-rw-r--r-- | freeipa.spec.in | 3 | ||||
-rw-r--r-- | init/systemd/ipa.service.in | 1 | ||||
-rw-r--r-- | install/Makefile.am | 1 | ||||
-rw-r--r-- | install/conf/ipa.conf | 2 | ||||
-rw-r--r-- | install/share/Makefile.am | 1 | ||||
-rw-r--r-- | install/share/gssproxy.conf.template | 8 | ||||
-rw-r--r-- | install/share/ipa-httpd.conf.template | 2 | ||||
-rw-r--r-- | ipaplatform/base/constants.py | 1 | ||||
-rw-r--r-- | ipaplatform/base/paths.py | 6 | ||||
-rw-r--r-- | ipaplatform/base/services.py | 2 | ||||
-rw-r--r-- | ipaplatform/redhat/services.py | 1 | ||||
-rw-r--r-- | ipaplatform/redhat/tasks.py | 15 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 24 | ||||
-rw-r--r-- | ipaserver/install/ipa_backup.py | 2 | ||||
-rw-r--r-- | ipaserver/install/ipa_restore.py | 2 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 10 | ||||
-rw-r--r-- | ipaserver/install/service.py | 3 | ||||
-rw-r--r-- | ipatests/test_integration/tasks.py | 2 | ||||
-rw-r--r-- | ipatests/test_integration/test_caless.py | 4 | ||||
-rw-r--r-- | ipatests/test_integration/test_trust.py | 4 |
20 files changed, 70 insertions, 24 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 8a050cc5f..a65b9bcf1 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -259,6 +259,8 @@ Requires: systemd-python Requires: %{etc_systemd_dir} Requires: gzip Requires: oddjob +# Require 0.6.0 for the new delegation access control features +Requires: gssproxy >= 0.6.0 Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -1271,6 +1273,7 @@ fi %{_usr}/share/ipa/updates/* %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca diff --git a/init/systemd/ipa.service.in b/init/systemd/ipa.service.in index 9acd587e5..4c924d5ed 100644 --- a/init/systemd/ipa.service.in +++ b/init/systemd/ipa.service.in @@ -1,6 +1,7 @@ [Unit] Description=Identity, Policy, Audit Requires=network.target +Requires=gssproxy.service After=network.target [Service] diff --git a/install/Makefile.am b/install/Makefile.am index 845e751d6..f895bccd2 100644 --- a/install/Makefile.am +++ b/install/Makefile.am @@ -21,6 +21,7 @@ SUBDIRS = \ install-exec-local: $(INSTALL) -d -m 700 $(DESTDIR)$(IPA_SYSCONF_DIR)/custodia $(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/backup + $(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/gssproxy $(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore $(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade $(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index ce2ea74a1..c1b10d035 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf 
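Review bot: In the init/systemd/ipa.service.in hunk, `Requires=gssproxy.service` makes systemd pull gssproxy in but does not order the two units; only an `After=` directive does that. Without it the ipa service, and the httpd it starts with `GSS_USE_PROXY=yes` (per the ipa-httpd.conf.template hunk further down), can come up before gssproxy's socket is listening, which would presumably surface as intermittent GSSAPI authentication failures right after boot. Change the ordering line to `After=network.target gssproxy.service` so that the dependency is both pulled in and started first.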
@@ -69,8 +69,6 @@ WSGIScriptReloading Off SessionHeader IPASESSION GssapiSessionKey file:/etc/httpd/alias/ipasession.key - GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab - GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/ipa/ccaches GssapiUseS4U2Proxy on GssapiAllowedMech krb5 diff --git a/install/share/Makefile.am b/install/share/Makefile.am index bb09c9882..c58e1d2dd 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -90,6 +90,7 @@ dist_app_DATA = \ ipa-httpd.conf.template \ gssapi.login \ ipa.conf.tmpfiles \ + gssproxy.conf.template \ $(NULL) kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template new file mode 100644 index 000000000..cb5775de6 --- /dev/null +++ b/install/share/gssproxy.conf.template @@ -0,0 +1,8 @@ +#Installed and maintained by ipa update tools, please do not modify +[service/ipa-httpd] + mechs = krb5 + cred_store = keytab:$HTTP_KEYTAB + cred_store = client_keytab:$HTTP_KEYTAB + allow_protocol_transition = true + cred_usage = both + euid = $HTTPD_USER diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template index a907d73cc..8822066ba 100644 --- a/install/share/ipa-httpd.conf.template +++ b/install/share/ipa-httpd.conf.template @@ -1,7 +1,7 @@ # Do not edit. Created by IPA installer. [Service] -Environment=KRB5CCNAME=$KRB5CC_HTTPD +Environment=GSS_USE_PROXY=yes Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG ExecStartPre=$IPA_HTTPD_KDCPROXY ExecStopPost=$POST diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index 3e1c4c6f7..3984147b6 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py @@ -11,6 +11,7 @@ class BaseConstantsNamespace(object): DS_USER = 'dirsrv' DS_GROUP = 'dirsrv' HTTPD_USER = "apache" + GSSPROXY_USER = "root" IPA_DNS_PACKAGE_NAME = "freeipa-server-dns" KDCPROXY_USER = "kdcproxy" NAMED_USER = "named" 
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 374a1987b..28db7f1fc 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -49,7 +49,8 @@ class BasePathNamespace(object): HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf" HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf" HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf" - IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab" + OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab" + HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab" ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab" HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf" IDMAPD_CONF = "/etc/idmapd.conf" @@ -328,7 +329,7 @@ class BasePathNamespace(object): IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache" VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv" IPA_CCACHES = "/var/run/ipa/ccaches" - KRB5CC_HTTPD = "/var/run/ipa/ccaches/http.ccache" + HTTP_CCACHE = "/var/lib/ipa/gssproxy/http.ccache" IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock" SVC_LIST_FILE = "/var/run/ipa/services.list" KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba" @@ -349,5 +350,6 @@ class BasePathNamespace(object): IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log' IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab' EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d' + GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf' path_namespace = BasePathNamespace diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py index 9c9a5ae78..8149ff1ef 100644 --- a/ipaplatform/base/services.py +++ b/ipaplatform/base/services.py @@ -42,7 +42,7 @@ wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', 'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap', 'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd', 'rpcidmapd', 'pki_tomcatd', 'chronyd', 'domainname', - 'named', 'ods_enforcerd', 'ods_signerd'] + 'named', 'ods_enforcerd', 'ods_signerd', 'gssproxy'] # The common ports for these services. This is used to wait for the # service to become available. 
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py index cc5d67477..5d8e1ecaa 100644 --- a/ipaplatform/redhat/services.py +++ b/ipaplatform/redhat/services.py @@ -68,6 +68,7 @@ redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service' redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd'] redhat_system_units['ods-signerd'] = 'ods-signerd.service' redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd'] +redhat_system_units['gssproxy'] = 'gssproxy.service' # Service classes that implement Red Hat OS family-specific behaviour diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 1191acd07..c9b1c49aa 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -451,7 +451,6 @@ class RedHatTaskNamespace(BaseTaskNamespace): os.path.join(paths.USR_SHARE_IPA_DIR, 'ipa-httpd.conf.template'), paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, dict( - KRB5CC_HTTPD=paths.KRB5CC_HTTPD, KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) @@ -461,6 +460,20 @@ class RedHatTaskNamespace(BaseTaskNamespace): os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644) self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF) + def configure_http_gssproxy_conf(self): + ipautil.copy_template_file( + os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'), + paths.GSSPROXY_CONF, + dict( + HTTP_KEYTAB=paths.HTTP_KEYTAB, + HTTP_CCACHE=paths.HTTP_CCACHE, + HTTPD_USER=constants.HTTPD_USER + ) + ) + + os.chmod(paths.GSSPROXY_CONF, 0o600) + self.restore_context(paths.GSSPROXY_CONF) + def remove_httpd_service_ipa_conf(self): """Remove systemd config for httpd service of IPA""" try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index d07b32253..dddf097c0 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
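Review bot: configure_http_gssproxy_conf in the ipaplatform/redhat/tasks.py hunk passes `HTTP_CCACHE=paths.HTTP_CCACHE` into the template substitution, but the gssproxy.conf.template added by this commit contains no `$HTTP_CCACHE` placeholder, so the key is dead and the new HTTP_CCACHE path is never communicated to gssproxy. Either drop the key, or, if the ccache location is meant to be pinned, add the matching `cred_store = ccache:$HTTP_CCACHE` line to the template (gssproxy honours a ccache entry in cred_store; confirm against the 0.6.0 docs the spec now requires). The method is also the only one in this class without a docstring; its sibling `remove_httpd_service_ipa_conf` has one, so add `"""Write the gssproxy service config for IPA's httpd from the template"""` at the top of the body.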
@@ -129,10 +129,11 @@ class HTTPInstance(service.Service): api=api, service_prefix=u'HTTP', service_user=HTTPD_USER, - keytab=paths.IPA_KEYTAB) + keytab=paths.HTTP_KEYTAB) self.cert_nickname = cert_nickname self.ca_is_configured = True + self.keytab_user = constants.GSSPROXY_USER subject_base = ipautil.dn_attribute_property('_subject_base') @@ -169,13 +170,15 @@ class HTTPInstance(service.Service): self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self._request_service_keytab) self.step("retrieving anonymous keytab", self.request_anon_keytab) + self.step("configuring Gssproxy", self.configure_gssproxy) self.step("setting up ssl", self.__setup_ssl) if self.ca_is_configured: self.step("configure certmonger for renewals", self.configure_certmonger_renewal_guard) self.step("importing CA certificates from LDAP", self.__import_ca_certs) self.step("publish CA cert", self.__publish_ca_cert) - self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) + self.step("clean up any existing httpd ccaches", + self.remove_httpd_ccaches) self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) if not self.is_kdcproxy_configured(): self.step("create KDC proxy user", create_kdcproxy_user) @@ -205,13 +208,13 @@ class HTTPInstance(service.Service): except ipapython.errors.SetseboolError as e: self.print_msg(e.format_service_warning('web interface')) - def remove_httpd_ccache(self): - # Clean up existing ccache + def remove_httpd_ccaches(self): + # Clean up existing ccaches # Make sure that empty env is passed to avoid passing KRB5CCNAME from # current env - ipautil.run( - [paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False, - env={}) + installutils.remove_file(paths.HTTP_CCACHE) + for f in os.listdir(paths.IPA_CCACHES): + os.remove(os.path.join(paths.IPA_CCACHES, f)) def __configure_http(self): self.update_httpd_service_ipa_conf() 
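Review bot: In the `@@ -205,13 +208,13 @@` hunk, remove_httpd_ccaches keeps the comment about passing an empty env to avoid inheriting KRB5CCNAME, but the kdestroy subprocess it described is gone, so the comment now explains nothing; replace it with `# Remove the gssproxy ccache and any delegated ccaches under IPA_CCACHES`. The rewrite also lost the `raiseonerr=False` best-effort behaviour of the old code: `os.listdir(paths.IPA_CCACHES)` raises if the directory does not exist yet and `os.remove` raises on a subdirectory, and this method is called both at install time and from ipa_restore (see the ipa_restore.py hunk), so a guard such as `if os.path.isdir(paths.IPA_CCACHES):` in front of the loop keeps cleanup from aborting the whole step. HTTPInstance continues outside this hunk.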
@@ -235,6 +238,10 @@ class HTTPInstance(service.Service): http_fd.close() os.chmod(target_fname, 0o644) + def configure_gssproxy(self): + tasks.configure_http_gssproxy_conf() + services.knownservices.gssproxy.restart() + def change_mod_nss_port_from_http(self): # mod_ssl enforces SSLEngine on for vhost on 443 even though # the listener is mod_nss. This then crashes the httpd as mod_nss @@ -541,8 +548,7 @@ class HTTPInstance(service.Service): root_logger.debug(error) installutils.remove_keytab(self.keytab) - installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD, - run_as=self.service_user) + installutils.remove_file(paths.HTTP_CCACHE) # Remove the configuration files we create installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py index 4ba61e529..b2f2e2a9f 100644 --- a/ipaserver/install/ipa_backup.py +++ b/ipaserver/install/ipa_backup.py @@ -141,7 +141,7 @@ class Backup(admintool.AdminTool): paths.OPENLDAP_LDAP_CONF, paths.LIMITS_CONF, paths.HTTPD_PASSWORD_CONF, - paths.IPA_KEYTAB, + paths.HTTP_KEYTAB, paths.HTTPD_IPA_KDCPROXY_CONF, paths.HTTPD_IPA_PKI_PROXY_CONF, paths.HTTPD_IPA_REWRITE_CONF, diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 89cf9e609..d798654ea 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -413,7 +413,7 @@ class Restore(admintool.AdminTool): self.log.info('Restarting SSSD') sssd = services.service('sssd', api) sssd.restart() - http.remove_httpd_ccache() + http.remove_httpd_ccaches() finally: try: os.chdir(cwd) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 80abeba53..6919f521e 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
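Review bot: The ipa_backup.py file list now includes `paths.HTTP_KEYTAB` but not the new `paths.GSSPROXY_CONF` (/etc/gssproxy/10-ipa.conf), so a restore brings back the keytab under /var/lib/ipa/gssproxy while the gssproxy service stanza that makes httpd able to use it is only recreated if something calls `configure_gssproxy()` again. If ipa-restore does not run the upgrade step that this commit adds, httpd would start with `GSS_USE_PROXY=yes` and no `[service/ipa-httpd]` definition. Consider adding `paths.GSSPROXY_CONF,` next to `paths.HTTP_KEYTAB,` in the list, or documenting in the restore path that the file is regenerated.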
@@ -1431,6 +1431,14 @@ def update_ipa_httpd_service_conf(http): http.update_httpd_service_ipa_conf() +def update_http_keytab(http): + root_logger.info('[Moving HTTPD service keytab to gssproxy]') + if os.path.exists(paths.OLD_IPA_KEYTAB): + shutil.move(paths.OLD_IPA_KEYTAB, http.keytab) + pent = pwd.getpwnam(http.keytab_user) + os.chown(http.keytab, pent.pw_uid, pent.pw_gid) + + def ds_enable_sidgen_extdom_plugins(ds): """For AD trust agents, make sure we enable sidgen and extdom plugins """ @@ -1629,6 +1637,8 @@ def upgrade_configuration(): update_mod_nss_cipher_suite(http) fix_trust_flags() export_kra_agent_pem() + update_http_keytab(http) + http.configure_gssproxy() http.start() uninstall_selfsign(ds, http) diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index fe6defc9c..b9d1ffc63 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -166,6 +166,7 @@ class Service(object): self.dercert = None self.api = api self.service_user = service_user + self.keytab_user = service_user self.dm_password = None # silence pylint self.promote = False @@ -584,7 +585,7 @@ class Service(object): self._add_service_principal() self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) - pent = pwd.getpwnam(self.service_user) + pent = pwd.getpwnam(self.keytab_user) os.chown(self.keytab, pent.pw_uid, pent.pw_gid) diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py index f6fa45140..95234506d 100644 --- a/ipatests/test_integration/tasks.py +++ b/ipatests/test_integration/tasks.py @@ -474,7 +474,7 @@ def establish_trust_with_ad(master, ad_domain, extra_args=()): """ # Force KDC to reload MS-PAC info by trying to get TGT for HTTP - master.run_command(['kinit', '-kt', paths.IPA_KEYTAB, + master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB, 'HTTP/%s' % master.hostname]) master.run_command(['systemctl', 'restart', 'krb5kdc.service']) master.run_command(['kdestroy', '-A']) 
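Review bot: update_http_keytab chowns `http.keytab` unconditionally, so on a server where neither the old keytab at `paths.OLD_IPA_KEYTAB` nor the new one exists (a host that never had the HTTP keytab, or a re-run after a partial upgrade) `os.chown` raises FileNotFoundError and aborts upgrade_configuration before `http.configure_gssproxy()` runs. The moved file also keeps whatever mode it had under /etc/httpd/conf, and when the move stays on one filesystem it keeps its old SELinux label; since the directory is created 0700 root and gssproxy reads the keytab as root, an explicit `os.chmod(http.keytab, 0o600)` and a context restore (via `tasks.restore_context`, if `tasks` is in scope in this module) would make the end state independent of what the old install left behind. Guarding the ownership fix on the file's existence keeps the function idempotent.

```python
def update_http_keytab(http):
    root_logger.info('[Moving HTTPD service keytab to gssproxy]')
    if os.path.exists(paths.OLD_IPA_KEYTAB):
        shutil.move(paths.OLD_IPA_KEYTAB, http.keytab)
    if os.path.exists(http.keytab):
        pent = pwd.getpwnam(http.keytab_user)
        os.chown(http.keytab, pent.pw_uid, pent.pw_gid)
        os.chmod(http.keytab, 0o600)
```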
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index e47984cf7..c0f4080a9 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -1169,7 +1169,7 @@ class TestIPACommands(CALessBase): '--certificate', self.client_pem]) self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname, '-p' "host/%s" % self.test_hostname, - '-k', paths.IPA_KEYTAB]) + '-k', paths.HTTP_KEYTAB]) try: yield finally: @@ -1186,7 +1186,7 @@ class TestIPACommands(CALessBase): self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname, '-p', self.test_service, - '-k', paths.IPA_KEYTAB]) + '-k', paths.HTTP_KEYTAB]) yield def test_service_mod_doesnt_revoke(self): diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py index 06bc4935b..b32e0ab97 100644 --- a/ipatests/test_integration/test_trust.py +++ b/ipatests/test_integration/test_trust.py @@ -334,7 +334,7 @@ class TestNonexternalTrustWithSubdomain(ADTrustSubdomainBase): """ def test_establish_trust(self): """ Tests establishing non-external trust with Active Directory """ - self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB, + self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB, 'HTTP/%s' % self.master.hostname]) self.master.run_command(['systemctl', 'restart', 'krb5kdc.service']) self.master.run_command(['kdestroy', '-A']) @@ -401,7 +401,7 @@ class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase): """ def test_establish_trust(self): """ Tests establishing non-external trust with Active Directory """ - self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB, + self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB, 'HTTP/%s' % self.master.hostname]) self.master.run_command(['systemctl', 'restart', 'krb5kdc.service']) self.master.run_command(['kdestroy', '-A']) |