Allow admins to disable preauth for SPNs.

Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

3 files changed, 27 insertions, 6 deletions

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 3d5e15680..fbcb03bee 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -261,12 +261,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
                             vals[i]->bv_val, vals[i]->bv_len) == 0) {
                 ipactx->config.disable_last_success = true;
                 continue;
-            }
-
-            if (strncasecmp("KDC:Disable Lockout",
-                            vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            } else if (strncasecmp("KDC:Disable Lockout",
+                                   vals[i]->bv_val, vals[i]->bv_len) == 0) {
                 ipactx->config.disable_lockout = true;
                 continue;
+            } else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
+                                   vals[i]->bv_val, vals[i]->bv_len) == 0) {
+                ipactx->config.disable_preauth_for_spns = true;
             }
         }
     }
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index a6f448150..1fdb409df 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -93,6 +93,7 @@ struct ipadb_global_config {
 	bool disable_lockout;
 	char **authz_data;
 	enum ipadb_user_auth user_auth;
+    bool disable_preauth_for_spns;
 };
 
 struct ipadb_context {
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 629f81932..e32be856a 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -921,6 +921,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
     return 0;
 }
 
+static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
+                                        krb5_db_entry *entry)
+{
+    const struct ipadb_global_config *config;
+    struct ipadb_e_data *ied;
+
+    config = ipadb_get_global_config(ipactx);
+    if (config->disable_preauth_for_spns) {
+        ied = (struct ipadb_e_data *)entry->e_data;
+        if (ied && ied->ipa_user != true) {
+            /* not a user, assume SPN */
+            return 0;
+        }
+    }
+
+    /* By default require preauth for all principals */
+    return KRB5_KDB_REQUIRES_PRE_AUTH;
+}
+
 static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
                                              LDAPMessage *lentry,
                                              krb5_db_entry *entry,
@@ -991,7 +1010,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
                 if (ret == 0) {
                     entry->attributes |= result;
                 } else {
-                    entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+                    entry->attributes |= maybe_require_preauth(ipactx, entry);
                 }
             }
         }
@@ -1007,7 +1026,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
             entry->max_renewable_life = 604800;
         }
         if (polmask & TKTFLAGS_BIT) {
-            entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+            entry->attributes |= maybe_require_preauth(ipactx, entry);
         }
 
         kerr = 0;