[Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

Jan Cholasta jcholast at redhat.com
Fri Mar 29 10:28:12 UTC 2013


On 29.3.2013 10:55, Martin Kosek wrote:
> This looks much better, thanks for catching more errors and the unit test. I
> have a few more:
>
> 1) API minor number in VERSION file needs a bump

Whoops, fixed.

>
> 2) I did some functional testing and found strange behavior with services.
> Adding our custom krbticketflags disables some flags ipa-kdb adds by default,
> like REQUIRES_PRE_AUTH.
>
> Example:
>
> # ipa host-add foo.example.com --force
> ----------------------------
> Added host "foo.example.com"
> ----------------------------
>    Host name: foo.example.com
>    Principal name: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>    Password: False
>    Keytab: False
>    Managed by: foo.example.com
>
> # ipa-getkeytab -s `hostname` -p host/foo.example.com -k foo.keytab
> Keytab successfully retrieved and stored in: foo.keytab
>
> # kinit -kt foo.keytab host/foo.example.com
>
> # kadmin.local -q "getprinc host/foo.example.com at IDM.LAB.BOS.REDHAT.COM"
> ...
> Attributes: REQUIRES_PRE_AUTH
> Policy: [none]
>
>
> krb5kdc.log correctly shows that preauth is needed:
>
> Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
> etypes {18 17 16 23}) 10.16.78.37: NEEDED_PREAUTH:
> host/foo.example.com at IDM.LAB.BOS.REDHAT.COM for
> krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM, Additional
> pre-authentication required
> Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
> etypes {18 17 16 23}) 10.16.78.37: ISSUE: authtime 1364548860, etypes {rep=18
> tkt=18 ses=18}, host/foo.example.com at IDM.LAB.BOS.REDHAT.COM for
> krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM
>
>
> However, when I add OK_AS_DELEGATE, REQUIRES_PRE_AUTH vanishes:
> # ipa host-mod foo.example.com --ok-as-delegate=1
> -------------------------------
> Modified host "foo.example.com"
> -------------------------------
>    Host name: foo.example.com
>    Principal name: host/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>    Trusted for delegation: True
>    Password: False
>    Keytab: True
>    Managed by: foo.example.com
>
> # ipa service-mod HTTP/foo.example.com at IDM.LAB.BOS.REDHAT.COM --ok-as-delegate=1
> --------------------------------------------------------------
> Modified service "HTTP/foo.example.com at IDM.LAB.BOS.REDHAT.COM"
> --------------------------------------------------------------
>    Principal: HTTP/foo.example.com at IDM.LAB.BOS.REDHAT.COM
>    Trusted for delegation: True
>    Managed by: foo.example.com
>
> # kadmin.local -q "getprinc host/foo.example.com at IDM.LAB.BOS.REDHAT.COM"
> ...
> Attributes: OK_AS_DELEGATE
> Policy: [none]
>
>
> Is this intentional?
>
> Shouldn't "ipa host-add $HOST" or "ipa service-add $SERVICE" always set
> "krbticketflags" with this flag (0x00000080) on instead of adding it silently
> in ipa-kdb? (adding Simo to CC to help us with that).
>
> If not, shouldn't we at least add means to set this flag in host-mod or
> service-mod so that admins can set it? I.e. an option like --requires-pre-auth=1

I assumed the default value is 0. I changed it to 0x00000080.

Updated patch attached.

Honza

-- 
Jan Cholasta
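The behaviour Martin observed (setting OK_AS_DELEGATE makes REQUIRES_PRE_AUTH vanish) comes down to what an absent krbticketflags attribute is taken to mean when the plugin does its read-modify-write. The following is an added illustration, not code from the patch or from FreeIPA: it models that update with a plain bitmask, once with the default Jan first assumed (0) and once with the corrected default (0x00000080). The flag values are the MIT krb5 KDB principal attribute bits from kdb.h; only REQUIRES_PRE_AUTH = 0x00000080 appears in the thread itself, the OK_AS_DELEGATE and OK_TO_AUTH_AS_DELEGATE values are taken from kdb.h. The function names are this example's own.

```python
# Added example (not part of the FreeIPA patch under review): a small model of
# the read-modify-write that a host-mod/service-mod style option performs on
# the krbticketflags bitmask, showing why the assumed default matters.
#
# Flag values are the MIT krb5 KDB principal attribute bits (kdb.h);
# REQUIRES_PRE_AUTH (0x80) is the one discussed in the thread.
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_OK_AS_DELEGATE = 0x00100000
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE = 0x00200000

FLAG_NAMES = {
    KRB5_KDB_REQUIRES_PRE_AUTH: "REQUIRES_PRE_AUTH",
    KRB5_KDB_OK_AS_DELEGATE: "OK_AS_DELEGATE",
    KRB5_KDB_OK_TO_AUTH_AS_DELEGATE: "OK_TO_AUTH_AS_DELEGATE",
}

# What the KDB layer applies when the LDAP entry has no krbticketflags at all.
# The thread's point: ipa-kdb treats "absent" as REQUIRES_PRE_AUTH set, so a
# plugin that treats "absent" as 0 silently drops pre-auth on its first write.
DEFAULT_TICKET_FLAGS = KRB5_KDB_REQUIRES_PRE_AUTH


def update_ticket_flags(current, set_flags=0, clear_flags=0,
                        default=DEFAULT_TICKET_FLAGS):
    """Return the new krbticketflags value.

    current: the stored integer, or None when the attribute is absent.
    set_flags / clear_flags: masks of bits the admin asked to turn on / off.
    default: the value an absent attribute stands for.
    """
    base = default if current is None else current
    return (base | set_flags) & ~clear_flags


def describe_flags(value):
    """Render a mask the way kadmin's getprinc lists Attributes (known bits only)."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def reproduce_thread_bug():
    """Model 'ipa host-mod --ok-as-delegate=1' on a fresh host entry.

    The entry has no krbticketflags yet.  Returns (buggy, fixed), where
    'buggy' assumes an absent attribute means 0 and 'fixed' assumes it
    means 0x00000080, as the updated patch does.
    """
    buggy = update_ticket_flags(None, set_flags=KRB5_KDB_OK_AS_DELEGATE,
                                default=0)
    fixed = update_ticket_flags(None, set_flags=KRB5_KDB_OK_AS_DELEGATE)
    return buggy, fixed


if __name__ == "__main__":
    buggy, fixed = reproduce_thread_bug()
    print("default 0:   ", hex(buggy), describe_flags(buggy))
    print("default 0x80:", hex(fixed), describe_flags(fixed))
```

Run stand-alone, the first line shows only OK_AS_DELEGATE (the kadmin output in Martin's mail), the second shows REQUIRES_PRE_AUTH together with OK_AS_DELEGATE. The same helper also handles clearing a flag (--ok-as-delegate=0) without touching bits it was not asked about, which is the property an admin expects from a per-flag option.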
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-120.3-Add-Kerberos-ticket-flags-management-to-service-and-.patch
Type: text/x-patch
Size: 27708 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20130329/49082845/attachment.bin>