Configure HTTPD to work via Gss-Proxy

https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
author: Simo Sorce <simo@redhat.com> 2016-11-29 11:10:22 -0500
committer: Jan Cholasta <jcholast@redhat.com> 2017-02-15 07:13:37 +0100
commit: d2f5fc304f1938d23171ae330fa20b213ceed54e (patch)
tree: b77e05211632aef8e08cb3cd937d8498d9391ed5 /ipaserver
parent: b6741d81e187fc84177c12ef8ad900d3b5cda6a4 (diff)
download: freeipa-d2f5fc304f1938d23171ae330fa20b213ceed54e.tar.gz
freeipa-d2f5fc304f1938d23171ae330fa20b213ceed54e.tar.xz
freeipa-d2f5fc304f1938d23171ae330fa20b213ceed54e.zip
5 files changed, 29 insertions, 12 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index d07b32253..dddf097c0 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -129,10 +129,11 @@ class HTTPInstance(service.Service):
             api=api,
             service_prefix=u'HTTP',
             service_user=HTTPD_USER,
-            keytab=paths.IPA_KEYTAB)
+            keytab=paths.HTTP_KEYTAB)
 
         self.cert_nickname = cert_nickname
         self.ca_is_configured = True
+        self.keytab_user = constants.GSSPROXY_USER
 
     subject_base = ipautil.dn_attribute_property('_subject_base')
 
@@ -169,13 +170,15 @@ class HTTPInstance(service.Service):
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up httpd keytab", self._request_service_keytab)
         self.step("retrieving anonymous keytab", self.request_anon_keytab)
+        self.step("configuring Gssproxy", self.configure_gssproxy)
         self.step("setting up ssl", self.__setup_ssl)
         if self.ca_is_configured:
             self.step("configure certmonger for renewals",
                       self.configure_certmonger_renewal_guard)
         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
         self.step("publish CA cert", self.__publish_ca_cert)
-        self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+        self.step("clean up any existing httpd ccaches",
+                  self.remove_httpd_ccaches)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
         if not self.is_kdcproxy_configured():
             self.step("create KDC proxy user", create_kdcproxy_user)
@@ -205,13 +208,13 @@ class HTTPInstance(service.Service):
         except ipapython.errors.SetseboolError as e:
             self.print_msg(e.format_service_warning('web interface'))
 
-    def remove_httpd_ccache(self):
-        # Clean up existing ccache
+    def remove_httpd_ccaches(self):
+        # Clean up existing ccaches
         # Make sure that empty env is passed to avoid passing KRB5CCNAME from
         # current env
-        ipautil.run(
-            [paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False,
-            env={})
+        installutils.remove_file(paths.HTTP_CCACHE)
+        for f in os.listdir(paths.IPA_CCACHES):
+            os.remove(os.path.join(paths.IPA_CCACHES, f))
 
     def __configure_http(self):
         self.update_httpd_service_ipa_conf()
@@ -235,6 +238,10 @@ class HTTPInstance(service.Service):
         http_fd.close()
         os.chmod(target_fname, 0o644)
 
+    def configure_gssproxy(self):
+        tasks.configure_http_gssproxy_conf()
+        services.knownservices.gssproxy.restart()
+
     def change_mod_nss_port_from_http(self):
         # mod_ssl enforces SSLEngine on for vhost on 443 even though
         # the listener is mod_nss. This then crashes the httpd as mod_nss
@@ -541,8 +548,7 @@ class HTTPInstance(service.Service):
                 root_logger.debug(error)
 
         installutils.remove_keytab(self.keytab)
-        installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
-                                   run_as=self.service_user)
+        installutils.remove_file(paths.HTTP_CCACHE)
 
         # Remove the configuration files we create
         installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 4ba61e529..b2f2e2a9f 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -141,7 +141,7 @@ class Backup(admintool.AdminTool):
         paths.OPENLDAP_LDAP_CONF,
         paths.LIMITS_CONF,
         paths.HTTPD_PASSWORD_CONF,
-        paths.IPA_KEYTAB,
+        paths.HTTP_KEYTAB,
         paths.HTTPD_IPA_KDCPROXY_CONF,
         paths.HTTPD_IPA_PKI_PROXY_CONF,
         paths.HTTPD_IPA_REWRITE_CONF,
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 89cf9e609..d798654ea 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -413,7 +413,7 @@ class Restore(admintool.AdminTool):
                 self.log.info('Restarting SSSD')
                 sssd = services.service('sssd', api)
                 sssd.restart()
-                http.remove_httpd_ccache()
+                http.remove_httpd_ccaches()
         finally:
             try:
                 os.chdir(cwd)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 80abeba53..6919f521e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1431,6 +1431,14 @@ def update_ipa_httpd_service_conf(http):
     http.update_httpd_service_ipa_conf()
 
 
+def update_http_keytab(http):
+    root_logger.info('[Moving HTTPD service keytab to gssproxy]')
+    if os.path.exists(paths.OLD_IPA_KEYTAB):
+        shutil.move(paths.OLD_IPA_KEYTAB, http.keytab)
+    pent = pwd.getpwnam(http.keytab_user)
+    os.chown(http.keytab, pent.pw_uid, pent.pw_gid)
+
+
 def ds_enable_sidgen_extdom_plugins(ds):
     """For AD trust agents, make sure we enable sidgen and extdom plugins
     """
@@ -1629,6 +1637,8 @@ def upgrade_configuration():
     update_mod_nss_cipher_suite(http)
     fix_trust_flags()
     export_kra_agent_pem()
+    update_http_keytab(http)
+    http.configure_gssproxy()
     http.start()
 
     uninstall_selfsign(ds, http)
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index fe6defc9c..b9d1ffc63 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -166,6 +166,7 @@ class Service(object):
         self.dercert = None
         self.api = api
         self.service_user = service_user
+        self.keytab_user = service_user
         self.dm_password = None  # silence pylint
         self.promote = False
 
@@ -584,7 +585,7 @@ class Service(object):
         self._add_service_principal()
         self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
 
-        pent = pwd.getpwnam(self.service_user)
+        pent = pwd.getpwnam(self.keytab_user)
         os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
author	Simo Sorce <simo@redhat.com>	2016-11-29 11:10:22 -0500
committer	Jan Cholasta <jcholast@redhat.com>	2017-02-15 07:13:37 +0100
commit	d2f5fc304f1938d23171ae330fa20b213ceed54e (patch)
tree	b77e05211632aef8e08cb3cd937d8498d9391ed5 /ipaserver
parent	b6741d81e187fc84177c12ef8ad900d3b5cda6a4 (diff)
download	freeipa-d2f5fc304f1938d23171ae330fa20b213ceed54e.tar.gz freeipa-d2f5fc304f1938d23171ae330fa20b213ceed54e.tar.xz freeipa-d2f5fc304f1938d23171ae330fa20b213ceed54e.zip