#1098 Investigate using Services4User to replace ticket forwarding/delegation
Closed: Fixed None Opened 13 years ago by rcritten.

Using this we would be able to run of globally forwardable tickets.

http://k5wiki.kerberos.org/wiki/Projects/Services4User
Moving the ticket to the next month iteration.

Need to add option to mod_auth_kerb to set GSS_C_BOTH in gss_acquire_cred() call so we can save a copy of the ticket we receive. Otherwise no ccache is created if no TGT is delegated.

Simo's suggestion is s4u2proxy_creds_available true/false

Some implementation notes:

- Needs krb5-server-1.9.2-3.fc15.2 from ipa-devel
- Needs Simo's ipa-kdb patches in ipa-server
- Needs mod_auth_kerb patch to set GSS_C_BOTH in gss_acquire_cred()
- kinit -kt /etc/httpd/conf/ipa.keytab -c /tmp/krb5cc_48 HTTP/rawhide.example.com
- chown apache.apache /tmp/krb5cc_48
- modify ipalib/rpc.py to not set GSS_C_DELEG_FLAG
- The TGT still needs to be forwardable
- kinit admin
- ipa -vv user-show admin
- Confirm in output that Authorization is much smaller to show that no TGT is sent
- Request should work the same

Need to address this SELinux AVC where Apache can't open its own ccache:

type=AVC msg=audit(1323289708.937:27452): avc:  denied  { open } for  pid=22216 comm="httpd" name="krb5cc_48" dev=sda1 ino=458834 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

The context needs to be: system_u:object_r:httpd_tmp_t:s0
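As an added illustration (not part of the ticket or of the FreeIPA/mod_auth_kerb code), a small Python checker that parses an AVC record like the one above and flags a krb5 ccache whose SELinux type is not the httpd_tmp_t the comment calls for; the sample input is the denial quoted above, embedded as a constructed string.

```python
import re

# Expected SELinux context for a ccache Apache (httpd_t) must open, per the ticket.
EXPECTED_CCACHE_CONTEXT = "system_u:object_r:httpd_tmp_t:s0"

# Constructed sample: the denial quoted in the ticket, as audit.log records it.
SAMPLE_AVC = (
    'type=AVC msg=audit(1323289708.937:27452): avc:  denied  { open } for  '
    'pid=22216 comm="httpd" name="krb5cc_48" dev=sda1 ino=458834 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split an AVC record into verdict, permission list and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields["verdict"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def selinux_type(context):
    parts = context.split(":")  # user:role:type:level -> type
    return parts[2] if len(parts) > 2 else ""


def check_ccache_avc(line, expected=EXPECTED_CCACHE_CONTEXT):
    """Flag an AVC where httpd_t is denied a krb5 ccache file carrying the wrong type."""
    avc = parse_avc(line)
    if avc is None or avc["verdict"] != "denied" or avc.get("tclass") != "file":
        return None
    if not avc.get("name", "").startswith("krb5cc_"):
        return None
    if selinux_type(avc.get("scontext", "")) != "httpd_t":
        return None
    actual = selinux_type(avc.get("tcontext", ""))
    if actual == selinux_type(expected):
        return None  # label already correct; the denial has another cause
    return {"ccache": avc["name"], "pid": int(avc["pid"]), "denied": avc["perms"],
            "actual_type": actual, "expected_context": expected}
```

Run `check_ccache_avc` over the AVC lines pulled from audit.log; a non-None result names the ccache that needs relabelling to the expected context.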

mod_auth_kerb patches submitted upstream

IPA patches submitted to list.

The srpm for the mod_auth_kerb changes can be found at http://rcritten.fedorapeople.org/mod_auth_kerb-5.4-8.fc15.ipa.src.rpm

To test the webUI, in the browser URL box enter about:config and edit the line
network.negotiate-auth.delegation.uris to remove the IPA server. That will stop TGT forwarding.

Patch 914 still needs to be pushed. Re-opening so I don't forget to push it upstream. This patch contains the client-side changes.

Moving to next month iteration.

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02

7 years ago
