Bug 1132540
| Summary: | [RFE] Expose service delegation rules CLI | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> |
| Component: | ipa | Assignee: | Martin Kosek <mkosek> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | jcholast, mkosek, nkinder, rcritten, spoore |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-0.1.alpha1.el7 | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 12:00:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1181710 | | |
Description
Martin Kosek
2014-08-21 14:15:06 UTC
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/a92328452dced34d6d6df7ad6fe585563bb909f6

Is this just a bug tracking the addition of the servicedelegation feature? From a verification perspective I think we need to test that feature, right? Can someone confirm this is the intended feature?

http://www.freeipa.org/page/V4/Service_Constraint_Delegation

Thanks,
Scott

Trying to go through the example here: http://www.freeipa.org/page/V4/Service_Constraint_Delegation#How_to_Test

I'm having a problem with the kadmin.local modprinc command:

```
kadmin.local: modprinc +ok_to_auth_as_delegate test/master.testrelm.test
modify_principal: Database record is incomplete or corrupted while getting "test/master.testrelm.test".
```

Is there another way to test this?

Hi Scott, I think

```
$ ipa service-mod test/ipa.example.com --ok-as-delegate=1
```

should work instead of kadmin.local.

I misread the flag name - to set the ok_to_auth_as_delegate flag (not the ok_as_delegate flag), you need to run:

```
$ ipa service-mod test/master.testrelm.test --setattr krbticketflags=2097280
```

Verified.

Version :: ipa-server-4.2.0-11.el7.x86_64

Results ::

```
################ First show this fail because delegation not allowed #########

[root@master ~]# echo Secret123|kinit admin
Password for admin:
[root@master ~]# ipa service-add test/$(hostname) --force
-------------------------------------------------------
Added service "test/master.testrelm.test"
-------------------------------------------------------
  Principal: test/master.testrelm.test
  Managed by: master.testrelm.test
[root@master ~]# ipa service-mod test/$(hostname) --setattr krbticketflags=2097280
----------------------------------------------------------
Modified service "test/master.testrelm.test"
----------------------------------------------------------
  Principal: test/master.testrelm.test
  Managed by: master.testrelm.test
[root@master ~]# ipa service-add test2/$(hostname) --force
--------------------------------------------------------
Added service "test2/master.testrelm.test"
--------------------------------------------------------
  Principal: test2/master.testrelm.test
  Managed by: master.testrelm.test
[root@master ~]# ipa-getkeytab -s master.testrelm.test -k /tmp/test.keytab -p test/$(hostname)
Keytab successfully retrieved and stored in: /tmp/test.keytab
[root@master ~]# ipa-getkeytab -s master.testrelm.test -k /tmp/test2.keytab -p test2/$(hostname)
Keytab successfully retrieved and stored in: /tmp/test2.keytab
[root@master ~]# kdestroy -A
[root@master ~]# kinit -kt /tmp/test.keytab test/$(hostname)
[root@master ~]# kvno -k /tmp/test.keytab -U admin -P test/$(hostname) test2/$(hostname)
test/master.testrelm.test: kvno = 2, keytab entry valid
test2/master.testrelm.test: kvno = 2, keytab entry valid
kvno: KDC returned error string: NOT_ALLOWED_TO_DELEGATE
test2/master.testrelm.test: constrained delegation failed

############# Now showing servicedelegation allowing this to work #############

[root@master ~]# kdestroy -A
[root@master ~]# kinit admin
Password for admin:
[root@master ~]# ipa servicedelegationrule-add test
------------------------------------
Added service delegation rule "test"
------------------------------------
  Delegation name: test
[root@master ~]# ipa servicedelegationtarget-add target-test
---------------------------------------------
Added service delegation target "target-test"
---------------------------------------------
  Delegation name: target-test
[root@master ~]# ipa servicedelegationrule-add-target --servicedelegationtargets=target-test test
  Delegation name: test
  Allowed Target: target-test
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa servicedelegationrule-add-member --principals test/$(hostname) test
  Delegation name: test
  Allowed Target: target-test
  Member principals: test/master.testrelm.test
-------------------------
Number of members added 1
-------------------------
[root@master ~]# ipa servicedelegationtarget-add-member --principals=test2/$(hostname) target-test
  Delegation name: target-test
  Member principals: test2/master.testrelm.test
-------------------------
Number of members added 1
-------------------------
[root@master ~]# kdestroy -A
[root@master ~]# kinit -kt /tmp/test.keytab test/$(hostname)
[root@master ~]# kvno -k /tmp/test.keytab -U admin -P test/$(hostname) test2/$(hostname)
test/master.testrelm.test: kvno = 2, keytab entry valid
test2/master.testrelm.test: kvno = 2, keytab entry valid

#####################################################################

[root@master ~]# kdestroy -A
[root@master ~]# kinit admin
Password for admin:
[root@master ~]# ipa servicedelegationrule-find
----------------------------------
2 service delegation rules matched
----------------------------------
  Delegation name: ipa-http-delegation
  Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets
  Member principals: HTTP/master.testrelm.test

  Delegation name: test
  Allowed Target: target-test
  Member principals: test/master.testrelm.test
----------------------------
Number of entries returned 2
----------------------------
[root@master ~]# ipa servicedelegationtarget-find
------------------------------------
3 service delegation targets matched
------------------------------------
  Delegation name: ipa-cifs-delegation-targets

  Delegation name: ipa-ldap-delegation-targets
  Member principals: ldap/master.testrelm.test

  Delegation name: target-test
  Member principals: test2/master.testrelm.test
----------------------------
Number of entries returned 3
----------------------------
[root@master ~]# ipa servicedelegationtarget-del target-test
-----------------------------------------------
Deleted service delegation target "target-test"
-----------------------------------------------
[root@master ~]# kdestroy -A
[root@master ~]# kinit -kt /tmp/test.keytab test/$(hostname)
[root@master ~]# kvno -k /tmp/test.keytab -U admin -P test/$(hostname) test2/$(hostname)
test/master.testrelm.test: kvno = 2, keytab entry valid
test2/master.testrelm.test: kvno = 2, keytab entry valid
kvno: KDC returned error string: NOT_ALLOWED_TO_DELEGATE
test2/master.testrelm.test: constrained delegation failed
```

Ok. Also, this is only for CLI. It's my understanding that the UI part of this will be handled separately via: https://fedorahosted.org/freeipa/ticket/5044

As such, can we change the summary/name of this bug to reflect only CLI and not UI work to be done?

Thanks,
Scott

This is correct, good catch. I updated the summary of the bug.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
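As an added example (not code from the bug report or from FreeIPA), a small Python check of the magic number used in the thread: it decodes krbticketflags=2097280 against the MIT Kerberos KDB principal-attribute bits from krb5's kdb.h, and composes a replacement value that keeps whatever bits are already set, since `--setattr` replaces the whole attribute rather than adding to it. The flag table is the one from kdb.h; the starting value 128 is inferred from 2097280 itself.

```python
# MIT Kerberos KDB principal attribute bits (KRB5_KDB_* in krb5's kdb.h).
KDB_FLAG_BITS = {
    "DISALLOW_POSTDATED":     0x00000001,
    "DISALLOW_FORWARDABLE":   0x00000002,
    "DISALLOW_TGT_BASED":     0x00000004,
    "DISALLOW_RENEWABLE":     0x00000008,
    "DISALLOW_PROXIABLE":     0x00000010,
    "DISALLOW_DUP_SKEY":      0x00000020,
    "DISALLOW_ALL_TIX":       0x00000040,
    "REQUIRES_PRE_AUTH":      0x00000080,
    "REQUIRES_HW_AUTH":       0x00000100,
    "REQUIRES_PWCHANGE":      0x00000200,
    "DISALLOW_SVR":           0x00001000,
    "PWCHANGE_SERVICE":       0x00002000,
    "SUPPORT_DESMD5":         0x00004000,
    "NEW_PRINC":              0x00008000,
    "OK_AS_DELEGATE":         0x00100000,  # kadmin: +ok_as_delegate
    "OK_TO_AUTH_AS_DELEGATE": 0x00200000,  # kadmin: +ok_to_auth_as_delegate (S4U2Self)
    "NO_AUTH_DATA_REQUIRED":  0x00400000,
    "LOCKDOWN_KEYS":          0x00800000,
}
KNOWN_BITS = sum(KDB_FLAG_BITS.values())


def decode_krbticketflags(value):
    """Names of the flag bits set in an integer krbticketflags value.
    Raises ValueError if a bit outside the kdb.h table is set, which is the
    quickest way to catch a mistyped magic number before writing it to LDAP."""
    if value & ~KNOWN_BITS:
        raise ValueError(f"unknown bits in krbticketflags: {value & ~KNOWN_BITS:#x}")
    return {name for name, bit in KDB_FLAG_BITS.items() if value & bit}


def with_flags(current, *names):
    """Value to pass as --setattr krbticketflags=... so that `names` are added
    while every bit already present in `current` survives the overwrite."""
    result = current
    for name in names:
        result |= KDB_FLAG_BITS[name]
    return result


def allows_s4u2self(value):
    """True when the principal may obtain tickets to itself on behalf of other
    users (protocol transition); this is the bit the thread set, and the one an
    audit of service principals should flag."""
    return "OK_TO_AUTH_AS_DELEGATE" in decode_krbticketflags(value)


if __name__ == "__main__":
    # 2097280 = REQUIRES_PRE_AUTH (128) | OK_TO_AUTH_AS_DELEGATE (2097152)
    print(sorted(decode_krbticketflags(2097280)))
    print(with_flags(128, "OK_TO_AUTH_AS_DELEGATE"))  # 2097280
```

Note that `--ok-as-delegate=1` sets OK_AS_DELEGATE (0x100000), which `allows_s4u2self` correctly reports as not enabling protocol transition.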