[Freeipa-devel] [WIP][PATCH] 120 Add Kerberos ticket flags management to service and host plugins

Martin Kosek mkosek@redhat.com
Fri Mar 29 11:46:14 UTC 2013


On 03/29/2013 11:28 AM, Jan Cholasta wrote:
> On 29.3.2013 10:55, Martin Kosek wrote:
>> This looks much better, thanks for catching more errors and the unit test. I
>> have few more:
>>
>> 1) API minor number in VERSION file needs a bump
> 
> Whoops, fixed.
> 
>>
>> 2) I did some functional testing and found strange behavior with services.
>> Adding our custom krbticketflags disables some flags ipa-kdb adds by default,
>> like REQUIRES_PRE_AUTH.
>>
>> Example:
>>
>> # ipa host-add foo.example.com --force
>> ----------------------------
>> Added host "foo.example.com"
>> ----------------------------
>>    Host name: foo.example.com
>>    Principal name: host/foo.example.com@IDM.LAB.BOS.REDHAT.COM
>>    Password: False
>>    Keytab: False
>>    Managed by: foo.example.com
>>
>> # ipa-getkeytab -s `hostname` -p host/foo.example.com -k foo.keytab
>> Keytab successfully retrieved and stored in: foo.keytab
>>
>> # kinit -kt foo.keytab host/foo.example.com
>>
>> # kadmin.local -q "getprinc host/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
>> ...
>> Attributes: REQUIRES_PRE_AUTH
>> Policy: [none]
>>
>>
>> krb5kdc.log correctly shows that preauth is needed:
>>
>> Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
>> etypes {18 17 16 23}) 10.16.78.37: NEEDED_PREAUTH:
>> host/foo.example.com@IDM.LAB.BOS.REDHAT.COM for
>> krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM, Additional
>> pre-authentication required
>> Mar 29 05:21:00 vm-037.idm.lab.bos.redhat.com krb5kdc[3977](info): AS_REQ (4
>> etypes {18 17 16 23}) 10.16.78.37: ISSUE: authtime 1364548860, etypes {rep=18
>> tkt=18 ses=18}, host/foo.example.com@IDM.LAB.BOS.REDHAT.COM for
>> krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM
>>
>>
>> However, when I add OK_AS_DELEGATE, REQUIRES_PRE_AUTH vanishes:
>> # ipa host-mod foo.example.com --ok-as-delegate=1
>> -------------------------------
>> Modified host "foo.example.com"
>> -------------------------------
>>    Host name: foo.example.com
>>    Principal name: host/foo.example.com@IDM.LAB.BOS.REDHAT.COM
>>    Trusted for delegation: True
>>    Password: False
>>    Keytab: True
>>    Managed by: foo.example.com
>>
>> # ipa service-mod HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM --ok-as-delegate=1
>> --------------------------------------------------------------
>> Modified service "HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
>> --------------------------------------------------------------
>>    Principal: HTTP/foo.example.com@IDM.LAB.BOS.REDHAT.COM
>>    Trusted for delegation: True
>>    Managed by: foo.example.com
>>
>> # kadmin.local -q "getprinc host/foo.example.com@IDM.LAB.BOS.REDHAT.COM"
>> ...
>> Attributes: OK_AS_DELEGATE
>> Policy: [none]
>>
>>
>> Is this intentional?
>>
>> Shouldn't "ipa host-add $HOST" or "ipa service-add $SERVICE" always set
>> "krbticketflags" with this flag (0x00000080) on instead of adding it silently
>> in ipa-kdb? (adding Simo to CC to help us with that).
>>
>> If no, shouldn't we at least add means to set this flag in host-mod or
>> service-mod so that admins can set it? I.e. option like --requires-pre-auth=1
> 
> I assumed the default value is 0. I changed it to 0x00000080.
> 
> Updated patch attached.
> 
> Honza
> 

1) This causes an error in the test suite:

======================================================================
FAIL: test_service[23]: service_mod: Enable
u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' OK_AS_DELEGATE
Kerberos ticket flag
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 267, in
<lambda>
    func = lambda: self.check(nice, **test)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 285, in check
    self.check_output(nice, cmd, args, options, expected, extra_check)
  File "/root/freeipa-master/tests/test_xmlrpc/xmlrpc_test.py", line 323, in
check_output
    assert_deepequal(expected, got, nice)
  File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/freeipa-master/tests/util.py", line 335, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
  File "/root/freeipa-master/tests/util.py", line 323, in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (i,))
  File "/root/freeipa-master/tests/util.py", line 343, in assert_deepequal
    VALUE % (doc, expected, got, stack)
AssertionError: assert_deepequal: expected != got.
  test_service[23]: service_mod: Enable
u'HTTP/testhost1.idm.lab.bos.redhat.com@IDM.LAB.BOS.REDHAT.COM' OK_AS_DELEGATE
Kerberos ticket flag
  expected = u'1048576'
  got = u'1048704'
  path = ('result', 'krbticketflags', 0)

----------------------------------------------------------------------

2) Since we add REQUIRES_PRE_AUTH flag by default, shouldn't we then also add
--requires-pre-auth flag as I wrote above so that admin can get rid of this
flag if he chooses to?

Martin
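The arithmetic behind the test failure above, as an added example that is not part of the thread or of FreeIPA's code: krbticketflags is a bitmask, REQUIRES_PRE_AUTH is 0x00000080 (stated in the thread) and OK_AS_DELEGATE is 0x00100000 (the MIT krb5 bit behind the 1048576 the test expected). Starting from a default of 0 when the entry has no krbticketflags yet yields 1048576 and silently drops the KDC's implicit preauth requirement; starting from 0x80 yields the 1048704 the updated patch now produces. The function names are assumptions.

```python
# krbticketflags bit values. REQUIRES_PRE_AUTH is given in the thread;
# OK_AS_DELEGATE is the MIT krb5 KRB5_KDB_OK_AS_DELEGATE bit (1048576 decimal).
REQUIRES_PRE_AUTH = 0x00000080
OK_AS_DELEGATE = 0x00100000
FLAG_NAMES = {REQUIRES_PRE_AUTH: "REQUIRES_PRE_AUTH",
              OK_AS_DELEGATE: "OK_AS_DELEGATE"}


def update_ticket_flags(current, flag, enable, default=REQUIRES_PRE_AUTH):
    """Return the new krbticketflags value after enabling/disabling one flag.

    `current` is None when the LDAP entry has no krbticketflags attribute
    yet.  Until the attribute exists the KDC applies its own implicit
    defaults (REQUIRES_PRE_AUTH), so the first explicit write must start
    from that default; starting from 0 is the bug seen in the thread.
    """
    base = default if current is None else current
    if enable:
        return base | flag
    return base & ~flag


def describe(flags):
    """Names of the known flags set in a krbticketflags value (sorted)."""
    return sorted(name for bit, name in FLAG_NAMES.items() if flags & bit)


def as_api_value(flags):
    """The string form in which the XML-RPC result carries the attribute."""
    return str(flags)


if __name__ == "__main__":
    # Original patch: default 0, so only OK_AS_DELEGATE survives (1048576).
    buggy = update_ticket_flags(None, OK_AS_DELEGATE, True, default=0)
    # Updated patch: default 0x80, preauth requirement is preserved (1048704).
    fixed = update_ticket_flags(None, OK_AS_DELEGATE, True)
    print(as_api_value(buggy), describe(buggy))
    print(as_api_value(fixed), describe(fixed))
    # What a --requires-pre-auth=0 option would do to the fixed value.
    print(describe(update_ticket_flags(fixed, REQUIRES_PRE_AUTH, False)))
```

Expected test values in the thread now follow from the fixed default: the unit test's `expected = u'1048576'` has to become `u'1048704'`.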