[Freeipa-users] howto modify krb principal attributes without kadmin.local

Simo Sorce simo at redhat.com
Fri May 18 15:27:57 UTC 2012 

On Wed, 2012-05-16 at 15:08 -0700, Thomas Jackson wrote:
> 
> 
> On Tue, May 15, 2012 at 3:24 PM, Simo Sorce <simo at redhat.com> wrote:
>         On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
>         > So going through the documentation it's clearly laid out not
>         to use
>         > kadmin or kadmin.local when using freeipa.  I have been
>         unable to find
>         > how to replace this functionality in the documentation.
>         >
>         > If I could use kadmin.local on my kdc I would like to run
>         the
>         > following command....
>         >
>         > modprinc +requires_hwauth user
>         >
>         > Am I going to need to extend/modify the krb5 schema to
>         modify
>         > principals attributes in this way?
>         >
>         
>         For this specific change you can use kadmin.local, but the IPA
>         UI will
>         not report you anything about it.
>         
>         The flags part is still a weak point of the Web UI, if you
>         want you can
>         open a RFE ticket to ask for better support for these flags,
>         we need to
>         do it at some point we simply haven't yet as we concentrated
>         on more
>         important and pressing issue this far.
>         
>         Simo.
>         
>         --
>         Simo Sorce * Red Hat, Inc * New York
>         
> 
> The following errors lead me to believe I am missing something as
> kadmin.local appears to have access issues when trying to modify a
> principle.
> 
> kadmin.local:  modprinc +requires_hwauth user
> modify_principal: User modification failed: Insufficient access while
> modifying "user".
> 
> For good measure I've modified /var/kerberos/krb5kdc/kadm5.
> acl with the correct ACLs for the domain and still encounter the same
> errors.
> 
> -ipa 2.1.3

Ok I took a second look at how to make it simple.

First of all I misremembered about the fact these flags were saved in
the krbExtraData field. They are not, there is a specific attribute for
all ticket flags that is called krbTicketFlags.

This attribute is normally not set on entries, as the defaults for the
realm are used, however the requires_hwauth flag is not a default and
you want to enable it only for user principals, not all principals on
the server.

That can be easily done by adding the krbTicketFlags attribute.
However in order to do this properly you need to calculate what value to
set based on this (partial) table:

KRB5_KDB_DISALLOW_POSTDATED	0x00000001
KRB5_KDB_DISALLOW_FORWARDABLE	0x00000002
KRB5_KDB_DISALLOW_TGT_BASED	0x00000004
KRB5_KDB_DISALLOW_RENEWABLE	0x00000008
KRB5_KDB_DISALLOW_PROXIABLE	0x00000010
KRB5_KDB_DISALLOW_DUP_SKEY	0x00000020
KRB5_KDB_DISALLOW_ALL_TIX	0x00000040
KRB5_KDB_REQUIRES_PRE_AUTH	0x00000080
KRB5_KDB_REQUIRES_HW_AUTH	0x00000100
KRB5_KDB_REQUIRES_PWCHANGE	0x00000200

The default flag for IPA user is KRB5_KDB_REQUIRES_PRE_AUTH, so in order
to properly set the flag you need to combine it with the flag you want
that is KRB5_KDB_REQUIRES_HW_AUTH.

So 0x0100 + 0x0080 = 0x0180

In decimal 0x0180 becomes 384

So you need to change the entry to set krbTicketFlags to 384

Now, normally I would tell you to do that using the following command:
ipa user-mod <username> --setattr=krbticketflags=384

However, we do restrict even admin from touching that attribute, so you
have 2 options:

1. change the default ACI to allow admin to edit that attribute.
2. do an ldapmodify operation instead using the Directory Manager
credentials.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list