[Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins
Martin Kosek
mkosek@redhat.com
Fri Mar 29 09:55:28 UTC 2013
On 03/28/2013 04:56 PM, Jan Cholasta wrote:
> On 27.3.2013 14:51, Martin Kosek wrote:
>> This looks OK. Please just also add unit tests exercising this new feature.
>>
>> Thanks,
>> Martin
>>
>
> Tests added.
>
> I have also made some additional changes:
>
> * renamed the virtual attribute from ipakrbflagokasdelegate to
> ipakrbokasdelegate
> * fixed internal error when krbticketflags has more than one value
> * fixed updates overwriting krbticketflags instead of updating it
> * allow krbticketflags to be overwritten when it has non-integer value
> * do not hide krbticketflags in command output
>
> Honza
>
This looks much better, thanks for catching more errors and the unit test. I
have a few more:
1) API minor number in VERSION file needs a bump
2) I did some functional testing and found strange behavior with services.
Adding our custom krbticketflags disables some flags ipa-kdb adds by default,
like REQUIRES_PRE_AUTH.
Example:
# ipa host-add foo.example.com --force
----------------------------
Added host "foo.example.com"
----------------------------
Host name: foo.example.com
Principal name: host/foo.example.com@IDM.LAB.BOS.REDHAT.COM
Password: False
Keytab: False
Managed by: foo.example.com
# ipa-getkeytab -s `hostname` -p host/foo.example.com -k foo.keytab
Keytab successfully retrieved and stored in: foo.keytab
# kinit -kt foo.keytab host/foo.example.com
# kadmin.local -q "getprinc host/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
...
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
krb5kdc.log correctly shows that preauth is needed:
Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.37: NEEDED_PREAUTH: host/foo.example.com@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional pre-authentication required
Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.78.37: ISSUE: authtime 1364548860, etypes {rep=18 tkt=18 ses=18}, host/foo.example.com@IDM.LAB.BOS.REDHAT.COM for krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
However, when I add OK_AS_DELEGATE, REQUIRES_PRE_AUTH vanishes:
# ipa host-mod foo.example.com --ok-as-delegate=1
-------------------------------
Modified host "foo.example.com"
-------------------------------
Host name: foo.example.com
Principal name: host/foo.example.com@IDM.LAB.BOS.REDHAT.COM
Trusted for delegation: True
Password: False
Keytab: True
Managed by: foo.example.com
# ipa service-mod HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM --ok-as-delegate=1
--------------------------------------------------------------
Modified service "HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
--------------------------------------------------------------
Principal: HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM
Trusted for delegation: True
Managed by: foo.example.com
# kadmin.local -q "getprinc host/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
...
Attributes: OK_AS_DELEGATE
Policy: [none]
Is this intentional?
Shouldn't "ipa host-add $HOST" or "ipa service-add $SERVICE" always set
"krbticketflags" with this flag (0x00000080) on instead of adding it silently
in ipa-kdb? (adding Simo to CC to help us with that).
If not, shouldn't we at least add means to set this flag in host-mod or
service-mod so that admins can set it? I.e. an option like --requires-pre-auth=1
Martin
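The flag loss discussed above comes down to how the krbticketflags bitmask is written back. The following is an added illustration, not FreeIPA's or Jan's patch code: it contrasts a write that replaces the attribute with one that reads the current word, toggles only the requested bit, and writes the result back, while also coping with the multi-valued and non-integer cases Jan's changelog mentions. REQUIRES_PRE_AUTH = 0x80 is the value quoted in the thread; OK_AS_DELEGATE = 0x00100000 is the MIT Kerberos kdb.h value and is an assumption here, as are the helper names and the dict-shaped entry.

```python
# Added example, not FreeIPA code. Ticket flag bits as a Kerberos KDB bitmask.
REQUIRES_PRE_AUTH = 0x00000080   # value quoted in the thread; set by ipa-kdb by default
OK_AS_DELEGATE = 0x00100000      # MIT kdb.h KRB5_KDB_OK_AS_DELEGATE (assumption)
FLAG_NAMES = {REQUIRES_PRE_AUTH: 'REQUIRES_PRE_AUTH', OK_AS_DELEGATE: 'OK_AS_DELEGATE'}


def parse_flags(values):
    """Turn an LDAP attribute value list into one integer flag word.

    Two edge cases from the thread are handled: more than one value (all
    integer values are OR-ed together, a policy chosen for this example) and
    a non-integer value (ignored, so the next update replaces it).
    """
    flags = 0
    for v in values or []:
        if isinstance(v, bytes):
            v = v.decode('utf-8', 'replace')
        try:
            flags |= int(v)
        except (TypeError, ValueError):
            continue  # garbage value: contributes nothing, gets overwritten
    return flags


def set_flag_overwrite(entry, flag, on):
    """The behaviour observed in the thread: the attribute is replaced with
    just the requested bit, so REQUIRES_PRE_AUTH silently disappears."""
    entry['krbticketflags'] = [str(flag if on else 0)]
    return parse_flags(entry['krbticketflags'])


def set_flag_update(entry, flag, on):
    """Read-modify-write: keep every other bit, change only the requested one."""
    current = parse_flags(entry.get('krbticketflags'))
    new = (current | flag) if on else (current & ~flag)
    entry['krbticketflags'] = [str(new)]
    return new


def describe(entry):
    """Render known bits the way 'kadmin.local getprinc' prints Attributes."""
    flags = parse_flags(entry.get('krbticketflags'))
    return ' '.join(name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit)


if __name__ == '__main__':
    # Constructed entry as ipa-kdb leaves a fresh host: preauth required.
    host = {'krbticketflags': [str(REQUIRES_PRE_AUTH)]}
    set_flag_update(host, OK_AS_DELEGATE, True)
    print('Attributes:', describe(host))  # both flags survive
```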