[Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

Martin Kosek mkosek at redhat.com
Fri Mar 29 09:55:28 UTC 2013


On 03/28/2013 04:56 PM, Jan Cholasta wrote:
> On 27.3.2013 14:51, Martin Kosek wrote:
>> This looks OK. Please just also add unit tests exercising this new feature.
>>
>> Thanks,
>> Martin
>>
> 
> Tests added.
> 
> I have also made some additional changes:
> 
>   * renamed the virtual attribute from ipakrbflagokasdelegate to
> ipakrbokasdelegate
>   * fixed internal error when krbticketflags has more than one value
>   * fixed updates overwriting krbticketflags instead of updating it
>   * allow krbticketflags to be overwritten when it has non-integer value
>   * do not hide krbticketflags in command output
> 
> Honza
> 

This looks much better, thanks for catching more errors and the unit test. I
have a few more:

1) API minor number in VERSION file needs a bump

2) I did some functional testing and found strange behavior with services.
Adding our custom krbticketflags disables some flags ipa-kdb adds by default,
like REQUIRES_PRE_AUTH.

Example:

# ipa host-add foo.example.com --force
----------------------------
Added host "foo.example.com"
----------------------------
  Host name: foo.example.com
  Principal name: host/foo.example.com@IDM.LAB.BOS.REDHAT.COM
  Password: False
  Keytab: False
  Managed by: foo.example.com

# ipa-getkeytab -s `hostname` -p host/foo.example.com -k foo.keytab
Keytab successfully retrieved and stored in: foo.keytab

# kinit -kt foo.keytab host/foo.example.com

# kadmin.local -q "getprinc host/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
...
Attributes: REQUIRES_PRE_AUTH
Policy: [none]


krb5kdc.log correctly shows that preauth is needed:

Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
etypes {18 17 16 23}) 10.16.78.37: NEEDED_PREAUTH:
host/foo.example.com@IDM.LAB.BOS.REDHAT.COM for
krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional
pre-authentication required
Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
etypes {18 17 16 23}) 10.16.78.37: ISSUE: authtime 1364548860, etypes {rep=18
tkt=18 ses=18}, host/foo.example.com@IDM.LAB.BOS.REDHAT.COM for
krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM


However, when I add OK_AS_DELEGATE, REQUIRES_PRE_AUTH vanishes:

# ipa host-mod foo.example.com --ok-as-delegate=1
-------------------------------
Modified host "foo.example.com"
-------------------------------
  Host name: foo.example.com
  Principal name: host/foo.example.com@IDM.LAB.BOS.REDHAT.COM
  Trusted for delegation: True
  Password: False
  Keytab: True
  Managed by: foo.example.com

# ipa service-mod HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM --ok-as-delegate=1
--------------------------------------------------------------
Modified service "HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
--------------------------------------------------------------
  Principal: HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM
  Trusted for delegation: True
  Managed by: foo.example.com

# kadmin.local -q "getprinc host/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
...
Attributes: OK_AS_DELEGATE
Policy: [none]


Is this intentional?

Shouldn't "ipa host-add $HOST" or "ipa service-add $SERVICE" always set
"krbticketflags" with this flag (0x00000080) on instead of adding it silently
in ipa-kdb? (adding Simo to CC to help us with that).

If not, shouldn't we at least add a means to set this flag in host-mod or
service-mod so that admins can set it? I.e. an option like --requires-pre-auth=1

Martin
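Added example, not FreeIPA's own code and not part of the thread: a Python sketch of how a boolean virtual option such as ipakrbokasdelegate maps onto bits of the multi-valued krbticketflags attribute, reproducing the lost REQUIRES_PRE_AUTH above and the proposed seeding from the KDC's implicit default. The bit values are MIT Kerberos KRB5_KDB_* constants; the implicit-default value, the entry representation and all function names are assumptions.

```python
# Added example (not FreeIPA code): virtual boolean attribute -> krbticketflags
# bits, and why REQUIRES_PRE_AUTH vanishes when the attribute is first written
# without the default the KDC backend applies to an absent attribute.

# KRB5_KDB_* ticket flag bits from MIT Kerberos kdb.h
REQUIRES_PRE_AUTH = 0x00000080   # the 0x00000080 flag named in the thread
OK_AS_DELEGATE = 0x00100000

# Virtual boolean attribute -> krbticketflags bit it controls
TICKET_FLAGS_MAP = {
    'ipakrbrequirespreauth': REQUIRES_PRE_AUTH,
    'ipakrbokasdelegate': OK_AS_DELEGATE,
}

# Assumption: when krbticketflags is absent the KDC backend behaves as if
# this value were set, but nothing is ever stored in LDAP.
KDC_IMPLICIT_DEFAULT = REQUIRES_PRE_AUTH


def read_ticket_flags(entry, default):
    """Return krbticketflags of an LDAP entry (dict of value lists) as int.
    The attribute may be multi-valued or hold garbage: non-integer values
    are skipped and the first integer wins; absent -> default."""
    for value in entry.get('krbticketflags', []):
        try:
            return int(value)
        except (TypeError, ValueError):
            continue
    return default


def update_ticket_flags(entry, options, absent_default=KDC_IMPLICIT_DEFAULT):
    """Set or clear only the bits named in options; all other bits survive.
    absent_default=0 reproduces the observation above: a host with no stored
    flags ends up with OK_AS_DELEGATE only, so REQUIRES_PRE_AUTH is lost.
    Seeding from the KDC default keeps it, as the thread proposes."""
    flags = read_ticket_flags(entry, absent_default)
    for name, bit in TICKET_FLAGS_MAP.items():
        if name not in options:
            continue
        if options[name]:
            flags |= bit
        else:
            flags &= ~bit
    entry['krbticketflags'] = [str(flags)]
    return flags
```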



