Bug 768164 - [RFE] Use Services4User to replace ticket forwarding/delegation
Summary: [RFE] Use Services4User to replace ticket forwarding/delegation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On: 767741
Blocks: 736854
Reported: 2011-12-15 22:08 UTC by Dmitri Pal
Modified: 2012-06-20 13:28 UTC (History)

Fixed In Version: ipa-2.2.0-1.el6
Doc Type: Enhancement
Doc Text:
No documentation needed.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:28:21 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2012:0819 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2012-06-19 20:34:17 UTC

Description Dmitri Pal 2011-12-15 22:08:42 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/1098

Using this we would be able to run of globally forwardable tickets.

http://k5wiki.kerberos.org/wiki/Projects/Services4User

Comment 1 Jenny Severance 2011-12-19 15:06:57 UTC
Please add steps to verify this issue ..

Configure KDC to not forward/delegate tickets and verify you can still administer IPA from a client??  Need steps to do that ...

Comment 2 Rob Crittenden 2012-01-03 15:16:10 UTC
No, ticket delegation still needs to be enabled, we just no longer forward the TGT.

From a client you can use the -vv flag:

# ipa -vv user-show admin

You'll notice that the WWW-Authenticate header value is significantly smaller with S4U2proxy (because it doesn't include the TGT).

/var/log/krb5kdc.log will also include information that the request is being proxied.

Something like:

Dec 07 15:40:26 rawhide.example.com krb5kdc[21945](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.166.20: ISSUE: authtime 1323290316, etypes {rep=18 tkt=18 ses=18}, HTTP/rawhide.example.com for ldap/rawhide.example.com
Dec 07 15:40:26 rawhide.example.com krb5kdc[21945](info): ... CONSTRAINED-DELEGATION s4u-client=admin

This means that the HTTP service requested an ldap service ticket on behalf of admin.

Otherwise the behavior from the client will remain exactly the same.

Comment 3 Rob Crittenden 2012-01-11 20:55:28 UTC
Fixed upstream.

master: c08296adff58517934b3ea3e4a6581b55fbc2d0c

ipa-2-2: 4f5fe04be87dc117588a8e3b004cd6078844e537

Required mod_auth_kerb support in BZ 767741

Comment 6 Rob Crittenden 2012-03-21 03:09:27 UTC
Here is additional information for testers.

This is by design transparent for users. They don't need to do anything special for this to work but we no longer require the TGT be forwarded to work (the ticket still needs to be forwardable).

You can verify that the ticket isn't sent by comparing the headers of 'ipa -vv user-show admin' and 'ipa -vv --delegate user-show admin'. The latter will have a significantly bigger WWW-Authenticate header because it includes a full TGT.

On the KDC you'll notice in the s4u2proxy case a line indicating delegation:

Mar 20 23:03:47 rawhide.example.com krb5kdc[31291](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.166.20: ISSUE: authtime 1332294969, etypes {rep=18 tkt=18 ses=18}, HTTP/rawhide.example.com for ldap/rawhide.example.com
Mar 20 23:03:47 rawhide.example.com krb5kdc[31291](info): ... CONSTRAINED-DELEGATION s4u-client=admin

And when doing full delegation:

Mar 20 23:03:35 rawhide.example.com krb5kdc[31291](info): TGS_REQ (1 etypes {18}) 192.168.166.20: ISSUE: authtime 1332294969, etypes {rep=18 tkt=18 ses=18}, admin for krbtgt/EXAMPLE.COM
Mar 20 23:03:35 rawhide.example.com krb5kdc[31291](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.166.20: ISSUE: authtime 1332294969, etypes {rep=18 tkt=18 ses=18}, admin for ldap/rawhide.example.com

The UI will work similarly, the key being whether delegation-uris is set in the browser config.

We are delegating to the web server permission to only get an ldap service ticket on behalf of the user. If you want to tweak the delegation rules see the entries

dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX

and

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX

The first entry says that the HTTP principal can delegate tickets to those principals in the second entry.

So for example, if you remove the ldap server from the second entry then IPA should refuse to work.

The way this works within Apache is that it uses its own service principal to authenticate and obtain a ticket on behalf of the user. If you set LogLevel debug in /etc/httpd/conf.d/nss.conf and restart httpd then you'll see quite a bit of logging when a request is made.

Apache will create a ccache to use in /tmp/krb5cc_<uid_of_apache>. You can remove this file at any time while Apache is up or down and it should be re-created on the next request. It should also be automatically re-created when the ticket expires (I tested this by setting a short ticket policy with krbtpolicy).
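An added verification helper for testers, not part of this bug or of IPA's own code: it classifies krb5kdc.log TGS lines into the S4U2proxy form ("HTTP/... for ldap/..." followed by a CONSTRAINED-DELEGATION line) versus the forwarded-TGT form ("admin for krbtgt/REALM" followed by "admin for ldap/...") that comments 2 and 6 describe, and flags constrained-delegation targets outside an expected allow-list (mirroring what the ipa-ldap-delegation-targets entry permits). The sample log lines, the host kdc.example.com and the allow-list are constructed.

```python
import re

# Constructed sample modelled on the krb5kdc.log excerpts quoted in this bug:
# the first two lines are a full-delegation (forwarded TGT) session, the last
# two are the S4U2proxy (constrained delegation) form.
SAMPLE_LOG = """\
Mar 20 23:03:35 kdc.example.com krb5kdc[31291](info): TGS_REQ (1 etypes {18}) 192.168.166.20: ISSUE: authtime 1332294969, etypes {rep=18 tkt=18 ses=18}, admin for krbtgt/EXAMPLE.COM
Mar 20 23:03:35 kdc.example.com krb5kdc[31291](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.166.20: ISSUE: authtime 1332294969, etypes {rep=18 tkt=18 ses=18}, admin for ldap/kdc.example.com
Mar 20 23:03:47 kdc.example.com krb5kdc[31291](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.166.20: ISSUE: authtime 1332294969, etypes {rep=18 tkt=18 ses=18}, HTTP/kdc.example.com for ldap/kdc.example.com
Mar 20 23:03:47 kdc.example.com krb5kdc[31291](info): ... CONSTRAINED-DELEGATION s4u-client=admin
"""

# "<requester> for <target>" at the end of a TGS_REQ ISSUE line.
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): TGS_REQ .*?: ISSUE: .*?, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)
# Continuation line the KDC emits for an S4U2proxy request.
S4U_RE = re.compile(r"\.\.\. CONSTRAINED-DELEGATION s4u-client=(?P<user>\S+)$")


def classify_tgs_requests(log_text):
    """Return (kind, requester, target, on_behalf_of) for each ISSUE line.

    "s4u2proxy"     - a service principal obtained a ticket for a user
    "forwarded-tgt" - a TGS_REQ whose target is krbtgt/REALM, which is how a
                      client fetching a TGT copy to forward appears
                      (assumption: a plain renewal would look the same)
    "service"       - an ordinary service-ticket request
    """
    lines = log_text.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = ISSUE_RE.search(line)
        if not m:
            continue
        client, server = m.group("client"), m.group("server")
        nxt = S4U_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        if nxt:
            events.append(("s4u2proxy", client, server, nxt.group("user")))
        elif server.startswith("krbtgt/"):
            events.append(("forwarded-tgt", client, server, None))
        else:
            events.append(("service", client, server, None))
    return events


def unexpected_s4u_targets(events, allowed_targets):
    """S4U2proxy events whose target is outside the expected allow-list."""
    return [e for e in events if e[0] == "s4u2proxy" and e[2] not in allowed_targets]
```
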

Comment 8 Martin Kosek 2012-04-19 19:29:24 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.

Comment 9 Jenny Severance 2012-05-07 13:29:31 UTC
verified ::

# ipa -vv user-show admin
ipa: INFO: trying https://dhcp-186-52.testrelm.com/ipa/xml
ipa: INFO: Forwarding 'user_show' to server u'http://dhcp-186-52.testrelm.com/ipa/xml'
send: u'POST /ipa/xml HTTP/1.0\r\nHost: dhcp-186-52.testrelm.com\r\nAccept-Language: en-us\r\nReferer: https://dhcp-186-52.testrelm.com/ipa/xml\r\nAuthorization: negotiate ...\r\nUser-Agent: xmlrpclib.py/1.0.1 (by www.pythonware.com)\r\nContent-Type: text/xml\r\nContent-Length: 567\r\n\r\n'
send: "<?xml version='1.0' encoding='UTF-8'?>\n<methodCall>\n<methodName>user_show</methodName>\n<params>\n<param>\n<value><array><data>\n<value><string>admin</string></value>\n</data></array></value>\n</param>\n<param>\n<value><struct>\n<member>\n<name>raw</name>\n<value><boolean>0</boolean></value>\n</member>\n<member>\n<name>all</name>\n<value><boolean>0</boolean></value>\n</member>\n<member>\n<name>version</name>\n<value><string>2.34</string></value>\n</member>\n<member>\n<name>rights</name>\n<value><boolean>0</boolean></value>\n</member>\n</struct></value>\n</param>\n</params>\n</methodCall>\n"
reply: 'HTTP/1.1 200 Success\r\n'
header: Date: Mon, 07 May 2012 13:20:08 GMT
header: Server: Apache/2.2.15 (Red Hat)
header: WWW-Authenticate: Negotiate YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuZdxEgfrMi4Rxq70myMqcepB1p8bQK54PorfE5CuGteUmxZa4wUDxJJ0kLJrVgyAezovM82tXyxoD8eK2OKwZQqWggN1gP+MS43ltT659cl56YCIWfBJrV17m5WaN0Tsb1QmHlohFHh+NonCdcFk=
header: Connection: close
header: Content-Type: text/xml; charset=utf-8
body: "<?xml version='1.0' encoding='UTF-8'?>\n<methodResponse>\n<params>\n<param>\n<value><struct>\n<member>\n<name>result</name>\n<value><struct>\n<member>\n<name>dn</name>\n<value><string>uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com</string></value>\n</member>\n<member>\n<name>has_keytab</name>\n<value><boolean>1</boolean></value>\n</member>\n<member>\n<name>uid</name>\n<value><array><data>\n<value><string>admin</string></value>\n</data></array></value>\n</member>\n<member>\n<name>loginshell</name>\n<value><array><data>\n<value><string>/bin/bash</string></value>\n</data></array></value>\n</member>\n<member>\n<name>uidnumber</name>\n<value><array><data>\n<value><string>1109600000</string></value>\n</data></array></value>\n</member>\n<member>\n<name>gidnumber</name>\n<value><array><data>\n<value><string>1109600000</string></value>\n</data></array></value>\n</member>\n<member>\n<name>memberof_group</name>\n<value><array><data>\n<value><string>admins</string></value>\n</data></array></value>\n</member>\n<member>\n<name>has_password</name>\n<value><boolean>1</"
body: 'boolean></value>\n</member>\n<member>\n<name>sn</name>\n<value><array><data>\n<value><string>Administrator</string></value>\n</data></array></value>\n</member>\n<member>\n<name>homedirectory</name>\n<value><array><data>\n<value><string>/home/admin</string></value>\n</data></array></value>\n</member>\n<member>\n<name>nsaccountlock</name>\n<value><boolean>0</boolean></value>\n</member>\n</struct></value>\n</member>\n<member>\n<name>value</name>\n<value><string>admin</string></value>\n</member>\n<member>\n<name>summary</name>\n<value><nil/></value></member>\n</struct></value>\n</param>\n</params>\n</methodResponse>\n'
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1109600000
  GID: 1109600000
  Account disabled: False
  Password: True
  Member of groups: admins
  Kerberos keys available: True


May 07 09:20:07 dhcp-186-52.testrelm.com krb5kdc[15708](info): TGS_REQ (4 etypes {18 17 16 23}) 10.16.186.52: ISSUE: authtime 1336396796, etypes {rep=18 tkt=18 ses=18}, admin for HTTP/dhcp-186-52.testrelm.com
May 07 09:20:08 dhcp-186-52.testrelm.com krb5kdc[15708](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.186.52: NEEDED_PREAUTH: HTTP/dhcp-186-52.testrelm.com for krbtgt/TESTRELM.COM, Additional pre-authentication required
May 07 09:20:08 dhcp-186-52.testrelm.com krb5kdc[15708](info): AS_REQ (4 etypes {18 17 16 23}) 10.16.186.52: ISSUE: authtime 1336396808, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp-186-52.testrelm.com for krbtgt/TESTRELM.COM
May 07 09:20:08 dhcp-186-52.testrelm.com krb5kdc[15708](info): TGS_REQ (4 etypes {18 17 16 23}) 10.16.186.52: ISSUE: authtime 1336396796, etypes {rep=18 tkt=18 ses=18}, HTTP/dhcp-186-52.testrelm.com for ldap/dhcp-186-52.testrelm.com
May 07 09:20:08 dhcp-186-52.testrelm.com krb5kdc[15708](info): ... CONSTRAINED-DELEGATION s4u-client=admin


version ::
ipa-server-2.2.0-12.el6.i686

Comment 11 errata-xmlrpc 2012-06-20 13:28:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

