authorRob Crittenden <rcritten@redhat.com>2011-12-08 14:23:18 -0500
committerMartin Kosek <mkosek@redhat.com>2012-02-15 17:09:37 +0100
commitabd3ae2a82c5e6e5e9a26038ba532494068c0ffa (patch)
treee4e63f0a6703b1f07611b5e4ffb84285b2120462
parent1fb034bfed09e60bcf9336328b8eb55f5ad49f11 (diff)
Don't set delegation flag in client, we're using S4U2Proxy now
A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
-rw-r--r--freeipa.spec.in15
-rw-r--r--install/share/bootstrap-template.ldif2
-rw-r--r--ipa.13
-rw-r--r--ipalib/backend.py2
-rw-r--r--ipalib/constants.py1
-rw-r--r--ipalib/plugable.py5
-rw-r--r--ipalib/rpc.py24
7 files changed, 34 insertions, 18 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6c92747b..06e7d9e3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -92,17 +92,13 @@ Requires(pre): 389-ds-base >= 1.2.10-0.5.a5
Requires: openldap-clients
Requires: nss
Requires: nss-tools
-%if 0%{?fedora} >= 16
-Requires: krb5-server >= 1.9.1-15
-%else
-Requires: krb5-server
-%endif
+Requires: krb5-server >= 1.9.2-6
Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: httpd
Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-9
+Requires: mod_auth_kerb >= 5.4-8
Requires: mod_nss >= 1.0.8-10
Requires: python-ldap
Requires: python-krbV
@@ -665,11 +661,14 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
-* Wed Jan 11 2012 Simo Sorce <simo@redhat.com? - 2.2.0-7
+* Tue Jan 31 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-8
+- Set min for krb5-server to 1.9.2-6 to pick up needed s4u2proxy patches
+
+* Wed Jan 11 2012 Simo Sorce <simo@redhat.com> - 2.2.0-7
- Remove dependency on samba4 libs
* Wed Jan 11 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-6
-- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
+- Set min for mod_auth_kerb to 5.4-8 to pick up s4u2proxy support
* Tue Jan 10 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.2.0-5
- Fix dependency for samba4-devel package
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index b58bfd7e..e33f0657 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -174,7 +174,7 @@ objectClass: groupOfPrincipals
objectClass: top
cn: ipa-http-delegation
memberPrincipal: HTTP/$HOST@$REALM
-ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
changetype: add
diff --git a/ipa.1 b/ipa.1
index a5592b9a..e9946b82 100644
--- a/ipa.1
+++ b/ipa.1
@@ -37,6 +37,9 @@ Load configuration from \fIFILE\fR.
\fB\-d\fR, \fB\-\-debug\fR
Produce full debugging output.
.TP
+\fB\-\-\-delegate\fR
+Delegate the user's TGT to the IPA server
+.TP
\fB\-e\fR \fIKEY=VAL\fR
Set environmental variable \fIKEY\fR to the value \fIVAL\fR. This option overrides configuration files.
.TP
diff --git a/ipalib/backend.py b/ipalib/backend.py
index 79f19083..7ed378e8 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -110,7 +110,7 @@ class Executioner(Backend):
self.Backend.ldap2.connect(ccache=ccache)
else:
self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
- fallback=self.env.fallback)
+ fallback=self.env.fallback, delegate=self.env.delegate)
if client_ip is not None:
setattr(context, "client_ip", client_ip)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 7a1e3d2e..899c765f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -139,6 +139,7 @@ DEFAULT_CONFIG = (
('prompt_all', False),
('interactive', True),
('fallback', True),
+ ('delegate', False),
# Enable certain optional plugins:
('enable_ra', False),
diff --git a/ipalib/plugable.py b/ipalib/plugable.py
index e0b6e7f9..4d001102 100644
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -530,6 +530,9 @@ class API(DictProxy):
parser.add_option('-d', '--debug', action='store_true',
help='Produce full debuging output',
)
+ parser.add_option('--delegate', action='store_true',
+ help='Delegate the TGT to the IPA server',
+ )
parser.add_option('-v', '--verbose', action='count',
help='Produce more verbose output. A second -v displays the XML-RPC request',
)
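Review bot: The help string on the new `--delegate` option names the mechanism but says nothing about when it is needed or what it hands over; per the commit message the flag exists only to restore the pre-S4U2Proxy behaviour, and enabling it forwards the user's TGT to the IPA server. Suggest `help='Forward the user TGT to the IPA server (only needed for servers without S4U2Proxy support)'` so the option is not switched on casually. The enclosing function starts and ends outside the hunk.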
@@ -570,7 +573,7 @@ class API(DictProxy):
pass
overrides[str(key.strip())] = value.strip()
for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
- 'fallback'):
+ 'fallback', 'delegate'):
value = getattr(options, key, None)
if value is not None:
overrides[key] = value
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index abfa44e8..d8fee563 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -232,6 +232,7 @@ class KerbTransport(SSLTransport):
"""
Handles Kerberos Negotiation authentication to an XML-RPC server.
"""
+ flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
def _handle_exception(self, e, service=None):
(major, minor) = ipautil.get_gsserror(e)
@@ -257,10 +258,7 @@ class KerbTransport(SSLTransport):
service = "HTTP@" + host.split(':')[0]
try:
- (rc, vc) = kerberos.authGSSClientInit(service,
- kerberos.GSS_C_DELEG_FLAG |
- kerberos.GSS_C_MUTUAL_FLAG |
- kerberos.GSS_C_SEQUENCE_FLAG)
+ (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
except kerberos.GSSError, e:
self._handle_exception(e)
@@ -284,6 +282,14 @@ class KerbTransport(SSLTransport):
return (host, extra_headers, x509)
+class DelegatedKerbTransport(KerbTransport):
+ """
+ Handles Kerberos Negotiation authentication and TGT delegation to an
+ XML-RPC server.
+ """
+ flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \
+ kerberos.GSS_C_SEQUENCE_FLAG
+
class xmlclient(Connectible):
"""
Forwarding backend plugin for XML-RPC client.
@@ -303,7 +309,7 @@ class xmlclient(Connectible):
"""
if not hasattr(self.conn, '_ServerProxy__transport'):
return None
- if isinstance(self.conn._ServerProxy__transport, KerbTransport):
+ if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
scheme = "https"
else:
scheme = "http"
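Review bot: Replacing `isinstance` with an exact-type tuple check on the transport is a step backwards: `isinstance(..., KerbTransport)` already matched `DelegatedKerbTransport`, which subclasses it, and the new form silently falls back to `scheme = "http"` for any further subclass of either transport. The original single line `if isinstance(self.conn._ServerProxy__transport, KerbTransport):` covers both classes and needs no edit when another transport is added. The enclosing method starts and ends outside the hunk.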
@@ -337,14 +343,18 @@ class xmlclient(Connectible):
return servers
- def create_connection(self, ccache=None, verbose=False, fallback=True):
+ def create_connection(self, ccache=None, verbose=False, fallback=True,
+ delegate=False):
servers = self.get_url_list()
serverproxy = None
for server in servers:
kw = dict(allow_none=True, encoding='UTF-8')
kw['verbose'] = verbose
if server.startswith('https://'):
- kw['transport'] = KerbTransport()
+ if delegate:
+ kw['transport'] = DelegatedKerbTransport()
+ else:
+ kw['transport'] = KerbTransport()
else:
kw['transport'] = LanguageAwareTransport()
self.log.info('trying %s' % server)
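Review bot: The new `delegate` parameter of `create_connection` is undocumented, and its effect is easy to misread: it selects `DelegatedKerbTransport` only under the `https://` branch, so for an `http://` server the flag is silently ignored. Add a docstring under the signature describing `ccache`, `verbose`, `fallback` and `delegate`, stating for `delegate` that it forwards the caller's TGT to the server and is honoured only for https URLs; alternatively emit a log line when `delegate` is set but a non-https server is chosen. The function's body continues past the hunk.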