add privilege 'IPA Masters KDC Proxy Readers'
- add ipa-ldap-updater scripts to enable/disable KDC Proxy
- Create a separate user and group account
  The KDC Proxy WSGI app now uses a separate user account to run the
  daemon process. The keytab is only readable by that user, too.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801
---
 ACI.txt|   4 +-
 API.txt|   3 +-
 freeipa.spec.in|  25 +++
 install/conf/Makefile.am   |   1 +
 install/conf/ipa-kdc-proxy.conf|  14 ++
 install/conf/ipa.conf  |   6 +-
 install/share/60ipaconfig.ldif |   4 +-
 install/share/Makefile.am  |   2 +
 install/share/kdcproxy-disable.ldif|   3 +
 install/share/kdcproxy-enable.ldif |   6 +
 install/share/kdcproxy.conf|   4 +
 install/share/kdcproxyshim.py  | 161 +
 install/ui/src/freeipa/serverconfig.js |   4 +
 install/updates/40-delegation.update   |   7 +
 install/updates/50-ipaconfig.update|   4 +
 ipalib/plugins/config.py   |   8 +-
 ipaplatform/base/paths.py  |   4 +-
 ipaserver/install/ipa_backup.py|   1 +
 ipaserver/install/kdcproxyinstance.py  | 201 +
 .../install/plugins/update_managed_permissions.py  |  11 ++
 ipaserver/install/server/install.py|   8 +-
 ipaserver/install/server/rep

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-12 Thread Nathaniel McCallum
It doesn't apply again.

On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> On 2015-05-27 15:16, Christian Heimes wrote:
> > Hello,
> > 
> > here is my first patch for FreeIPA. The patch integrates python-kdcproxy
> > for MS-KKDCP support (aka Kerberos over HTTPS).
> > 
> > https://www.freeipa.org/page/V4/KDC_Proxy
> > 
> > Ticket: https://fedorahosted.org/freeipa/ticket/4801
> 
> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> doesn't apply anymore. The new patch is based on the current master.
> 
> Christian



Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-09 Thread Christian Heimes
On 2015-05-27 15:16, Christian Heimes wrote:
> Hello,
> 
> here is my first patch for FreeIPA. The patch integrates python-kdcproxy
> for MS-KKDCP support (aka Kerberos over HTTPS).
> 
> https://www.freeipa.org/page/V4/KDC_Proxy
> 
> Ticket: https://fedorahosted.org/freeipa/ticket/4801

freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch doesn't
apply anymore. The new patch is based on the current master.

Christian

From ee1bb0384eecfa6d6fe7770c44d54474b0d55951 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 21 May 2015 12:42:27 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy
  dependencies are already satisfied.
- The service can be globally toggled with the boolean attribute
  ipaKDCproxyEnabled in cn=ipaConfig,cn=etc. The switch is supported by
  ipa config-mod --enable-kdcproxy.
- The installers and update create a new Apache config file
  ipa-kdc-proxy.conf that mounts a WSGI app at /KdcProxy. The app is run
  inside its own WSGI daemon group.
- The WSGI app at /KdcProxy is a WSGI wrapper that checks the state of
  the switch. When ipaKDCproxyEnabled is FALSE, an HTTP 404 error is
  returned. For performance reasons the flag is only checked at start
  of the WSGI app. Apache must be reloaded or restarted to read the
  switch state again.
- The WSGI app uses the Apache principal to acquire a Kerberos ticket to
  perform GSSAPI bindings for the LDAP query of ipaKDCproxyEnabled.
- The WSGI wrapper script sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  locations of the KDC and KPASSWD servers are read from /etc/krb5.conf.

Changes since patch 1:
- Further simplify krb ticket code
  Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are sufficient
  for the GSSAPI. http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of
  cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc
- add service principal KDCPROXY
- add own keytab /etc/ipa/kdcproxy/kdcproxy.keytab
- add permission 'System: Read IPA Masters KDC Proxy'
- add privilege 'IPA Masters KDC Proxy Readers'
- add ipa-ldap-updater scripts to enable/disable KDC Proxy
- Create a separate user and group account
  The KDC Proxy WSGI app now uses a separate user account to run the
  daemon process. The keytab is only readable by that user, too.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801
---
 ACI.txt|   4 +-
 API.txt|   3 +-
 freeipa.spec.in|  25 +++
 install/conf/Makefile.am   |   1 +
 install/conf/ipa-kdc-proxy.conf|  14 ++
 install/conf/ipa.conf  |   6 +-
 install/share/60ipaconfig.ldif |   4 +-
 install/share/Makefile.am  |   2 +
 install/share/kdcproxy-disable.ldif|   3 +
 install/share/kdcproxy-enable.ldif |   6 +
 install/share/kdcproxy.conf|   4 +
 install/share/kdcproxyshim.py  | 161 +
 install/ui/src/freeipa/serverconfig.js |   4 +
 install/updates/40-delegation.update   |   7 +
 install/updates/50-ipaconfig.update|   4 +
 ipalib/plugins/config.py   |   8 +-
 ipaplatform/base/paths.py  |   4 +-
 ipaserver/install/ipa_backup.py|   1 +
 ipaserver/install/kdcproxyinstance.py  | 201 +
 .../install/plugins/update_managed_permissions.py  |  11 ++
 ipaserver/install/server/install.py|   8 +-
 ipaserver/install/server/replicainstall.py |   9 +-
 ipaserver/install/server/upgrade.py|   8 +
 23 files changed, 488 insertions(+), 10 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf
 create mode 100644 install/share/kdcproxy-disable.ldif
 create mode 100644 install/share/kdcproxy-enable.ldif
 create mode 100644 install/share/kdcproxy.conf
 create mode 100644 install/share/kdcproxyshim.py
 create mode 100644 ipaserver/install/kdcproxyinstance.py

diff --git a/ACI.txt b/ACI.txt
index 59173ac1b593f15e079c7b1fce43ec9b0084ec91..974a0b7da60bc8cecbe5b7712033e2c1a07d65fb 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -31,7 +31,7 @@ aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilte
 dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targe

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-05-29 Thread Christian Heimes
Changes since patch 1:
- Further simplify krb ticket code
  Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are
  sufficient for the GSSAPI.
  http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of
  cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc
- add service principal KDCPROXY
- add own keytab /etc/ipa/kdcproxy/kdcproxy.keytab
- add permission 'System: Read IPA Masters KDC Proxy'
- add privilege 'IPA Masters KDC Proxy Readers'
- add ipa-ldap-updater scripts to enable/disable KDC Proxy
- Create a separate user and group account
  The KDC Proxy WSGI app now uses a separate user account to run the
  daemon process. The keytab is only readable by that user, too.
From 32b64b8b385853c04158596d010bb8977e2e03a8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 21 May 2015 12:42:27 +0200
Subject: [PATCH] Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.2.1. All kdcproxy
  dependencies are already satisfied.
- The service can be globally toggled with the boolean attribute
  ipaKDCproxyEnabled in cn=ipaConfig,cn=etc. The switch is supported by
  ipa config-mod --enable-kdcproxy.
- The installers and update create a new Apache config file
  ipa-kdc-proxy.conf that mounts a WSGI app at /KdcProxy. The app is run
  inside its own WSGI daemon group.
- The WSGI app at /KdcProxy is a WSGI wrapper that checks the state of
  the switch. When ipaKDCproxyEnabled is FALSE, an HTTP 404 error is
  returned. For performance reasons the flag is only checked at the start
  of the WSGI app. Apache must be reloaded or restarted to read the
  switch state again.
- The WSGI app uses the Apache principal to acquire a Kerberos ticket to
  perform GSSAPI bindings for the LDAP query of ipaKDCproxyEnabled.
- The WSGI wrapper script sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  locations of the KDC and KPASSWD servers are read from /etc/krb5.conf.

Changes since patch 1:
- Further simplify krb ticket code
  Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are sufficient
  for the GSSAPI. http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of
  cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc
- add service principal KDCPROXY
- add own keytab /etc/ipa/kdcproxy/kdcproxy.keytab
- add permission 'System: Read IPA Masters KDC Proxy'
- add privilege 'IPA Masters KDC Proxy Readers'
- add ipa-ldap-updater scripts to enable/disable KDC Proxy
- Create a separate user and group account
  The KDC Proxy WSGI app now uses a separate user account to run the
  daemon process. The keytab is only readable by that user, too.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801
---
 ACI.txt|   4 +-
 API.txt|   3 +-
 freeipa.spec.in|  25 +++
 install/conf/Makefile.am   |   1 +
 install/conf/ipa-kdc-proxy.conf|  14 ++
 install/conf/ipa.conf  |   6 +-
 install/share/60ipaconfig.ldif |   4 +-
 install/share/Makefile.am  |   2 +
 install/share/kdcproxy-disable.ldif|   3 +
 install/share/kdcproxy-enable.ldif |   6 +
 install/share/kdcproxy.conf|   4 +
 install/share/kdcproxyshim.py  | 161 +
 install/ui/src/freeipa/serverconfig.js |   4 +
 install/updates/40-delegation.update   |   7 +
 install/updates/50-ipaconfig.update|   4 +
 ipalib/plugins/config.py   |   8 +-
 ipaplatform/base/paths.py  |   4 +-
 ipaserver/install/ipa_backup.py|   1 +
 ipaserver/install/kdcproxyinstance.py  | 201 +
 .../install/plugins/update_managed_permissions.py  |  11 ++
 ipaserver/install/server/install.py|   8 +-
 ipaserver/install/server/replicainstall.py |   9 +-
 ipaserver/install/server/upgrade.py|   8 +
 23 files changed, 488 insertions(+), 10 deletions(-)
 create mode 100644 install/conf/ipa-kdc-proxy.conf
 create mode 100644 install/share/kdcproxy-disable.ldif
 create mode 100644 install/share/kdcproxy-enable.ldif
 create mode 100644 install/share/kdcproxy.conf
 create mode 100644 install/share/kdcproxyshim.py
 create mode 100644 ipaserver/install/kdcproxyinstance.py

diff --git a/ACI.txt b/ACI.txt
index 3c4ebde5b3ac2eb0b8e9465c5f2bd74f5bdbfb01..3d586876a525ec3d3b20cdab0d8e09542dd418a3 100644
--- a/ACI.