author | Rob Crittenden <rcritten@redhat.com> | 2012-02-15 17:06:54 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-02-15 17:08:33 +0100 |
commit | 2da6d6e7460b932f406b7f0632320433f9f98a85 (patch) | |
tree | b48904578e589bfc942bd1f7150a57fd61e718c6 /ipalib/rpc.py | |
parent | 95b1848f199a8f17936faac921d7b9495f90645b (diff) | |
Don't set delegation flag in client, we're using S4U2Proxy now
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
Diffstat (limited to 'ipalib/rpc.py')
-rw-r--r-- | ipalib/rpc.py | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index abfa44e8..d8fee563 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -232,6 +232,7 @@ class KerbTransport(SSLTransport):
     """
     Handles Kerberos Negotiation authentication to an XML-RPC server.
     """
+    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
 
     def _handle_exception(self, e, service=None):
         (major, minor) = ipautil.get_gsserror(e)
@@ -257,10 +258,7 @@ class KerbTransport(SSLTransport):
         service = "HTTP@" + host.split(':')[0]
 
         try:
-            (rc, vc) = kerberos.authGSSClientInit(service,
-                kerberos.GSS_C_DELEG_FLAG |
-                kerberos.GSS_C_MUTUAL_FLAG |
-                kerberos.GSS_C_SEQUENCE_FLAG)
+            (rc, vc) = kerberos.authGSSClientInit(service, self.flags)
         except kerberos.GSSError, e:
             self._handle_exception(e)
 
@@ -284,6 +282,14 @@ class KerbTransport(SSLTransport):
 
         return (host, extra_headers, x509)
 
+class DelegatedKerbTransport(KerbTransport):
+    """
+    Handles Kerberos Negotiation authentication and TGT delegation to an
+    XML-RPC server.
+    """
+    flags = kerberos.GSS_C_DELEG_FLAG | kerberos.GSS_C_MUTUAL_FLAG | \
+        kerberos.GSS_C_SEQUENCE_FLAG
+
 class xmlclient(Connectible):
     """
     Forwarding backend plugin for XML-RPC client.
@@ -303,7 +309,7 @@ class xmlclient(Connectible):
         """
         if not hasattr(self.conn, '_ServerProxy__transport'):
             return None
-        if isinstance(self.conn._ServerProxy__transport, KerbTransport):
+        if type(self.conn._ServerProxy__transport) in (KerbTransport, DelegatedKerbTransport):
             scheme = "https"
         else:
             scheme = "http"
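Review bot: The DelegatedKerbTransport docstring does not say what "TGT delegation" costs: GSS_C_DELEG_FLAG ships the user's forwardable TGT to the IPA server, which can then obtain service tickets as that user anywhere in the realm until the TGT expires — the behavior the commit message says S4U2Proxy was adopted to avoid. I would extend the docstring with `Requests GSS_C_DELEG_FLAG, so the client's forwardable TGT is sent to the server, which can then act as the user for the TGT's lifetime.` and `Prefer KerbTransport (S4U2Proxy) unless the server cannot use it.` Whether the library actually forwards the credential may also depend on the krb5 client configuration and the service's ok-as-delegate setting, so the class should not be assumed to guarantee delegation.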
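Review bot: The `isinstance` test that this hunk replaces already matched DelegatedKerbTransport, because it subclasses KerbTransport; the new `type(...) in (KerbTransport, DelegatedKerbTransport)` test is an exact-type comparison that gains nothing and will silently classify any further KerbTransport subclass as plain `"http"`. I would keep the original line, `if isinstance(self.conn._ServerProxy__transport, KerbTransport):`, which covers both transports and any future one. The enclosing method begins outside the hunk, so I cannot see what the scheme value feeds, but a wrong "http" answer here is the kind of thing that quietly changes how a connection is treated.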
@@ -337,14 +343,18 @@ class xmlclient(Connectible):
 
         return servers
 
-    def create_connection(self, ccache=None, verbose=False, fallback=True):
+    def create_connection(self, ccache=None, verbose=False, fallback=True,
+                          delegate=False):
         servers = self.get_url_list()
         serverproxy = None
         for server in servers:
             kw = dict(allow_none=True, encoding='UTF-8')
             kw['verbose'] = verbose
             if server.startswith('https://'):
-                kw['transport'] = KerbTransport()
+                if delegate:
+                    kw['transport'] = DelegatedKerbTransport()
+                else:
+                    kw['transport'] = KerbTransport()
             else:
                 kw['transport'] = LanguageAwareTransport()
             self.log.info('trying %s' % server)
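Review bot: The new `delegate` parameter is undocumented, and nothing tells a caller that it forwards the user's TGT to the server or that it is silently ignored for servers reached over plain `http://`, where LanguageAwareTransport is chosen regardless. I would add a docstring under the signature: `"""Create a server proxy; on https servers, delegate=True selects DelegatedKerbTransport, which forwards the user's TGT to the server (ignored for http servers)."""` create_connection's body continues past the end of the hunk, so I cannot see how ccache and fallback are applied; the docstring should cover those once the rest of the method is in view.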