[Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs

Jakub Hrozek jhrozek at redhat.com
Tue Jul 9 20:39:23 UTC 2013


On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
> On Tue, 09 Jul 2013, Jakub Hrozek wrote:
> >On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
> >>On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
> >>> On Mon, 01 Jul 2013, Sumit Bose wrote:
> >>> >Hi,
> >>> >
> >>> >this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
> >>> >to allow SSSD running on a FreeIPA server to access the AD LDAP server.
> >>> >In the ticket a more generic solution is described but since there is no
> >>> >other use case so far I think this patch is sufficient for the time
> >>> >being.
> >>> >
> >>> >bye,
> >>> >Sumit
> >>>
> >>> >From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
> >>> >From: Sumit Bose <sbose at redhat.com>
> >>> >Date: Mon, 1 Jul 2013 13:47:22 +0200
> >>> >Subject: [PATCH] Add PAC to master host TGTs
> >>> >
> >>> >For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
> >>> >needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
> >>> >of a trusted domain with the credentials of a FreeIPA server host a
> >>> >PAC must be added to the TGT for the host.
> >>> s/SALS/SASL/
> >>
> >>Thank you for the review, I've fixed the typo and added the numerical
> >>values for the well-known RIDs to the commit message.
> >>
> >>>
> >>>
> >>> >To determine if a host is a FreeIPA server or not it is checked if there
> >>> >is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
> >>> >this requires an additional LDAP lookup. But since TGS-REQs for hosts
> >>> >should be rare I think it is acceptable for the time being.
> >>> I think it is better to change this lookup to
> >>> "cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX", it would
> >>> explicitly limit us to the IPA masters running AD trusts.
> >>
> >>I'm not sure if this restriction is needed. With SSSD's ipa_server_mode
> >>any IPA master (which networkwise can access an AD server of the trusted
> >>domain) can read AD user and group data, no running smbd or winbind is
> >>required. So it would be possible to run the extdom plugin or the compat
> >>plugin for the legacy clients on any IPA server which would allow a much
> >>better load balancing.
> >>
> >>If there are other concerns I'm happy to add the restriction.
> >>
> >>bye,
> >>Sumit
> >
> >I don't think I know the code well enough to provide a full review, but
> >the patch enables the lookups from an IPA master without any additional
> >hacks. So ack on functionality at least.
> Ok.
> 
> I've extended this functionality to generate MS-PAC also for services
> running on IPA masters. Patch attached.
> 
> This is needed to finally get rid of access to trust auth material for
> IPA python code. HTTP/fqdn at REALM will now be able to authenticate
> against AD LDAP server and look up needed information directly, without
> elevating privileges to trust admins.
> 
> This should also help for AD range discovery Tomas is working on.
> 

Hi,

The patch looks good to me so I'm giving my +1. I would appreciate other
review too before a full ack, though.
