-rw-r--r-- | API.txt | 2 | ||||
-rw-r--r-- | VERSION | 4 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.c | 9 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb.h | 1 | ||||
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 23 | ||||
-rw-r--r-- | ipalib/plugins/config.py | 3 |
6 files changed, 32 insertions, 10 deletions
@@ -766,7 +766,7 @@ args: 0,25,3
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'))
 option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
 option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
 option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=163
-# Last change: jcholast - replica install: add remote connection check over API
+IPA_API_VERSION_MINOR=164
+# Last change: simo - add optional string to disable preauth for SPNs
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 3d5e15680..fbcb03bee 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -261,12 +261,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
                             vals[i]->bv_val, vals[i]->bv_len) == 0) {
                 ipactx->config.disable_last_success = true;
                 continue;
-            }
-
-            if (strncasecmp("KDC:Disable Lockout",
-                            vals[i]->bv_val, vals[i]->bv_len) == 0) {
+            } else if (strncasecmp("KDC:Disable Lockout",
+                                   vals[i]->bv_val, vals[i]->bv_len) == 0) {
                 ipactx->config.disable_lockout = true;
                 continue;
+            } else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
+                                   vals[i]->bv_val, vals[i]->bv_len) == 0) {
+                ipactx->config.disable_preauth_for_spns = true;
             }
         }
     }
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index a6f448150..1fdb409df 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -93,6 +93,7 @@ struct ipadb_global_config {
     bool disable_lockout;
     char **authz_data;
     enum ipadb_user_auth user_auth;
+    bool disable_preauth_for_spns;
 };
 
 struct ipadb_context {
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 629f81932..e32be856a 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -921,6 +921,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
     return 0;
 }
 
+static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
+                                        krb5_db_entry *entry)
+{
+    const struct ipadb_global_config *config;
+    struct ipadb_e_data *ied;
+
+    config = ipadb_get_global_config(ipactx);
+    if (config->disable_preauth_for_spns) {
+        ied = (struct ipadb_e_data *)entry->e_data;
+        if (ied && ied->ipa_user != true) {
+            /* not a user, assume SPN */
+            return 0;
+        }
+    }
+
+    /* By default require preauth for all principals */
+    return KRB5_KDB_REQUIRES_PRE_AUTH;
+}
+
 static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
                                               LDAPMessage *lentry,
                                               krb5_db_entry *entry,
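Review bot: The new `KDC:Disable Default Preauth for SPNs` branch inherits the prefix-match semantics of its siblings: `strncasecmp(literal, bv_val, bv_len)` compares only `bv_len` bytes, so a stored value that is a proper prefix of the literal (for example `KDC:Disable Default`) also switches the flag on. The CLI restricts the attribute to the StrEnum values, so this needs a direct LDAP write, but for a value that relaxes a KDC security control an exact-length guard is cheap: `vals[i]->bv_len == strlen("KDC:Disable Default Preauth for SPNs") && strncasecmp("KDC:Disable Default Preauth for SPNs", vals[i]->bv_val, vals[i]->bv_len) == 0`. I would also log at startup when this branch matches, so an operator can see from the KDC log that pre-authentication is no longer enforced for non-user principals. Stylistically the two earlier branches end with `continue;` and this one does not; harmless as the last branch, but worth aligning. The enclosing loop and ipadb_load_global_config start before the hunk.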
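Review bot: `maybe_require_preauth` returns 0 for every entry whose `e_data` says `ipa_user` is false, not only for service principals, and the comment `/* not a user, assume SPN */` understates that; any non-user object the backend hands back (hosts included, if they carry e_data) loses KRB5_KDB_REQUIRES_PRE_AUTH once the option is set. Without that flag the KDC answers an AS-REQ for the principal without proving the client holds the key, so the returned material can be attacked offline; the toggle is only acceptable where those principals' keys are random keytab keys rather than password-derived, and the function's header comment should say so. Suggested wording above the function: `/* Decide whether this entry must pre-authenticate. Only when the admin set KDC:Disable Default Preauth for SPNs, and only for entries whose e_data marks them as non-users, is the requirement dropped; entries without e_data keep the default. Safe only if such principals never have password-derived keys. */`. Minor style: `ied->ipa_user != true` reads more naturally as `!ied->ipa_user`.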
@@ -991,7 +1010,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
             if (ret == 0) {
                 entry->attributes |= result;
             } else {
-                entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+                entry->attributes |= maybe_require_preauth(ipactx, entry);
             }
         }
     }
@@ -1007,7 +1026,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
         entry->max_renewable_life = 604800;
     }
     if (polmask & TKTFLAGS_BIT) {
-        entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
+        entry->attributes |= maybe_require_preauth(ipactx, entry);
     }
 
     kerr = 0;
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index 4c8c2dd44..848b41e7b 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -205,7 +205,8 @@ class config(LDAPObject):
             label=_('Password plugin features'),
             doc=_('Extra hashes to generate in password plug-in'),
             values=(u'AllowNThash',
-                    u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
+                    u'KDC:Disable Last Success', u'KDC:Disable Lockout',
+                    u'KDC:Disable Default Preauth for SPNs'),
             csv=True,
         ),
         Str('ipaselinuxusermaporder',
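Review bot: The new value is exposed under the label `Password plugin features` with the doc `Extra hashes to generate in password plug-in`, which says nothing about what `KDC:Disable Default Preauth for SPNs` does or that it relaxes a KDC security control, so an administrator reading the `ipa config-mod` help cannot tell this is a security-sensitive toggle. The doc string should at least name the effect, e.g. `doc=_('Extra hashes to generate in password plug-in; KDC:* values change KDC behaviour (KDC:Disable Default Preauth for SPNs stops requiring pre-authentication for non-user principals)')`. The enclosing `StrEnum(...)` parameter and the `config` class start before the hunk.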