[Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

Simo Sorce simo at redhat.com
Fri Jun 13 18:10:25 UTC 2014


On Fri, 2014-06-13 at 14:04 -0400, Simo Sorce wrote:
> On Fri, 2014-06-13 at 12:54 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Wed, 2014-06-11 at 17:03 -0400, Rob Crittenden wrote:
> > >> 0001
> > >>
> > >> When is_allowed_to_access_attr() fails it should include the value of
> > >> access in the error log for debugging.
> > > 
> > > Ok added more detailed logging
> > > 
> > >> Nit: Coluld not fetch REALM backend
> > > 
> > > Fixed
> > > 
> > >> There are still a ton of "ber_scanf failed" duplicated fatal errors. I'm
> > >> fine keeping a common err_msg but the fatal error should be unique.
> > > 
> > > Yeah thanks to this comment, I had a small change of heart.
> > > Instead of sending such detailed information to clients I reverted to
> > > send a little less information to the clients and instead LOG_FATAL in a
> > > more detailed way. HTH
> > > 
> > >> This breaks normal host delegation. If you add a host to another host's
> > >> managedby, getting the keytab will fail. This is due to:
> > >>
> > >> [11/Jun/2014:16:56:45 -0400] NSACLPlugin - conn=4 op=3 (main): Deny
> > >> write on
> > >> entry(fqdn=client2.example.com,cn=computers,cn=accounts,dc=example,dc=com).attr(ipaProtectedOperation;write_keys)
> > >> to fqdn=client1.example.com,cn=computers,cn=accounts,dc=example,dc=com:
> > >> no aci matched the subject by aci(97): aciname= "Groups allowed to
> > >> create keytab keys", acidn="cn=accounts,dc=example,dc=com"
> > > 
> > > Ok this should be working now, I added a new ACI to allow also
> > > managedby#USERDN to operate on keytabs.
> > > 
> > > New patches attached.
> > 
> > Functionally these seem to work ok. I think there should be some
> > documented way to enable the -r in ipa-getkeytab. Right now I'm not even
> > entirely sure how one would add a permission to do so.
> > 
> > rob
> > 
> 
> ATM the only way is to add the ipaAllowedOperations objectclass to the
> object you want to allow retrieving a keytab from and the
> ipaAllowedToPerform;read_key attribute
> 
> Example:
> dn: krbprincipalname=test/foo.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
> changetype: modify
> add: objectclass
> objectclass: ipaAllowedOperations
> -
> add: ipaAllowedToPerform;read_key
> ipaAllowedToPerform;read_key: uid=cluster-admin,cn=users,cn=accounts,dc=example,dc=com
> 
> Once you do this the user called cluster-admin will be allowed to
> retrieve the keytab w/o changing it.
> 
> Of course you can list there a group or another host/service DN.

Doh, I realized we haven't created a feature page for this, I am going
to create one now, so that the UI work we'll need in future can look it
up and information like the above is registered.

Will be available here:
http://www.freeipa.org/page/V4/Keytab_Retrieval

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York