author | Rob Crittenden <rcritten@redhat.com> | 2011-12-08 14:23:18 -0500 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-02-15 17:09:37 +0100 |
commit | abd3ae2a82c5e6e5e9a26038ba532494068c0ffa (patch) | |
tree | e4e63f0a6703b1f07611b5e4ffb84285b2120462 | |
parent | 1fb034bfed09e60bcf9336328b8eb55f5ad49f11 (diff) | |
Don't set delegation flag in client, we're using S4U2Proxy now
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
-rw-r--r-- | freeipa.spec.in | 15 | ||||
-rw-r--r-- | install/share/bootstrap-template.ldif | 2 | ||||
-rw-r--r-- | ipa.1 | 3 | ||||
-rw-r--r-- | ipalib/backend.py | 2 | ||||
-rw-r--r-- | ipalib/constants.py | 1 | ||||
-rw-r--r-- | ipalib/plugable.py | 5 | ||||
-rw-r--r-- | ipalib/rpc.py | 24 |
7 files changed, 34 insertions, 18 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6c92747b..06e7d9e3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -92,17 +92,13 @@ Requires(pre): 389-ds-base >= 1.2.10-0.5.a5
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
-%if 0%{?fedora} >= 16
-Requires: krb5-server >= 1.9.1-15
-%else
-Requires: krb5-server
-%endif
+Requires: krb5-server >= 1.9.2-6
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-9
+Requires: mod_auth_kerb >= 5.4-8
 Requires: mod_nss >= 1.0.8-10
 Requires: python-ldap
 Requires: python-krbV
@@ -665,11 +661,14 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 %changelog
-* Wed Jan 11 2012 Simo Sorce <simo@redhat.com? - 2.2.0-7
+* Tue Jan 31 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-8
+- Set min for krb5-server to 1.9.2-6 to pick up needed s4u2proxy patches
+
+* Wed Jan 11 2012 Simo Sorce <simo@redhat.com> - 2.2.0-7
 - Remove dependency on samba4 libs
 * Wed Jan 11 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-6
-- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
+- Set min for mod_auth_kerb to 5.4-8 to pick up s4u2proxy support
 * Tue Jan 10 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.2.0-5
 - Fix dependency for samba4-devel package
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index b58bfd7e..e33f0657 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -174,7 +174,7 @@ objectClass: groupOfPrincipals
 objectClass: top
 cn: ipa-http-delegation
 memberPrincipal: HTTP/$HOST@$REALM
-ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: add
@@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR.
 \fB\-d\fR, \fB\-\-debug\fR
 Produce full debugging output.
 .TP
+\fB\-\-\-delegate\fR
+Delegate the user's TGT to the IPA server
+.TP
 \fB\-e\fR \fIKEY=VAL\fR
 Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files.
 .TP
diff --git a/ipalib/backend.py b/ipalib/backend.py
index 79f19083..7ed378e8 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -110,7 +110,7 @@ class Executioner(Backend):
 self.Backend.ldap2.connect(ccache=ccache)
 else:
 self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
- fallback=self.env.fallback)
+ fallback=self.env.fallback, delegate=self.env.delegate)
 if client_ip is not None:
 setattr(context, "client_ip", client_ip)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 7a1e3d2e..899c765f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -139,6 +139,7 @@ DEFAULT_CONFIG = (
 ('prompt_all', False),
 ('interactive', True),
 ('fallback', True),
+ ('delegate', False),
 # Enable certain optional plugins:
 ('enable_ra', False),
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index e0b6e7f9..4d001102 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -530,6 +530,9 @@ class API(DictProxy):
 parser.add_option('-d', '--debug', action='store_true',
 help='Produce full debuging output',
 )
+ parser.add_option('--delegate', action='store_true',
+ help='Delegate the TGT to the IPA server',
+ )
 parser.add_option('-v', '--verbose', action='count',
 help='Produce more verbose output. A second -v displays the XML-RPC request',
 )
@@ -570,7 +573,7 @@ class API(DictProxy):
 pass
 overrides[str(key.strip())] = value.strip()
 for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
- 'fallback'):
+ 'fallback', 'delegate'):
 value = getattr(options, key, None)
 if value is not None:
 overrides[key] = value
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index abfa44e8..d8fee563 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
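Review bot: The help text for the new `--delegate` option in the plugable.py hunk (`help='Delegate the TGT to the IPA server'`) does not tell the user what they are handing over or when the flag is needed; per the commit message it is only the legacy path, S4U2Proxy being the default now. A forwarded TGT lets the server obtain tickets on the user's behalf, so the option text should say so and point at the condition for using it, e.g. `help='Forward the user TGT to the IPA server (legacy; only needed when the server does not use S4U2Proxy)'`. The ipa.1 hunk on the same page documents the option as `\fB\-\-\-delegate\fR`, which renders as three hyphens and does not match the `--delegate` option added here; it should read `\fB\-\-delegate\fR`. The option-parser method containing this hunk starts and ends outside it.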
@@ -232,6 +232,7 @@ class KerbTransport(SSLTransport):
 """
 Handles Kerberos Negotiation authentication to an XML-RPC server.
 """
+ flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
 def _handle_exception(self, e, service=None):
 (major, minor) = ipautil.get_gsserror(e)
@@ -257,10 +258,7 @@ class KerbTransport(SSLTransport):
 service = "HTTP@" + host.split(':')[0]
 try:
- (rc, vc) = kerberos.authGSSClientInit(service,
- kerberos.GSS_C_DELEG_FLAG |
- kerberos.GSS_C_MUTUAL_FLAG |
- kerberos.GSS_C_SEQUENCE_FLAG)
+ (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
 except kerberos.GSSError, e:
 self._handle_exception(e)
@@ -284,6 +282,14 @@ class KerbTransport(SSLTransport):
 return (host, extra_headers, x509)
+class DelegatedKerbTransport(KerbTransport):
+ """
+ Handles Kerberos Negotiation authentication and TGT delegation to an
+ XML-RPC server.
+ """
+ flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \
+ kerberos.GSS_C_SEQUENCE_FLAG
+
 class xmlclient(Connectible):
 """
 Forwarding backend plugin for XML-RPC client.
@@ -303,7 +309,7 @@ class xmlclient(Connectible):
 """
 if not hasattr(self.conn, '_ServerProxy__transport'):
 return None
- if isinstance(self.conn._ServerProxy__transport, KerbTransport):
+ if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
 scheme = "https"
 else:
 scheme = "http"
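Review bot: The last hunk in this file replaces an `isinstance` check with an exact-type test, `type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport)`, even though `DelegatedKerbTransport` subclasses `KerbTransport` and the original check already covered it; the new form silently reports "http" for any further subclass and is the less idiomatic test. I would keep the original line, `if isinstance(self.conn._ServerProxy__transport, KerbTransport):`. The new class-level `flags` on `KerbTransport` in the first hunk drops `GSS_C_DELEG_FLAG` without saying why, which a later reader may "fix" back; a comment above it such as `# No GSS_C_DELEG_FLAG: the server obtains tickets via S4U2Proxy; DelegatedKerbTransport keeps the legacy forwarding` would preserve the intent stated in the commit message. The method containing the scheme check starts outside the hunk.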
@@ -337,14 +343,18 @@ class xmlclient(Connectible):
 return servers
- def create_connection(self, ccache=None, verbose=False, fallback=True):
+ def create_connection(self, ccache=None, verbose=False, fallback=True,
+ delegate=False):
 servers = self.get_url_list()
 serverproxy = None
 for server in servers:
 kw = dict(allow_none=True, encoding='UTF-8')
 kw['verbose'] = verbose
 if server.startswith('https://'):
- if delegate:
+ kw['transport'] = DelegatedKerbTransport()
+ else:
+ kw['transport'] = KerbTransport()
 else:
 kw['transport'] = LanguageAwareTransport()
 self.log.info('trying %s' % server)
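Review bot: The new `delegate` parameter of `create_connection` is undocumented and is silently ignored for servers that are not `https://` (the `LanguageAwareTransport` branch), so a caller who asked for delegation gets a plain connection with no indication. A docstring on `create_connection` should state that `delegate=True` selects `DelegatedKerbTransport`, i.e. the user's TGT is forwarded to the server, that this is the legacy behaviour only needed where the server does not use S4U2Proxy, and that the flag has no effect on non-https servers; a `self.log.info` line in the `else:` branch when `delegate` is set would make the ignored request visible. The body of `create_connection` continues past the end of the hunk.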