[Freeipa-devel] [PATCH] client: include the directory with domain-realm mappings in krb5.conf

Rob Crittenden rcritten at redhat.com
Mon Nov 5 19:34:35 UTC 2012


Martin Kosek wrote:
> On 10/31/2012 11:00 AM, Jakub Hrozek wrote:
>> On Mon, Oct 22, 2012 at 02:14:00PM -0400, Simo Sorce wrote:
>>> On Mon, 2012-10-22 at 17:15 +0200, Martin Kosek wrote:
>>>> On 10/08/2012 08:27 PM, Rob Crittenden wrote:
>>>>> Jakub Hrozek wrote:
>>>>>> On Fri, Aug 17, 2012 at 12:20:27PM -0400, Simo Sorce wrote:
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> the attached patches add the directory the SSSD writes domain-realm
>>>>>>>> mappings as includedir to krb5.conf when installing the client.
>>>>>>>>
>>>>>>>> [PATCH 1/3] ipachangeconf: allow specifying non-default delimiter for
>>>>>>>> options
>>>>>>>> ipachangeconf only allows one delimiter between keys and values. This
>>>>>>>> patch adds the possibility of also specifying "delim" in the option
>>>>>>>> dictionary to override the default delimiter.
>>>>>>>>
>>>>>>>> On a slightly-unrelated note, we really should think about adopting
>>>>>>>> Augeas. Changing configuration with home-grown scripts is getting
>>>>>>>> tricky.
>>>>>>>>
>>>>>>>> [PATCH 2/3] Specify includedir in krb5.conf on new installs
>>>>>>>> This patch utilizes the new functionality from the previous patch to
>>>>>>>> add
>>>>>>>> the includedir on top of the krb5.conf file
>>>>>>>>
>>>>>>>> [PATCH 3/3] Add the includedir to krb5.conf on upgrades
>>>>>>>> This patch is completely untested and I'm only posting it to get
>>>>>>>> opinions. At first I was going to use an upgrade script in %post but
>>>>>>>> then I thought it would be overengineering when all we want to do is
>>>>>>>> prepend one line. Would a simple munging like this be acceptable or
>>>>>>>> shall I write a full script?
>>>>>>>
>>>>>>> NACK, using a scriptlet is fine, but not the way you did, as it has a huge
>>>>>>> race condition where krb5.conf exists and has only one line in it (the
>>>>>>> include line).
>>>>>>>
>>>>>>> You should first create the new file: echo "include ..." > /etc/krb.conf.ipanew
>>>>>>> Then cat the contents of the existing file in it: cat /etc/krb.conf >>
>>>>>>> /etc/krb.conf.ipanew
>>>>>>> And finally atomically rename it: mv /etc/krb.conf.ipanew /etc/krb.conf
>>>>>>>
>>>>>>> This method is also safe wrt something killing the yum process ...
>>>>>>>
>>>>>>> Simo.
>>>>>>
>>>>>> I'm attaching a new revision of the patches not even two months after
>>>>>> the original nack.
>>>>>>
>>>>>> I also think it might be nice to have a more general way of upgrading
>>>>>> the client config so I filed
>>>>>> https://fedorahosted.org/freeipa/ticket/3149
>>>>>
>>>>> I don't think grepping for a string is an effective way to determine if the
>>>>> client has been configured. Someone could have removed that line.
>>>>>
>>>>> I'd prefer using /var/lib/ipa-client/sysrestore/sysrestore.index. If it exists
>>>>> and has more than 2 lines in it ([files] + one other file) then it is safe to
>>>>> say the client is configured, or at least partially configured.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> I just found one more issue. What if ipa-client-install is run with --no-sssd
>>>> option? In that case I assume we should not include the SSSD's krb5.include.d,
>>>> right? The same would also apply for upgrades, we would need to check if client
>>>> was actually configured with SSSD before mangling their krb5.conf.
>>>
>>> Yeah that's right, we should have all sssd related changes under a
>>> conditional that is true only when sssd is enabled.
>>>
>>> Simo.
>>
>> OK, new patches are attached. In new installs, the includedir is only
>> added when options.sssd is true. During upgrades, I checked for
>> sssd.conf's existence, I'm not sure if there's any other way to check if
>> the client was configured with sssd?
>
> Hello Jakub, thanks for these patches. I think that checking if /etc/sssd.conf
> exists is actually not so bad a way to test if it was configured. Anyway, I did
> a few tests on server and client but I still see a few issues:
>
> 1) SELinux context of krb5.conf is not as expected (but I am not sure what real
> issue could that cause):
>
> # restorecon -FvvR /etc/krb5.conf
> restorecon reset /etc/krb5.conf context
> unconfined_u:object_r:etc_t:s0->system_u:object_r:krb5_conf_t:s0
>
> 2) I can no longer kinit on IPA server after applying your patch
> # rpm -q sssd
> sssd-1.9.90-0.20121030T1436Zgitf46bf56.fc17.x86_64
> # rpm -Uvh --force freeipa-*.rpm
> # head -n 5 /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
> # KRB5_TRACE=/dev/stdout kinit admin
> [21059] 1351684052.658548: Getting initial credentials for
> admin at IDM.LAB.BOS.REDHAT.COM
> [21059] 1351684052.665269: Sending request (200 bytes) to IDM.LAB.BOS.REDHAT.COM
> [21059] 1351684052.665989: Resolving hostname vm-044.idm.lab.bos.redhat.com
> [21059] 1351684052.667511: Sending initial UDP request to dgram 10.16.78.44:88
> [21059] 1351684052.672514: Received answer from dgram 10.16.78.44:88
> [21059] 1351684052.672653: Response was from master KDC
> [21059] 1351684052.672751: Received error from KDC: -1765328370/KDC has no
> support for encryption type
> kinit: KDC has no support for encryption type while getting initial credentials
>
>
> Now when I comment includedir:
> # head -n 5 /etc/krb5.conf
> # kinit admin
> Password for admin at IDM.LAB.BOS.REDHAT.COM:
> # echo $?
> 0
>
> When I upgraded client machine (without krb5kdc), kinit worked fine. Does that
> mean that krb5.conf can only be changed on client machines?
>
> 3) We should also add Requires on sssd >= 1.9.0 in FreeIPA spec file to pick up
> the new feature. Otherwise I just get an error on client:
>
> # kinit admin
> kinit: Included profile directory could not be read while initializing Kerberos
> 5 library
>
> 4) (Optional) I think we can make the process of checking if IPA is configured
> easier and follow a similar way that Sumit did:
> https://fedorahosted.org/freeipa/changeset/fe66fbe637132ac5eb22eea388e2261f33497bf5/
>
> This section:
>
> +restore=0
> +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l
> '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
> +
> +if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
> +    if ! egrep -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf
> 2>/dev/null ; then
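Review bot: the egrep on the last two lines treats any line that mentions /var/lib/sss/pubconf/krb5.include.d/ as "already configured", including one commented out with a leading `#` (exactly what Martin did in item 2 to test), so such a file is left without an active include; anchoring the pattern, e.g. `^includedir /var/lib/sss/pubconf/krb5.include.d/`, checks for the directive itself. Minor: `[ -f ... -a $restore -ge 2 ]` uses the obsolescent `-a`; `[ -f '/etc/sssd/sssd.conf' ] && [ "$restore" -ge 2 ]` is the portable form.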
>
> could then be replaced by something like this:
>
> python -c "import sys; from ipapython import ipautil; sys.exit(0 if ipautil.is_ipaclient_configured() else 1);" > /dev/null 2>&1
> if [ $? -eq 0 ]; then
>
> I am not saying you need to do this step, this can be done later by us.
>
> Martin
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

I'm not sure how you ran into problems on master because krb5.conf 
wasn't being set up by default on IPA masters (I had to update the 
krb5.conf.template to get that done).

Once updated we get a slew of AVCs:

type=SYSCALL msg=audit(1352143784.563:2184): arch=c000003e syscall=257 
success=yes exit=4 a0=ffffffffffffff9c a1=7f485970dc0b a2=90800 a3=0 
items=0 ppid=1 pid=5307 auid=4294967295 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" 
exe="/usr/sbin/krb5kdc" subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { open } for 
pid=5307 comm="krb5kdc" path="/var/lib/sss/pubconf/krb5.include.d" 
dev="sda3" ino=130 scontext=system_u:system_r:krb5kdc_t:s0 
tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { read } for 
pid=5307 comm="krb5kdc" name="krb5.include.d" dev="sda3" ino=130 
scontext=system_u:system_r:krb5kdc_t:s0 
tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.563:2184): avc:  denied  { search } for 
pid=5307 comm="krb5kdc" name="pubconf" dev="sda3" ino=129 
scontext=system_u:system_r:krb5kdc_t:s0 
tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.781:2186): avc:  denied  { open } for 
pid=5320 comm="kadmind" path="/var/lib/sss/pubconf/krb5.include.d" 
dev="sda3" ino=130 scontext=system_u:system_r:kadmind_t:s0 
tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143784.781:2186): avc:  denied  { read } for 
pid=5320 comm="kadmind" name="krb5.include.d" dev="sda3" ino=130 
scontext=system_u:system_r:kadmind_t:s0 
tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143816.001:2192): avc:  denied  { read } for 
pid=5428 comm="httpd" name="krb5.include.d" dev="sda3" ino=130 
scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=AVC msg=audit(1352143851.870:2200): avc:  denied  { read } for 
pid=5489 comm="ns-slapd" name="krb5.include.d" dev="sda3" ino=130 
scontext=system_u:system_r:dirsrv_t:s0 
tcontext=system_u:object_r:sssd_public_t:s0 tclass=dir
type=SYSCALL msg=audit(1352143852.271:2201): arch=c000003e syscall=233 
success=yes exit=0 a0=5 a1=2 a2=6 a3=7fff416fea80 items=0 ppid=1 
pid=5308 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 tty=(none) ses=4294967295 comm="krb5kdc" exe="/usr/sbin/krb5kdc" 
subj=system_u:system_r:krb5kdc_t:s0 key=(null)
type=AVC msg=audit(1352143852.271:2201): avc:  denied  { block_suspend } 
for  pid=5308 comm="krb5kdc" capability=36 
scontext=system_u:system_r:krb5kdc_t:s0 
tcontext=system_u:system_r:krb5kdc_t:s0 tclass=capability2

rob
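The upgrade step the thread converges on, as an added example that is neither Jakub's patch nor FreeIPA's own code: the sysrestore.index line count Rob suggests, the sssd.conf check Martin accepted, the prepend-then-rename sequence from Simo's NACK, and a restorecon for the context mismatch Martin reported in item 1. The three paths are parameters so the function runs on constructed files under a temp directory; on a real client they would be /etc/krb5.conf, /var/lib/ipa-client/sysrestore/sysrestore.index and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not the patch from the thread.  Prepends the SSSD includedir
# to a krb5.conf without ever exposing a file that holds only the include
# line, and touches nothing on clients installed with --no-sssd.
INCLUDEDIR='/var/lib/sss/pubconf/krb5.include.d/'

# Rob's test for "client is (at least partially) configured": the
# sysrestore index exists and holds more than the [files] header alone.
client_configured() {
    index="$1"
    [ -f "$index" ] || return 1
    [ "$(wc -l < "$index" | tr -d ' ')" -ge 2 ]
}

# Returns 0 after rewriting $conf, 1 when nothing was changed (not an IPA
# client, not configured with SSSD, or the includedir is already there).
add_includedir() {
    conf="$1"; index="$2"; sssdconf="$3"
    client_configured "$index" || return 1
    [ -f "$sssdconf" ] || return 1    # --no-sssd client: leave krb5.conf alone
    grep -qF "includedir $INCLUDEDIR" "$conf" 2>/dev/null && return 1

    new="$conf.ipanew"
    cp -p "$conf" "$new"              # inherit mode and owner of the original
    # Write the complete new content beside the original, then rename it
    # into place: a reader sees either the old file or the whole new one,
    # and an interrupted rpm transaction leaves the original untouched.
    { printf 'includedir %s\n' "$INCLUDEDIR"; cat "$conf"; } > "$new"
    mv -f "$new" "$conf"
    # The new inode was created as etc_t; relabel it to krb5_conf_t.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$conf" 2>/dev/null || :
    fi
    return 0
}
```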