[Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

Tue Jun 17 19:30:20 UTC 2014

Simo Sorce wrote:
> On Mon, 2014-06-16 at 09:53 +0200, Petr Viktorin wrote:
>> On 06/13/2014 10:20 PM, Simo Sorce wrote:
>> [...]
>>> 2) and I think this is a MUCH bigger issue, the Admin users are
>>> unbounded and pass any Access Control Check and this means they can now
>>> retrieve any key for users or machines.
>>> It is already bad enough that admins can unconditionally set any key,
>>> but this at least leaves back a pretty big trail (the original client
>>> password/key fails to work), and is a necessary evil (password resets,
>>> hosts creation/recovery).
>>> But I am not very comfortable with the idea an admin can retrieve any
>>> key without actually ending up changing it. Petr do we have any short
>>> term plan to address the Admin's super ACI ?
>>
>> No, nothing in the short term.
> 
> Ok, then I think attached is the patch 0003 we want.
> This changes admins superpowers to not allow ipaProtectedOperation by
> default and instead adds a specific right in cn=accounts so admin can
> keep fetching keytabs for any principal. We may want to turn this into a
> permission with a future patch.

Upgrade in F-20 fails:

Upgrade failed with ACL Syntax
Error(-5):(targetattr=\22ipaProtectedOperation;write_keys\22)(version
3.0; acl \22Admins are allowed to rekey any entity\22; allow(write)
groupdn = \22ldap:///cn=admins: Invalid syntax.
IPA upgrade failed.

You also have $SUFFIX hardcoded as dc=ipa,dc=dev,dc=lan here and in
default-aci.ldif . I think the fix is to quote the whole thing like:

-add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0;
acl "Admins are allowed to rekey any entity"; allow(write) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,dc=ipa,dc=dev,dc=lan";)
+add:aci: '(targetattr="ipaProtectedOperation;write_keys")(version 3.0;
acl "Admins are allowed to rekey any entity"; allow(write) groupdn =
"ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)'

I don't know if this is your issue or not, but after fixing that the
upgrade still fails with:

Upgrade failed with unknown object class "ipaVirtualOperation":

2014-06-17T19:17:20Z DEBUG Final value after applying updates
2014-06-17T19:17:20Z DEBUG dn: cn=request certificate,cn=virtual
operations,cn=etc,dc=greyoak,dc=com
2014-06-17T19:17:20Z DEBUG objectClass:
2014-06-17T19:17:20Z DEBUG      nsContainer
2014-06-17T19:17:20Z DEBUG      top
2014-06-17T19:17:20Z DEBUG      ipaVirtualOperation
2014-06-17T19:17:20Z DEBUG cn:
2014-06-17T19:17:20Z DEBUG      request certificate
2014-06-17T19:17:20Z DEBUG [(0, u'objectClass', ['ipaVirtualOperation'])]
2014-06-17T19:17:20Z DEBUG Live 1, updated 1
2014-06-17T19:17:20Z ERROR Upgrade failed with unknown object class
"ipaVirtualOperation"

On update the global admin ACI is not changed to add
ipaProtectedOperation to the list of protected attributes.

rob