
service delegation: allow to add and remove host principals #4686

Closed

Conversation

abbra (Contributor) commented May 13, 2020

Service delegation rules and targets deal with Kerberos principals.
As FreeIPA has separate service objects for hosts and Kerberos services,
it is not possible to specify a host principal in a service delegation
rule or target because the code assumes it always operates on Kerberos
service objects.

Simplify the code to add and remove members from delegation rules and
targets. The new code looks up the name of the principal in
cn=accounts,$BASEDN as a krbPrincipalName attribute of an object with
the krbPrincipalAux object class. This search path is already optimized
for the Kerberos KDC driver.

To support host principals, the specified principal name is checked to
have only one component (a host name). Service principals have more than
one component, typically a service name and a host name, separated by a
'/' sign. If the principal name has only one component, the name is
prepended with 'host/' to be able to find a host principal.

The logic described above also allows capturing aliases of both
Kerberos service and host principals. An additional check was added to
allow specifying single-component aliases ending with a '$' sign. These
are typically used for Active Directory-related services like databases
or file services.

RN: service delegation rules and targets now allow specifying hosts as
RN: a rule's or a target's member principal.

Fixes: https://pagure.io/freeipa/issue/8289
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

@abbra abbra added the ipa-4-8 Mark for backport to ipa 4.8 label May 13, 2020
@abbra abbra force-pushed the servicedelegation-for-hosts-and-aliases branch 2 times, most recently from 07dc9c7 to 07e8279 Compare May 13, 2020 18:12
@abbra abbra force-pushed the servicedelegation-for-hosts-and-aliases branch from 07e8279 to d84b2b6 Compare May 14, 2020 12:52
Review comment on ipaserver/plugins/servicedelegation.py (outdated diff):

```python
reason=_("Malformed principal: %(error)s") % dict(
error=str(e)))

if len(n.components) == 1 and (n.components[0][-1] != '$'):
```
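Review bot: `n.components[0][-1]` on the last line raises IndexError should the parser ever hand back an empty first component; `not n.components[0].endswith('$')` avoids that and reads as the intent. A one-line comment saying that a trailing `$` marks a Windows-style machine-account alias that must not get `host/` prepended would also spare the next reader a trip to the commit message.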
Member commented:
do you mean if n.is_user and not n.username.endswith("$")?

Also I don't understand what "$" means in this context. Could you add a comment, please?

abbra (Contributor, Author) replied:

Please read the commit message.

abbra (Contributor, Author) replied:

You cannot use #is_user, it makes no sense in the context we have here. You cannot distinguish host names and users by using that method because it only checks that we have a single component.

We don't need to support users in service delegation rules; we have to add support for host principals instead. But since a host principal is not a service (it is a host object), you either accept that the principal has one component (the hostname itself) or do more expensive checks for the existence of the host via LDAP queries. The latter is not really needed.

The only thing that prevents using this logic unconditionally is aliases for Windows-style machine accounts, which consist of the NetBIOS name of a machine with a $ sign appended. There are at least two users of this method: Samba and SQL Server. In case they need delegation (S4U2Proxy is OK for them both, if needed), their service delegation rule has to contain the Kerberos principal alias, not the canonical name (cifs/... or MSSQLSvc/...). In that case we must not prepend host/... to the single-component principal name.
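The normalization rule laid out in the commit message and in the reply above (single component gets `host/` prepended unless it ends in `$`, then the name is looked up as a krbPrincipalName under cn=accounts,$BASEDN), as an added Python example that is not FreeIPA's own code. It assumes a simplified principal parser with no backslash escapes, a constructed in-memory stand-in for the LDAP search with exact string comparison, and an illustrative realm IPA.TEST; the sample entries and all helper names are hypothetical.

```python
"""Added example: normalize a service delegation member principal the way the
pull request describes (single component -> prepend 'host/', unless the
component ends in '$'), then resolve it against a constructed stand-in for the
krbPrincipalName search. Not FreeIPA code; helper names are hypothetical."""

from dataclasses import dataclass
from typing import Dict, List, Optional


class MalformedPrincipal(ValueError):
    """Raised for names this simplified parser cannot accept."""


@dataclass
class Principal:
    components: List[str]
    realm: Optional[str]

    def __str__(self) -> str:
        name = "/".join(self.components)
        return f"{name}@{self.realm}" if self.realm else name


def parse_principal(text: str) -> Principal:
    """Split 'c1/c2@REALM' into components and an optional realm.

    Assumption: a simplified grammar with no backslash escapes. Empty
    components (leading, trailing or doubled '/') and an empty or repeated
    '@' realm are rejected, so callers never see an empty first component.
    """
    name, sep, realm = text.partition("@")
    if sep and (realm == "" or "@" in realm):
        raise MalformedPrincipal(text)
    components = name.split("/")
    if any(c == "" for c in components):
        raise MalformedPrincipal(text)
    return Principal(components, realm or None)


def is_malformed(text: str) -> bool:
    """True when parse_principal() rejects the name."""
    try:
        parse_principal(text)
    except MalformedPrincipal:
        return True
    return False


def normalize_member_principal(text: str, default_realm: str) -> str:
    """Apply the pull request's rule to a user-supplied member name.

    - more than one component: a Kerberos service principal, used as-is
    - one component ending in '$': a Windows-style machine-account alias
      (a Samba or SQL Server NetBIOS name), used as-is so the alias itself,
      not 'host/NAME$', is looked up
    - any other single component: a host name, so 'host/' is prepended
    """
    p = parse_principal(text)
    comps = list(p.components)
    if len(comps) == 1 and not comps[0].endswith("$"):
        comps = ["host"] + comps
    return str(Principal(comps, p.realm or default_realm))


# Constructed stand-in for objects with krbPrincipalAux under
# cn=accounts,$BASEDN: DN -> every krbPrincipalName value (canonical name
# first, aliases after). All entries are invented for this example.
SAMPLE_ACCOUNTS: Dict[str, List[str]] = {
    "fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test": [
        "host/client.ipa.test@IPA.TEST",
    ],
    "krbprincipalname=HTTP/web.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test": [
        "HTTP/web.ipa.test@IPA.TEST",
    ],
    "krbprincipalname=cifs/fs.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test": [
        "cifs/fs.ipa.test@IPA.TEST",
        "FS$@IPA.TEST",  # alias a Windows-style client would present
    ],
}


def find_member_dn(text: str, default_realm: str,
                   accounts: Dict[str, List[str]] = SAMPLE_ACCOUNTS) -> str:
    """Resolve a member name to the DN whose krbPrincipalName matches.

    Assumption: exact string comparison stands in for the LDAP equality
    match. Aliases match as well as canonical names, which is what lets a
    rule reference 'FS$' and still point at the cifs/ service object.
    """
    wanted = normalize_member_principal(text, default_realm)
    for dn, names in accounts.items():
        if wanted in names:
            return dn
    raise LookupError(f"no krbPrincipalName {wanted!r} under cn=accounts")


if __name__ == "__main__":
    for member in ("client.ipa.test", "FS$", "HTTP/web.ipa.test",
                   "host/client.ipa.test@IPA.TEST", "nosuchhost"):
        try:
            print(member, "->", find_member_dn(member, "IPA.TEST"))
        except LookupError as e:
            print(member, "->", e)
```

The `$` branch is the one to get right: dropping it would turn `FS$` into `host/FS$@IPA.TEST`, which no object carries, so a Samba or SQL Server alias could never be placed in a rule or target.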

@abbra abbra force-pushed the servicedelegation-for-hosts-and-aliases branch from d84b2b6 to 3fd6a8b Compare May 14, 2020 14:48
abbra (Contributor, Author) commented May 14, 2020

@tiran I moved the normalization part into a separate helper function and fixed most of the remaining comments. There is no need to move the actual attribute value check into the helper because it differs across the two callers.

@abbra abbra force-pushed the servicedelegation-for-hosts-and-aliases branch from 3fd6a8b to 975ad53 Compare May 14, 2020 15:06
@rcritten rcritten added the ack Pull Request approved, can be merged label May 14, 2020
abbra (Contributor, Author) commented May 14, 2020

master:

  • 1f82d28 service delegation: allow to add and remove host principals

@abbra abbra added the pushed Pull Request has already been pushed label May 14, 2020
@abbra abbra closed this May 14, 2020