
Add a skeleton kdcpolicy plugin #2147

Closed
frozencemetery wants to merge 3 commits

Conversation

frozencemetery (Contributor) commented Jul 12, 2018

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Back in krb5-1.16 (and in RHEL-7.5), I added the kdcpolicy plugin to krb5. This interface allows a module to hook all AS and TGS requests, potentially reject them, and manipulate ticket lifetimes. This PR is a basic implementation of the interface, with all the plumbing IPA needs to get it loaded and installed.

There are three use cases I had in mind, though of course many more are possible (this is a very powerful place to have a hook into the KDC):

  • Reduced ticket lifetimes based on auth indicator
  • Adding (well, subtracting) random jitter from certain principal lifetimes to reduce contention from groups of tickets all needing renewal simultaneously
  • Time-based access control to hosts/services

Since presumably we don't want any of that to be hardcoded behavior, the difficult part is now making it all configurable. (As well as figuring out any behavior we want to control at the moment). Per IRC conversation, I'm opening this PR so that we have something to look at while we discuss that.

BACKPORT NOTE: there's a spec file change in this PR.
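The three use cases above, worked through as an added example that is not part of this PR or of krb5: plain C with no krb5 headers, so the module glue (the initvt entry point and vtable) is left out and the functions take indicator strings, a requested lifetime in seconds and the UTC hour instead of the real hook's request, DB entry and krb5_deltat arguments. The indicator-to-lifetime table, the 10% jitter bound, the 06:00-22:00 window and the POLICY_DENY code are assumptions made for the example.

```c
/* Added example, not PR or krb5 code: decisions a kdcpolicy check_as/check_tgs
 * hook would make for the PR's three use cases.  No krb5 headers: module glue
 * (initvt/vtable) is omitted and lifetimes are int32_t seconds, not krb5_deltat. */
#include <stdint.h>
#include <string.h>
#define POLICY_DENY 1   /* constructed return code, not a krb5 error code */

/* Assumed rule table: authentication indicator -> maximum ticket lifetime. */
struct indicator_cap { const char *indicator; int32_t max_lifetime; };
static const struct indicator_cap caps[] = {
    { "pkinit", 8 * 3600 }, { "otp", 2 * 3600 }, { "radius", 1 * 3600 },
};
/* Use case 1: cap the lifetime by the most generous indicator present; a
 * request with no recognised indicator gets the conservative default. */
int32_t cap_from_indicators(const char *const *indicators, int32_t dflt)
{
    int32_t best = 0;
    for (; indicators != NULL && *indicators != NULL; indicators++)
        for (size_t i = 0; i < sizeof(caps) / sizeof(caps[0]); i++)
            if (strcmp(*indicators, caps[i].indicator) == 0 &&
                caps[i].max_lifetime > best)
                best = caps[i].max_lifetime;
    return best != 0 ? best : dflt;
}
/* Use case 2: subtract up to 10% jitter so tickets issued together do not all
 * come up for renewal at once.  FNV-1a of the principal name keeps the example
 * deterministic; a real module may draw from a random source instead. */
int32_t subtract_jitter(const char *princ, int32_t lifetime)
{
    uint32_t h = 2166136261u;
    for (; *princ != '\0'; princ++) { h ^= (unsigned char)*princ; h *= 16777619u; }
    return lifetime - (int32_t)(h % (uint32_t)(lifetime / 10 + 1));
}
/* Use case 3: time-based access control, assumed 06:00-22:00 UTC service
 * window.  Returns 0 to allow, POLICY_DENY otherwise. */
int check_time_window(int hour_utc)
{
    return (hour_utc >= 6 && hour_utc < 22) ? 0 : POLICY_DENY;
}
/* Combined decision: 0 = issue with *lifetime_out as the new maximum, else deny. */
int kdcpolicy_decide(const char *princ, const char *const *indicators,
                     int32_t requested, int hour_utc, int32_t *lifetime_out)
{
    if (check_time_window(hour_utc) != 0)
        return POLICY_DENY;
    int32_t cap = cap_from_indicators(indicators, 600);
    *lifetime_out = subtract_jitter(princ, requested < cap ? requested : cap);
    return 0;
}
```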

frozencemetery (Contributor Author)

(I don't think the CI failures are caused by this change, but please correct me if that's wrong.)

@tiran tiran added the re-run Trigger a new run of PR-CI label Jul 13, 2018
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Jul 13, 2018
tiran (Member) commented Jul 16, 2018

CI is failing because named and a DNS helper are having issues with GSSAPI:

```
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: loading DynDB instance 'ipa' driver '/usr/lib64/bind/ldap.so'
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: bind-dyndb-ldap version 11.1 compiled at 08:40:39 Mar  2 2018, compiler 8.0.1 20180222 (Red Hat 8.0.1-0.16)
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: GSSAPI client step 1
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: GSSAPI client step 1
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: LDAP error: Local error: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired): bind to LDAP server failed
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: couldn't establish connection in LDAP connection pool: failure
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: dynamic database 'ipa' configuration failed: failure
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: loading configuration: failure
Jul 13 12:23:25 master.ipa.test named-pkcs11[20556]: exiting (due to fatal error)
Jul 13 12:23:25 master.ipa.test systemd[1]: named-pkcs11.service: Control process exited, code=exited status=1
Jul 13 12:23:25 master.ipa.test systemd[1]: named-pkcs11.service: Failed with result 'exit-code'.
Jul 13 12:23:25 master.ipa.test systemd[1]: Failed to start Berkeley Internet Name Domain (DNS) with native PKCS#11.
Jul 13 12:23:25 master.ipa.test audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named-pkcs11 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jul 13 12:23:26 master.ipa.test ldappasswd[20562]: DIGEST-MD5 common mech free
Jul 13 12:23:27 master.ipa.test audit[20546]: AVC avc:  denied  { getattr } for  pid=20546 comm="ipa-dnskeysyncd" path="/usr/lib/systemd/system/fedora-domainname.service" dev="vda1" ino=400526 scontext=system_u:system_r:ipa_dnskey_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
Jul 13 12:23:30 master.ipa.test audit[20301]: AVC avc:  denied  { getattr } for  pid=20301 comm="httpd" path="/usr/lib/systemd/system/fedora-domainname.service" dev="vda1" ino=400526 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=1
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]: ipa-dnskeysyncd: INFO     LDAP bind...
Jul 13 12:23:31 master.ipa.test python3[20546]: GSSAPI client step 1
Jul 13 12:23:31 master.ipa.test python3[20546]: GSSAPI client step 1
Jul 13 12:23:31 master.ipa.test python3[20546]: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]: Traceback (most recent call last):
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:   File "/usr/libexec/ipa/ipa-dnskeysyncd", line 96, in <module>
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:     ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 1228, in sasl_interactive_bind_s
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:     res = self._apply_method_s(SimpleLDAPObject.sasl_interactive_bind_s,*args,**kwargs)
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 1197, in _apply_method_s
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:     return func(self,*args,**kwargs)
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 465, in sasl_interactive_bind_s
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:     return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls),sasl_flags)
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:     reraise(exc_type, exc_value, exc_traceback)
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:   File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 44, in reraise
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:     raise exc_value
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:   File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]:     result = func(*args,**kwargs)
Jul 13 12:23:31 master.ipa.test ipa-dnskeysyncd[20546]: ldap.LOCAL_ERROR: {'desc': 'Local error', 'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Ticket expired)'}
Jul 13 12:23:31 master.ipa.test systemd[1]: ipa-dnskeysyncd.service: Main process exited, code=exited, status=1/FAILURE
Jul 13 12:23:31 master.ipa.test systemd[1]: ipa-dnskeysyncd.service: Failed with result 'exit-code'.
```

frozencemetery (Contributor Author)

Fixed CI. Thanks for pointing me at the failure.

tiran (Member) commented Jul 17, 2018

You are using augeas to modify krb5 configuration. AFAIK we decided against augeas because augeas cannot handle all edge cases of krb5.conf.

frozencemetery (Contributor Author)

This is how the certauth plugin gets set up. I'm happy to move that as well, if you like. It makes sense to me to put this in a snippet in krb5.conf.d.

Problem is, there's no hook that I can see right now that upgrades clients. Conceptually, these plugins are "server stuff" (though that lives in krb5.conf because not all plugins are server plugins). While I can work around this for the server plugins, it means that the /etc/krb5.conf.d/freeipa file doesn't get updated (which means SPAKE doesn't get enabled on IPA client upgrade).

Suggestions?

@frozencemetery frozencemetery force-pushed the kdcpolicy branch 2 times, most recently from fb34a1b to 04ddf96 on July 20, 2018 20:27
frozencemetery (Contributor Author)

Answering my own question. First commit makes it so that the snippet is re-written on update. Second commit is the kdcpolicy plugin, now using the snippet. Third commit moves the certauth plugin into the snippet by analogy. @tiran, ready for review (assuming it passes CI).

frozencemetery (Contributor Author)

test_forced_client_enrolment appears to be a DNF failure? I guess you already know I have a lot of trouble figuring out what went wrong in the CI. I can't see any logs for test_advise or replica_promotion.

@netoarmando netoarmando added the re-run Trigger a new run of PR-CI label Aug 6, 2018
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Aug 6, 2018
@rcritten rcritten added the re-run Trigger a new run of PR-CI label Aug 16, 2018
@freeipa-pr-ci freeipa-pr-ci removed the re-run Trigger a new run of PR-CI label Aug 16, 2018
certauth = {
module = ipakdb:kdb/ipadb.so
enable_only = ipakdb
}
Contributor:

Isn't ipadb.so only shipped in servers now?

Member:

Yes, ipadb.so is only available in ipa-server package. Please move the snippet to a server specific template.

@@ -1241,10 +1241,12 @@ if [ $1 -gt 1 ] ; then
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
fi

%{python} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
fi
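Review bot: the result of the `%{python} -c '... configure_krb5_snippet()'` call is never checked; both stdout and stderr go to /var/log/ipaupgrade.log and the scriptlet continues regardless, so if rewriting the /etc/krb5.conf.d snippet fails during a package upgrade the old snippet stays in place silently (the very situation the call is meant to fix). Consider testing the exit status and writing an explicit failure line to the same log, in the same way the two unchecked `cp` lines above it would benefit from. Placing it under `if [ $1 -gt 1 ]` correctly limits the rewrite to upgrades.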
Contributor:

We might want/need an ipa-client-upgrade script to do this instead, if at least for other distros (perhaps outside the scope of this PR).

Contributor Author:

That was my thought as well. We'd probably want to include the cert stuff above it if we ever make such a tool.

rcritten (Contributor)

How/where would policy eventually be defined, or is that out-of-scope of this PR?

frozencemetery (Contributor Author)

That's sort of the question I was hoping having code in hand would answer.

I assume configuration of this kind has to live in LDAP? I don't know where though. We also will need an interface to modify it.

rcritten (Contributor)

Right, it's sort of a chicken-and-egg problem I guess, but there seems to be a lack of context around this. It should probably be included as part of some initiative to actually include policy in the server.

This PR would add a bunch of configuration, running code, etc to a new install that effectively is a no-op (hopefully). I just don't know where/how to land this as-is.

@freeipa-pr-ci freeipa-pr-ci added needs rebase Pull Request cannot be automatically merged - needs to be rebased labels Sep 6, 2018
tiran (Member) left a review:

Please address the comment and rebase the PR.


Signed-off-by: Robbie Harwood <rharwood@redhat.com>
frozencemetery (Contributor Author)

Updated and rebased. (Note that it's not technically an issue to have such configuration on the client, but you're right it's cleaner this way.)

tiran (Member) commented Apr 12, 2019

Installation is failing with

2019-04-11T22:37:29Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/krbinstance.py", line 351, in __configure_instance
    self.__template_file(paths.KRB5_FREEIPA_SERVER)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/krbinstance.py", line 321, in __template_file
    conf = ipautil.template_file(template, self.sub_dict)
  File "/usr/lib/python3.7/site-packages/ipapython/ipautil.py", line 318, in template_file
    with open(infilename) as f:
FileNotFoundError: [Errno 2] No such file or directory: '/usr/share/ipa/freeipa-server.template'

@@ -0,0 +1,9 @@
[plugins]
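Review bot: a new file under the template directory is not installed on its own; the hunk header shows nine new lines but no matching change to Makefile.am or freeipa.spec.in appears in the visible diff, so the build will not ship this file. The FileNotFoundError for /usr/share/ipa/freeipa-server.template reported in the Apr 12 comment is consistent with that gap; add the template to the install list in Makefile.am and, if it is packaged separately, to freeipa.spec.in.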
Member:

The build system doesn't pick up new files automatically. You have to add this file to Makefile.am and maybe freeipa.spec.in

@tiran tiran added ipa-next Mark as master (4.13) only needs review Pull Request is waiting for a review and removed needs rebase Pull Request cannot be automatically merged - needs to be rebased labels Apr 12, 2019
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
frozencemetery (Contributor Author)

Closing this to avoid confusion since it's been subsumed by #3358.
