authorSimo Sorce <simo@redhat.com>2015-11-24 14:02:01 -0500
committerSimo Sorce <simo@redhat.com>2015-12-11 15:20:52 -0500
commit49b1d167ec3a39328630a8febd247ce48f2d8dce (patch)
tree49e75f12ff667890f68ea2b9b5a4bf629e2d34ed
parent347fb7cea4676e61cb4d50ce5448bbd0842fd4d1 (diff)
downloadfreeipa-49b1d167ec3a39328630a8febd247ce48f2d8dce.tar.gz
freeipa-49b1d167ec3a39328630a8febd247ce48f2d8dce.tar.xz
freeipa-49b1d167ec3a39328630a8febd247ce48f2d8dce.zip
Disable User's ability to use the setkeytab exop.
Users can still obtain a keytab for themselves using the getkeytab exop which does not circumvent password policy checks. Users are disallowed from using setkeytab by default in new installations but not in existing installations (no forced upgrade). Signed-off-by: Simo Sorce <simo@redhat.com> Ticket: https://fedorahosted.org/freeipa/ticket/5485
-rw-r--r--API.txt2
-rw-r--r--VERSION4
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c4
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c18
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h1
-rw-r--r--install/share/bootstrap-template.ldif1
-rw-r--r--ipalib/plugins/config.py2
7 files changed, 27 insertions, 5 deletions
diff --git a/API.txt b/API.txt
index 8f166eb4a..0231ff758 100644
--- a/API.txt
+++ b/API.txt
@@ -766,7 +766,7 @@ args: 0,25,3
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
-option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'DisableSetKeytab', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
+option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'DisableSetKeytab', u'DisableUserSetKeytab', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)
diff --git a/VERSION b/VERSION
index b7f261b5c..d6c489fff 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=161
-# Last change: pvoborni - topologysuffix: change iparepltopomanagedsuffix type
+IPA_API_VERSION_MINOR=162
+# Last change: simo - Disable User's ability to use the setkeytab exop.
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
index f79c0b4a6..9a5617674 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
@@ -233,6 +233,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
/* get the ipa etc/ipaConfig entry */
config->allow_nt_hash = false;
config->disable_setkeytab = false;
+ config->disable_user_setkeytab = false;
ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
if (ret != LDAP_SUCCESS) {
LOG_FATAL("No config Entry?\n");
@@ -247,6 +248,9 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
} else if (strcasecmp(tmparray[i], "DisableSetKeytab") == 0) {
config->disable_setkeytab = true;
continue;
+ } else if (strcasecmp(tmparray[i], "DisableUserSetKeytab") == 0) {
+ config->disable_user_setkeytab = true;
+ continue;
}
}
if (tmparray) slapi_ch_array_free(tmparray);
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index aa45ed3e7..a910625ce 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -661,7 +661,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal)
Slapi_PBlock *pb = NULL;
char *attrlist[] = { "krbPrincipalKey", "krbLastPwdChange",
"userPassword", "krbPrincipalName",
- "enrolledBy", NULL };
+ "enrolledBy", "objectClass", NULL };
Slapi_Entry **es = NULL;
int res, ret, i;
Slapi_Entry *entry = NULL;
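Review bot: The "objectClass" entry added to attrlist exists only so that a later caller can test the entry's object classes, but nothing in get_entry_by_principal records that dependency, and if this lookup is what produces targetEntry for the DisableUserSetKeytab check then removing the attribute again would make that check fail open (the attribute is simply absent, so the check never fires). A comment on the line would keep the two together: `"enrolledBy", "objectClass", /* objectClass: read by the DisableUserSetKeytab check in ipapwd_setkeytab; dropping it disables that check */ NULL };`. get_entry_by_principal continues past the end of this hunk.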
@@ -1217,6 +1217,22 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
goto free_and_return;
}
+ /* Check if setkeytab is disabled for users */
+ if (krbcfg->disable_user_setkeytab) {
+ Slapi_Value *val;
+
+ val = slapi_value_new_string("person");
+ rc = slapi_entry_attr_has_syntax_value(targetEntry,
+ "objectClass", val);
+ slapi_value_free(&val);
+
+ if (rc == 1) {
+ errMesg = "Operation administratively disabled.\n";
+ rc = LDAP_UNWILLING_TO_PERFORM;
+ goto free_and_return;
+ }
+ }
+
/* Accesseck strategy:
* If the user has WRITE access, a new keytab can be set on the entry.
* If not, then we fail immediately with insufficient access. This
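Review bot: The new guard keys on the target entry's objectClass rather than on the identity of the requester, so once DisableUserSetKeytab is set nobody, including an administrator who would pass the WRITE-access check that follows, can set keys on an entry carrying objectClass person; the commit title reads as if only a user's own use of the exop were blocked, and the one-line comment should make the real scope explicit. Suggested replacement for `/* Check if setkeytab is disabled for users */`: `/* DisableUserSetKeytab: refuse setkeytab for any target with objectClass person (user entries), whoever the requester is; users can still use the getkeytab exop, which is subject to password policy. */`. The error string ends in a literal `\n`, which presumably mirrors the existing DisableSetKeytab branch outside this hunk; worth confirming the two match so clients see a consistent message. ipapwd_setkeytab begins and ends outside the hunk.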
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index a6a85d78d..363669496 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -110,6 +110,7 @@ struct ipapwd_krbcfg {
int num_passsync_mgrs;
bool allow_nt_hash;
bool disable_setkeytab;
+ bool disable_user_setkeytab;
};
int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 628a8e2e0..cd4599e5e 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -398,6 +398,7 @@ ipaUserObjectClasses: ipasshuser
ipaDefaultEmailDomain: $DOMAIN
ipaMigrationEnabled: FALSE
ipaConfigString: AllowNThash
+ipaConfigString: DisableUserSetKeytab
ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index ce7966bf5..a6b4d4349 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -201,7 +201,7 @@ class config(LDAPObject):
label=_('Password plugin features'),
doc=_('Extra hashes to generate in password plug-in'),
values=(u'AllowNThash',
- u'DisableSetKeytab',
+ u'DisableSetKeytab', u'DisableUserSetKeytab',
u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
csv=True,
),
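Review bot: The `doc=` text two lines above the change, `Extra hashes to generate in password plug-in`, describes only the first of the five values; DisableUserSetKeytab, like the DisableSetKeytab and KDC entries already listed, is a feature flag rather than a hash, so the help shown to an administrator is misleading. Either widen it, e.g. `doc=_('Extra hashes to generate and feature flags honoured by the password plug-in')`, or split the flags into their own option; the `label` already says "Password plugin features", which fits the broader meaning.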