Using this we would be able to run of globally forwardable tickets.
http://k5wiki.kerberos.org/wiki/Projects/Services4User
Moving the ticket to the next month iteration.
Need to add option to mod_auth_kerb to set GSS_C_BOTH in gss_acquire_cred() call so we can save a copy of the ticket we receive. Otherwise no ccache is created if no TGT is delegated.
Simo's suggestion is s4u2proxy_creds_available true/false
Some implementation notes:
- Needs krb5-server-1.9.2-3.fc15.2 from ipa-devel
- Needs Simo's ipa-kdb patches in ipa-server
- Needs mod_auth_kerb patch to set GSS_C_BOTH in gss_acquire_cred()
- kinit -kt /etc/httpd/conf/ipa.keytab -c /tmp/krb5cc_48 HTTP/rawhide.example.com
- chown apache.apache /tmp/krb5cc_48
- modify ipalib/rpc.py to not set GSS_C_DELEG_FLAG
- The TGT still needs to be forwardable
- kinit admin
- ipa -vv user-show admin
- Confirm in output that Authorization is much smaller to show that no TGT is sent
- Request should work the same
Need to address this SELinux AVC where Apache can't open its own ccache:
type=AVC msg=audit(1323289708.937:27452): avc: denied { open } for pid=22216 comm="httpd" name="krb5cc_48" dev=sda1 ino=458834 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
The context needs to be: system_u:object_r:httpd_tmp_t:s0
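As an added example (not code from the ticket or from FreeIPA), here is a small parser for audit AVC records like the one above, plus a check that flags the mislabelled ccache and prints the relabel command. The expected-type table and the assumption that the file lives directly under /tmp are mine; a real deployment would also make the label persistent with `semanage fcontext` and `restorecon` rather than a one-off `chcon`.

```python
import re

# Constructed sample: the AVC denial quoted in the ticket, as audit.log would record it.
AVC_LINE = ('type=AVC msg=audit(1323289708.937:27452): avc: denied { open } for pid=22216 '
            'comm="httpd" name="krb5cc_48" dev=sda1 ino=458834 '
            'scontext=system_u:system_r:httpd_t:s0 '
            'tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file')

# Hypothetical policy table (assumption for this example): which file type a given
# source domain needs for its scratch files. The ticket gives the one entry here.
EXPECTED_TYPE = {"httpd_t": "httpd_tmp_t"}

_AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None if the line is not an AVC denial."""
    m = _AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('fields'))}
    rec['timestamp'] = float(m.group('ts'))
    rec['serial'] = int(m.group('serial'))
    rec['perms'] = m.group('perms').split()
    # Contexts are user:role:type:level; the MLS level may itself contain ':'.
    for ctx in ('scontext', 'tcontext'):
        _user, _role, typ, _level = rec[ctx].split(':', 3)
        rec[ctx + '_type'] = typ
    return rec


def suggest_fix(rec):
    """Return (reason, command) when the denial is a file with the wrong type label."""
    if rec is None or rec.get('tclass') != 'file':
        return None
    want = EXPECTED_TYPE.get(rec['scontext_type'])
    if want is None or want == rec['tcontext_type']:
        return None
    # Assumption: the AVC only carries the basename; the ticket's ccache is in /tmp.
    path = '/tmp/' + rec['name']
    reason = (f"{rec['comm']} ({rec['scontext_type']}) denied "
              f"{','.join(rec['perms'])} on {rec['name']} labelled "
              f"{rec['tcontext_type']}; expected {want}")
    return reason, f"chcon -t {want} {path}"


if __name__ == '__main__':
    fix = suggest_fix(parse_avc(AVC_LINE))
    if fix:
        print(fix[0])
        print('fix:', fix[1])
```

The check is deliberately narrow: it only fires for `tclass=file` and only when the policy table knows what the source domain expects, so unrelated denials (a wrong port, a socket) are not mis-reported as a labelling problem.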
mod_auth_kerb patches submitted upstream
IPA patches submitted to list.
The srpm for the mod_auth_kerb changes can be found at http://rcritten.fedorapeople.org/mod_auth_kerb-5.4-8.fc15.ipa.src.rpm
Fedora mod_auth_kerb bug: https://bugzilla.redhat.com/show_bug.cgi?id=767740
RHEL mod_auth_kerb bug: https://bugzilla.redhat.com/show_bug.cgi?id=767741
To test the webUI, in the browser URL box enter about:config and edit the line: network.negotiate-auth.delegation.uris and remove the IPA server. That will stop TGT forwarding.
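The same change can be scripted against a Firefox profile's user.js or prefs.js instead of clicking through about:config. This is an added example, not part of the ticket or of FreeIPA; the hostnames in the sample prefs are made up, and it removes only an exact host string from the delegation list while leaving network.negotiate-auth.trusted-uris alone, so SPNEGO still authenticates but no TGT is delegated.

```python
import re

# Constructed sample of a Firefox prefs.js / user.js fragment (hypothetical hosts).
PREFS = '''\
user_pref("network.negotiate-auth.trusted-uris", ".example.com");
user_pref("network.negotiate-auth.delegation.uris", "ipa.example.com,other.example.com");
user_pref("network.negotiate-auth.allow-non-fqdn", false);
'''

DELEGATION_PREF = 'network.negotiate-auth.delegation.uris'

# Matches one string-valued user_pref(...) line; non-string prefs (booleans, ints) are skipped.
_PREF_RE = re.compile(
    r'^(?P<head>[ \t]*user_pref\("(?P<name>[^"]+)",[ \t]*")'
    r'(?P<value>[^"]*)'
    r'(?P<tail>"\);[ \t]*)$',
    re.M)


def delegation_uris(prefs):
    """Return the list of hosts/patterns currently allowed to receive a delegated TGT."""
    for m in _PREF_RE.finditer(prefs):
        if m.group('name') == DELEGATION_PREF:
            return [u.strip() for u in m.group('value').split(',') if u.strip()]
    return []


def remove_delegation(prefs, host):
    """Return prefs text with `host` dropped from the delegation list; other prefs untouched."""
    def repl(m):
        if m.group('name') != DELEGATION_PREF:
            return m.group(0)
        kept = [u.strip() for u in m.group('value').split(',')
                if u.strip() and u.strip() != host]
        return m.group('head') + ','.join(kept) + m.group('tail')
    return _PREF_RE.sub(repl, prefs)


if __name__ == '__main__':
    print(delegation_uris(PREFS))
    print(remove_delegation(PREFS, 'ipa.example.com'), end='')
```

Firefox only reads prefs.js at startup and rewrites it on exit, so apply this with the browser closed (or put the result in user.js, which wins over prefs.js).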
master: c08296a
ipa-2-2: 4f5fe04
Patch 914 still needs to be pushed. Re-opening so I don't forget to push it upstream. This patch contains the client-side changes.
attachment freeipa-rcrit-914-2-nodelegation.patch
Moving to next month iteration.
master: 2da6d6e
ipa-2-2: abd3ae2
Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02