[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ We need to find why it breaks though, but yeah I think we can go forward with this patch of others agree. Can you open a separate bug for the failure you got ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298898148 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ I meant my setup was unclean. I will try to reproduce here. Does master w/o this patch work properly against 4.4.4 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298889962 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ I've seen this once but thought it was a fluke due to my "unclean" master, as the following times it did not happen. Can you reproduce the error against 4.4.4 consistently ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298886632 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Turned out my master had some more relaxed permissions I added when developing the feature. I now have added a new function to just check for the host keys without asking for data that cannot be read with the identity we have available. This has been tested and seems to work correctly. Please check @stlaz """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298767350 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From 0e70f02180e2ada8862fbd8d42a42f07a8cabbb9 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/install/custodiainstance.py | 28 +++- ipaserver/secrets/kem.py | 12 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..390576b 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -1,6 +1,6 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants @@ -18,6 +18,7 @@ import os import stat import tempfile +import time import pwd 
@@ -122,6 +123,27 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +deadline = int(time.time()) + timeout +root_logger.info("Waiting up to {} seconds to see our keys " + "appear on host: {}".format(timeout, host)) + +konn = KEMLdap(ldap_uri) +saved_e = None +while True: +try: +return konn.check_host_keys(self.fqdn) +except Exception as e: +# log only once for the same error +if not isinstance(e, type(saved_e)): +root_logger.debug( +"Transient error getting keys: '{err}'".format(err=e)) +saved_e = e +if int(time.time()) > deadline: +raise RuntimeError("Timed out trying to obtain keys.") +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file @@ -129,6 +151,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +self.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index 28fb4d3..c1991c6 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -24,6 +24,7 @@ IPA_REL_BASE_DN = 'cn=custodia,cn=ipa,cn=etc' IPA_KEYS_QUERY = '(&(ipaKeyUsage={usage:s})(memberPrincipal={princ:s}))' +IPA_CHECK_QUERY = '(cn=enc/{host:s})' RFC5280_USAGE_MAP = {KEY_USAGE_SIG: 'digitalSignature', KEY_USAGE_ENC: 'dataEncipherment'} 
@@ -78,6 +79,17 @@ def get_key(self, usage, principal): jwk['use'] = KEY_USAGE_MAP[usage] return json_encode(jwk) +def check_host_keys(self, host): +conn = self.connect() +scope = ldap.SCOPE_SUBTREE + +ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host}) +r = conn.search_s(self.keysbase, scope, ldap_filter) +if len(r) != 1: +raise ValueError("Incorrect number of results (%d) searching for" + "public key for %s" % (len(r), host)) +return True + def _format_public_key(self, key): if isinstance(key, str): jwkey = json_decode(key) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
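Review bot: in the `__wait_keys` hunk, the `raise RuntimeError("Timed out trying to obtain keys.")` at the deadline discards `saved_e`, so after 300 seconds the installer reports a timeout with no trace of the LDAP error that kept failing (it was only ever logged at debug level). Include the last error in the message, e.g. `raise RuntimeError("Timed out trying to obtain keys: %s" % saved_e)`. The `except Exception` also retries failures that waiting cannot fix (an unresolvable host in `ldap_uri`, a refused connection); narrowing it to the errors expected during replication lag, or logging the first occurrence at info rather than debug, would make a misconfiguration visible immediately instead of five minutes later.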
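Review bot: in the `check_host_keys` hunk the two adjacent string literals in the `ValueError` have no separating space, so the message reads "searching forpublic key for ...". Separately, `if len(r) != 1` raises for more than one match as well as for none, and since `__wait_keys` treats every exception as transient, a duplicated `cn=enc/<host>` entry would be retried until the timeout instead of being reported at once; distinguishing `len(r) == 0` (keep waiting) from `len(r) > 1` (fail immediately) keeps the two failure modes apart.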
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Nevermind I finally reproduced """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298750030 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ @stlaz just FYI, I am sking this info because I cannot reproduce locally with a single replica. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298748943 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Can you please attach more of the logs before the failure ? """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-298734189 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746 Title: #746: KDC proxy URI records simo5 commented: """ We can probably defer. """ See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298087667 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746 Title: #746: KDC proxy URI records simo5 commented: """ @MartinBasti In this case we need a way to tell the system what are the priorities and which protocols are enabled, priorities are important too, admins need to be able to change them as they see fit. """ See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298037434 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746 Title: #746: KDC proxy URI records simo5 commented: """ I am not entirely sure we want to care for the cse where an admin disables KDC Proxy in an automatic fashion; otherwise we would also need to check if TCP or UDP are disabled and change that too. FreeIPA as a product enables TCP/UDP and proxy and an admin that wants to change this by manually changing configurations should also take care of manually changing the URI records in DNS I think. Just like they would need to change records in DNS if either TCP or UDP protocols were disabled. However if it is overly simple to detect and update records based on enabled protocols I am not against doing so. """ See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298032999 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#742][+ack] Revert "Store GSSAPI session key in /var/run/ipa"
URL: https://github.com/freeipa/freeipa/pull/742
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"
Label: +ack
[Freeipa-devel] [freeipa PR#743][+ack] [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"
URL: https://github.com/freeipa/freeipa/pull/743
Title: #743: [ipa-4-5] Revert "Store GSSAPI session key in /var/run/ipa"
Label: +ack
[Freeipa-devel] [freeipa PR#742][-ack] Revert "Store GSSAPI session key in /var/run/ipa"
URL: https://github.com/freeipa/freeipa/pull/742
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"
Label: -ack
[Freeipa-devel] [freeipa PR#742][+ack] Revert "Store GSSAPI session key in /var/run/ipa"
URL: https://github.com/freeipa/freeipa/pull/742
Title: #742: Revert "Store GSSAPI session key in /var/run/ipa"
Label: +ack
[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd simo5 commented: """ The current patch moved the key in a place where apache cannot write, resulting in an ephemeral key that is thrown away each time apache is restarted/reloaded. """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297701456 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd simo5 commented: """ As I noted in the ticket: "At most you may want to store it in /var/lib/ipa/somewhere, but we do not want to break sessions (there are people using APIs from non-interactive scripts) just because you needed to restart a service/server quickly. These keys are considered long term keys, and should not be thrown away at each reboot." Let me also add that: 1. the directory needs to be writable by the apache user as the key is created the first time the server is started 2. only the apache user must be able to read this key """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297701218 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#723][reopened] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723
Author: MartinBasti
Title: #723: Store GSSAPI session key in /var/run/httpd
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/723/head:pr723
git checkout pr723
[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723 Title: #723: Store GSSAPI session key in /var/run/httpd simo5 commented: """ This patch is wrong please revert """ See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-297699615 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/738 Title: #738: restore: restart gssproxy after restore simo5 commented: """ will a "systemctl reload gssproxy" do the right thing @frozencemetery ? """ See the full comment at https://github.com/freeipa/freeipa/pull/738#issuecomment-297543414 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/738 Title: #738: restore: restart gssproxy after restore simo5 commented: """ The name of the project is GSS-Proxy, the package name is gssproxy. """ See the full comment at https://github.com/freeipa/freeipa/pull/738#issuecomment-297484796 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From d81c6575847d5b4a772c0ca75736e2408d8fb244 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/install/custodiainstance.py | 31 ++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..5936151 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -1,6 +1,7 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from custodia.message.kem import KEY_USAGE_ENC +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants @@ -18,6 +19,7 @@ import os import stat import tempfile +import time import pwd 
@@ -122,6 +124,29 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +principal = 'host/%s@%s' % (self.fqdn, self.realm) +deadline = int(time.time()) + timeout +root_logger.info("Waiting up to {} seconds to see our keys " + "appear on host: {}".format(timeout, host)) + +konn = KEMLdap(ldap_uri) +saved_e = None +while True: +try: +konn.get_key(KEY_USAGE_ENC, principal) +return +except Exception as e: +# log only once for the same error +if not isinstance(e, type(saved_e)): +root_logger.debug( +"Transient error getting keys: '{err}'".format(err=e)) +saved_e = e +if int(time.time()) > deadline: +raise RuntimeError("Timed out trying to obtain keys.") +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file @@ -129,6 +154,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +self.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
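Review bot: in the `__wait_keys` hunk, polling with `konn.get_key(KEY_USAGE_ENC, principal)` does more than the commit message asks for: it reads the key entry's attributes rather than merely testing that the entry exists. The comment earlier on this page notes that such a read needs permissions the installing identity does not have on a stock master, in which case every iteration fails for a reason that never clears and the loop runs to the 300 s timeout even though the key has long since replicated. A presence-only search for `enc/<fqdn>` is sufficient here. As with the later revision, `raise RuntimeError("Timed out trying to obtain keys.")` also drops `saved_e`, so the operator never learns which error was being retried; include it in the message.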
[Freeipa-devel] [freeipa PR#727][+ack] Regenerate ASN.1 code with asn1c 0.9.28
URL: https://github.com/freeipa/freeipa/pull/727
Title: #727: Regenerate ASN.1 code with asn1c 0.9.28
Label: +ack
[Freeipa-devel] [freeipa PR#709][opened] Fix s4u2self with adtrust
URL: https://github.com/freeipa/freeipa/pull/709 Author: simo5 Title: #709: Fix s4u2self with adtrust Action: opened PR body: """ When ADtrust is installed we add a PAC to all tickets, during protocol transition we need to generate a new PAC for the requested user ticket, not check the existing PAC on the requestor ticket. https://pagure.io/freeipa/issue/6862 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/709/head:pr709 git checkout pr709 From ee2c16a6dfeda15bebd29da73411deb23c7308dd Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 10 Apr 2017 15:32:54 -0400 Subject: [PATCH] Fix s4u2self with adtrust When ADtrust is installed we add a PAC to all tickets, during protocol transition we need to generate a new PAC for the requested user ticket, not check the existing PAC on the requestor ticket. https://pagure.io/freeipa/issue/6862 Signed-off-by: Simo Sorce <s...@redhat.com> --- daemons/ipa-kdb/ipa_kdb_mspac.c | 14 ++ 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index cf1bd5b..00cc19c 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c @@ -2117,6 +2117,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, struct ipadb_context *ipactx; bool with_pac; bool with_pad; +bool make_ad = false; int result; krb5_db_entry *client_entry = NULL; krb5_boolean is_equal; 
@@ -2165,7 +2166,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, "currently not supported."); } -if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) { +/* we need to create a PAC if we are requested one and this is an AS REQ, + * or we are doing protocol transition (s4u2self) */ +if ((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) || +(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) { +make_ad = true; +} + +if (with_pac && make_ad) { /* Be aggressive here: special case for discovering range type * immediately after establishing the trust by IPA framework */ if ((krb5_princ_size(context, ks_client_princ) == 2) && @@ -2188,9 +2196,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, if (kerr != 0 && kerr != ENOENT) { goto done; } -} - -if (!is_as_req && with_pac) { +} else if (with_pac && !is_as_req) { /* find the existing PAC, if present */ kerr = krb5_find_authdata(context, tgt_auth_data, NULL, KRB5_AUTHDATA_WIN2K_PAC, _auth_data); -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
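Review bot: in the second hunk, setting `make_ad` for any request carrying `KRB5_KDB_FLAG_PROTOCOL_TRANSITION` means the `else if (with_pac && !is_as_req)` path that locates the existing PAC in `tgt_auth_data` is no longer taken for S4U2Self, so the requesting service's own PAC is not inspected on that path any more. The diff does not show which principal entry the newly generated PAC is built from; please state in the commit message (or in the comment above the `make_ad` assignment) that the generation that follows uses the impersonated client's entry and not the requestor's, and add a test exercising S4U2Self with adtrust installed, since this change decides whose authorization data ends up in the resulting service ticket.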
[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From 5d9103248e510a3c64314fe59284a8420a6f3a67 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/install/custodiainstance.py | 25 - 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..d60276a 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -1,6 +1,7 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from custodia.message.kem import KEY_USAGE_ENC +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants @@ -18,6 +19,7 @@ import os import stat import tempfile +import time import pwd 
@@ -122,6 +124,23 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +principal = 'host/%s@%s' % (self.fqdn, self.realm) +deadline = int(time.time()) + timeout +root_logger.info("Waiting up to {} seconds to see our keys " + "appear on host: {}".format(timeout, host)) + +konn = KEMLdap(ldap_uri) +while True: +try: +konn.get_key(KEY_USAGE_ENC, principal) +return +except Exception: +if int(time.time()) > deadline: +raise +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file @@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +self.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
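Review bot: in the `__wait_keys` hunk, `except Exception:` retries every failure, including ones that waiting cannot fix (an unresolvable host in `ldap_uri`, a refused connection, a permission error from `get_key`), and nothing is logged between the initial "Waiting up to ..." line and the final bare `raise`, so an operator watching the install sees a pause of up to five minutes with no indication of what is being retried. Log the exception at debug level when it is first seen, and consider narrowing the caught types to the LDAP errors expected while replication catches up.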
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ Nevermind they are not duplicates. I'll fix the commit message. """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-291557263 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From 23202d83b965df7d0a879ecde02b706beb6f90cc Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/install/custodiainstance.py | 25 - 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..d60276a 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -1,6 +1,7 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from custodia.message.kem import KEY_USAGE_ENC +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants @@ -18,6 +19,7 @@ import os import stat import tempfile +import time import pwd 
@@ -122,6 +124,23 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +principal = 'host/%s@%s' % (self.fqdn, self.realm) +deadline = int(time.time()) + timeout +root_logger.info("Waiting up to {} seconds to see our keys " + "appear on host: {}".format(timeout, host)) + +konn = KEMLdap(ldap_uri) +while True: +try: +konn.get_key(KEY_USAGE_ENC, principal) +return +except Exception: +if int(time.time()) > deadline: +raise +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file @@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +self.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
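Review bot: the `Fixes:` trailer in this revision points at https://pagure.io/freeipa/issue/6688, while the later revision of the same patch on this page cites issue 6838 and the comment above says the commit message will be corrected; make sure the trailer references the right ticket before this is merged, since the reference is what links the fix to the bug for anyone tracing it later. The `__wait_keys` and `__get_keys` hunks are byte-for-byte the same as in the 5d91032 revision, so the comment there about the silent `except Exception:` loop applies here unchanged.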
[Freeipa-devel] [freeipa PR#679][opened] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: opened PR body: """ In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce <s...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From f51e478fb79cda153a6d0483369f0159088423fb Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/install/custodiainstance.py | 27 +-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..4d6e7ba 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py 
@@ -1,15 +1,17 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from custodia.message.kem import KEY_USAGE_ENC +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants from ipaserver.install.service import SimpleServiceInstance -from ipapython import ipautil +from ipapython import ipautil, ipaldap from ipapython.ipa_log_manager import root_logger from ipapython.certdb import NSSDatabase from ipaserver.install import installutils from ipaserver.install import ldapupdate +from ipaserver.install import replication from ipaserver.install import sysupgrade from base64 import b64decode from jwcrypto.common import json_decode @@ -18,6 +20,7 @@ import os import stat import tempfile +import time import pwd @@ -122,6 +125,22 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +principal = 'host/%s@%s' % (self.fqdn, self.realm) +deadline = int(time.time()) + timeout + +result = None +konn = KEMLdap(ldap_uri) +while True: +try: +konn.get_key(KEY_USAGE_ENC, principal) +return +except Exception as e: +if int(time.time()) > deadline: +raise e +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file 
@@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +sel.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
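Review bot: in the `__wait_keys` hunk, `except Exception as e` retries on every error, so a refused connection or an ACI that lets the host principal bind but not read its own key entry looks exactly like "not replicated yet" and only surfaces after the full 300 s timeout; on Python 2, `raise e` also replaces the original traceback with the re-raise site, where a bare `raise` would keep it. Suggest catching only the exception `KEMLdap.get_key` raises for a missing entry, re-raising with bare `raise`, and logging once when the wait starts so an operator watching a stalled replica install knows what is being polled. `result = None` is assigned but never read.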
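Review bot: `sel.__wait_keys(ca_host)` in the `__get_keys` hunk is a typo for `self.__wait_keys(ca_host)`; `sel` is not defined, so the first call into `__get_keys` raises NameError before any key is fetched and the new wait is never exercised. The name-mangled `self.__wait_keys` itself is fine, since the call site is inside the same class as the existing `self.__CustodiaClient`.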
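Review bot: the import hunk adds `ipaldap` and `replication`, but nothing in the rest of the patch uses either; drop them before the linters flag them. `time` is the only new import the `__wait_keys` hunk actually needs.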
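The replication wait the PR description calls for, as an added example that is not FreeIPA code: a poll-with-deadline that retries only while the entry is absent and lets any other error through immediately, run against a constructed replica with simulated replication lag. `KEMLdap` and the LDAP protocol are replaced by an injectable lookup callable, and the clock is injected so the deadline logic runs instantly offline.

```python
import time


class KeyNotReplicated(Exception):
    """The directory answered, but the entry we want is not there yet."""


class ReplicationTimeout(Exception):
    """The key did not show up before the deadline."""


def wait_for_key(lookup, principal, usage="enc", timeout=300, interval=1.0,
                 clock=time.monotonic, sleep=time.sleep):
    """Poll lookup(usage, principal) until it returns a key.

    Only KeyNotReplicated is retried. Anything else (connection refused,
    permission denied, a bug in the lookup) propagates at once with its
    original traceback instead of being masked for `timeout` seconds.
    Returns (key, number_of_attempts).
    """
    deadline = clock() + timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            return lookup(usage, principal), attempts
        except KeyNotReplicated:
            if clock() >= deadline:
                raise ReplicationTimeout(
                    "%s key for %s not replicated after %d attempts"
                    % (usage, principal, attempts))
            sleep(interval)


class FakeClock:
    """Constructed clock: sleeping advances time, nothing actually waits."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeReplica:
    """Constructed stand-in for a remote LDAP server with replication lag.

    keys maps (usage, principal) -> (time the entry becomes visible, value).
    readable=False models an ACI that lets us bind but not read the entry.
    """

    def __init__(self, clock, keys, readable=True):
        self.clock = clock
        self.keys = keys
        self.readable = readable

    def get_key(self, usage, principal):
        if not self.readable:
            raise PermissionError("insufficient access to read %s" % principal)
        try:
            visible_at, value = self.keys[(usage, principal)]
        except KeyError:
            raise KeyNotReplicated(principal) from None
        if self.clock() < visible_at:
            raise KeyNotReplicated(principal)
        return value


PRINCIPAL = "host/replica2.example.test@EXAMPLE.TEST"  # constructed name


def run_scenarios():
    """Lag shorter than the deadline, lag longer than the deadline, and an
    error that must not be retried. Returns a dict for inspection/testing."""
    out = {}

    # 1. The key becomes visible 3 s in; we see it on the fourth attempt.
    clock = FakeClock()
    replica = FakeReplica(clock, {("enc", PRINCIPAL): (3.0, b"pubkey-jwk")})
    out["replicated"] = wait_for_key(replica.get_key, PRINCIPAL, timeout=10,
                                     clock=clock, sleep=clock.sleep)

    # 2. The key never arrives; we give up exactly at the deadline.
    clock = FakeClock()
    replica = FakeReplica(clock, {})
    try:
        wait_for_key(replica.get_key, PRINCIPAL, timeout=5,
                     clock=clock, sleep=clock.sleep)
    except ReplicationTimeout as e:
        out["timeout"] = (type(e).__name__, clock.now)

    # 3. A permission problem is not "not replicated yet": fail immediately.
    clock = FakeClock()
    replica = FakeReplica(clock, {("enc", PRINCIPAL): (0.0, b"pubkey-jwk")},
                          readable=False)
    try:
        wait_for_key(replica.get_key, PRINCIPAL, timeout=300,
                     clock=clock, sleep=clock.sleep)
    except PermissionError:
        out["not_retried"] = clock.now  # still 0.0: no sleep happened
    return out


if __name__ == "__main__":
    print(run_scenarios())
```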
[Freeipa-devel] [freeipa PR#679][comment] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Title: #679: Make sure remote hosts have our keys simo5 commented: """ I haven't tested this yet ... but what could possibily go wrong? :-) """ See the full comment at https://github.com/freeipa/freeipa/pull/679#issuecomment-290762100 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From f2835bfcef51e10f05aa1f699e0a79206c55e554 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/install/custodiainstance.py | 29 +++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..f560172 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py 
@@ -1,15 +1,17 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from custodia.message.kem import KEY_USAGE_ENC +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants from ipaserver.install.service import SimpleServiceInstance -from ipapython import ipautil +from ipapython import ipautil, ipaldap from ipapython.ipa_log_manager import root_logger from ipapython.certdb import NSSDatabase from ipaserver.install import installutils from ipaserver.install import ldapupdate +from ipaserver.install import replication from ipaserver.install import sysupgrade from base64 import b64decode from jwcrypto.common import json_decode @@ -18,6 +20,7 @@ import os import stat import tempfile +import time import pwd @@ -122,6 +125,24 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +principal = 'host/%s@%s' % (self.fqdn, self.realm) +deadline = int(time.time()) + timeout +root_logger.info("Waiting up to {} seconds to see our keys " + "appear on host: {}".format(timeout, host)) + +result = None +konn = KEMLdap(ldap_uri) +while True: +try: +konn.get_key(KEY_USAGE_ENC, principal) +return +except Exception: +if int(time.time()) > deadline: +raise +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file 
@@ -129,6 +150,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +sel.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
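Review bot: the `__wait_keys` hunk in this revision logs the timeout and host before polling and re-raises with bare `raise`, both improvements over the first version, but `except Exception` still retries on connection and permission errors for the whole timeout, so a misconfigured ACI is only reported five minutes later; narrow it to the not-found case. `result = None` is still assigned and never used.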
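Review bot: `sel.__wait_keys(ca_host)` in the `__get_keys` hunk still reads `sel` instead of `self`, so this revision still raises NameError on the first `__get_keys` call and the wait is never reached.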
[Freeipa-devel] [freeipa PR#679][synchronized] Make sure remote hosts have our keys
URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679 From cefe3dfb81d0a78072fa03c14e6265c261bae162 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/install/custodiainstance.py | 28 ++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..38035b4 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py 
@@ -1,15 +1,17 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from custodia.message.kem import KEY_USAGE_ENC +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants from ipaserver.install.service import SimpleServiceInstance -from ipapython import ipautil +from ipapython import ipautil, ipaldap from ipapython.ipa_log_manager import root_logger from ipapython.certdb import NSSDatabase from ipaserver.install import installutils from ipaserver.install import ldapupdate +from ipaserver.install import replication from ipaserver.install import sysupgrade from base64 import b64decode from jwcrypto.common import json_decode @@ -18,6 +20,7 @@ import os import stat import tempfile +import time import pwd @@ -122,6 +125,23 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') +def __wait_keys(self, host, timeout=300): +ldap_uri = 'ldap://%s' % host +principal = 'host/%s@%s' % (self.fqdn, self.realm) +deadline = int(time.time()) + timeout +root_logger.info("Waiting to see our keys appear on %s".format(host)) + +result = None +konn = KEMLdap(ldap_uri) +while True: +try: +konn.get_key(KEY_USAGE_ENC, principal) +return +except Exception: +if int(time.time()) > deadline: +raise +time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file 
@@ -129,6 +149,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] +# Before we attempt to fetch keys from this host, make sure our public +# keys have been replicated there. +sel.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
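Review bot: in the `__wait_keys` hunk, `"Waiting to see our keys appear on %s".format(host)` mixes a %-style placeholder with `str.format`, so the log line goes out with a literal `%s` and never names the host; use `% host` or a `{}` placeholder. The broad `except Exception` and the unused `result = None` carry over from the earlier revision.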
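Review bot: `sel.__wait_keys(ca_host)` in the `__get_keys` hunk is still `sel`, not `self`; this NameError has survived every revision so far, which suggests the code path has not been run end to end yet.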
[Freeipa-devel] [freeipa PR#664][opened] Backport of client session storage patches
URL: https://github.com/freeipa/freeipa/pull/664 Author: simo5 Title: #664: Backport of client session storage patches Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/664/head:pr664 git checkout pr664 From 00457bdbb587aee442768582b24e5b29dfdafa10 Mon Sep 17 00:00:00 2001 From: Christian Heimes <chei...@redhat.com> Date: Tue, 14 Mar 2017 18:20:13 +0100 Subject: [PATCH 1/5] Python 3: Fix session storage ctypes can only handle bytes, not text. Encode and decode all incoming and outgoing text from UTF-8 to bytes. Signed-off-by: Christian Heimes <chei...@redhat.com> Reviewed-By: Simo Sorce <sso...@redhat.com> --- ipapython/session_storage.py | 19 ++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index 7fe17fb..bcf0947 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -104,6 +104,13 @@ def store_data(princ_name, key, value): """ Stores the session cookie in a hidden ccache entry. """ +if not isinstance(princ_name, bytes): +princ_name = princ_name.encode('utf-8') +if not isinstance(key, bytes): +key = key.encode('ascii') +if not isinstance(value, bytes): +value = value.encode('utf-8') + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() @@ -136,6 +143,11 @@ def get_data(princ_name, key): """ Gets the session cookie in a hidden ccache entry. """ +if not isinstance(princ_name, bytes): +princ_name = princ_name.encode('utf-8') +if not isinstance(key, bytes): +key = key.encode('utf-8') + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() @@ -152,7 +164,7 @@ def get_data(princ_name, key): krb5_cc_get_config(context, ccache, principal, key, ctypes.byref(data)) -return str(data.data) +return data.data.decode('utf-8') finally: if principal: 
@@ -169,6 +181,11 @@ def remove_data(princ_name, key): """ Removes the hidden ccache entry with the session cookie. """ +if not isinstance(princ_name, bytes): +princ_name = princ_name.encode('utf-8') +if not isinstance(key, bytes): +key = key.encode('utf-8') + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() From 6a456dd40c861cdc37359f67e24ef9bc3dfea053 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:25:38 -0400 Subject: [PATCH 2/5] Avoid growing FILE ccaches unnecessarily Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/session_storage.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index bcf0947..f208827 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -111,6 +111,12 @@ def store_data(princ_name, key, value): if not isinstance(value, bytes): value = value.encode('utf-8') +# FILE ccaches grow every time an entry is stored, so we need +# to avoid storing the same entry multiple times. +oldvalue = get_data(princ_name, key) +if oldvalue == value: +return + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() From afb87ae3b7e08e42f4bd2399f48a0f2c45012cb2 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:38:22 -0400 Subject: [PATCH 3/5] Handle failed authentication via cookie If cookie authentication fails and we get back a 401 see if we tried a SPNEGO auth by checking if we had a GSSAPI context. If not it means our session cookie was invalid or expired or some other error happened on the server that requires us to try a full SPNEGO handshake, so go ahead and try it. Fixes https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 52 1 file changed, 32 insertions(+), 20 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 303b22a..f597ce0 100644 
--- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None): else: raise errors.KerberosError(message=unicode(e)) -def get_host_info(self, host): +def _get_host(self): +return self._connection[0] + +def _remove_extra_header(self, name): +for (h, v) in self._extra_headers: +if h == name: +self._extra_headers.remove((h, v)) +break + +def get_auth_info(self, use_cooki
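Review bot: in patch 1/5, the `store_data` hunk encodes `key` with `'ascii'` while the `get_data` and `remove_data` hunks encode it with `'utf-8'`; for ASCII keys the bytes are identical, but a non-ASCII key would be rejected on store and accepted on lookup and removal. Use one codec in all three places. Note also that `get_data` now returns `data.data.decode('utf-8')`, i.e. text rather than bytes, which matters for the comparison the next patch adds.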
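Review bot: in patch 2/5, the dedup check `oldvalue = get_data(princ_name, key); if oldvalue == value: return` compares the decoded text `get_data` returns against `value`, which the lines just above encoded to bytes; on Python 3 `str == bytes` is always False, so the early return never fires and the FILE ccache keeps growing, which is the very thing the patch is meant to stop. Compare before encoding `value` (or decode `oldvalue`), and check what `get_data` does when no entry exists yet, since an error raised there would break the first store for a principal.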
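Review bot: in patch 3/5, `_get_host` returns `self._connection[0]`, which only holds a host once the transport has opened a connection, so any caller that reaches `get_auth_info` before the first request gets None back. The remainder of this hunk is cut off in the archive, so the 401 handling the commit message describes cannot be reviewed from what is shown here.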
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ Should I make a new PR for 4.5 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289761195 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:25:38 -0400 Subject: [PATCH 1/4] Avoid growing FILE ccaches unnecessarily Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/session_storage.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index bcf0947..f208827 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -111,6 +111,12 @@ def store_data(princ_name, key, value): if not isinstance(value, bytes): value = value.encode('utf-8') +# FILE ccaches grow every time an entry is stored, so we need +# to avoid storing the same entry multiple times. +oldvalue = get_data(princ_name, key) +if oldvalue == value: +return + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:38:22 -0400 Subject: [PATCH 2/4] Handle failed authentication via cookie If cookie authentication fails and we get back a 401 see if we tried a SPNEGO auth by checking if we had a GSSAPI context. If not it means our session cookie was invalid or expired or some other error happened on the server that requires us to try a full SPNEGO handshake, so go ahead and try it. Fixes https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 52 1 file changed, 32 insertions(+), 20 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 303b22a..f597ce0 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None): else: raise errors.KerberosError(message=unicode(e)) -def get_host_info(self, host): +def _get_host(self): +return self._connection[0] + +def _remove_extra_header(self, name): +for (h, v) in self._extra_headers: +if h == name: +self._extra_headers.remove((h, v)) +break + +def get_auth_info(self, use_cookie=True): """ Two things can happen here. If we have a session we will add a cookie for that. If not we will set an Authorization header. """ -(host, extra_headers, x509) = SSLTransport.get_host_info(self, host) - -if not isinstance(extra_headers, list): -extra_headers = [] +if not isinstance(self._extra_headers, list): +self._extra_headers = [] -session_cookie = getattr(context, 'session_cookie', None) -if session_cookie: -extra_headers.append(('Cookie', session_cookie)) -return (host, extra_headers, x509) +# Remove any existing Cookie first +self._remove_extra_header('Cookie') +if use_cookie: +session_cookie = getattr(context, 'session_cookie', None) +if session_cookie: +self._extra_headers.append(('Cookie', session_cookie)) +return # Set the remote host principal +host = self._get_host() service = self.service + "@" + host.split(':')[0] try: @@ -616,18 +627,14 @@ def get_host_info(self, host): except gssapi.exceptions.GSSError as e: self._handle_exception(e, service=service) -self._set_auth_header(extra_headers, response) - -return (host, extra_headers, x509) +self._set_auth_header(response) -def _set_auth_header(self, extra_headers, token): -for (h, v) in extra_headers: -if h == 'Authorization': -extra_headers.remove((h, v)) -break +def _set_auth_header(self, token): +# Remove any existing authorization header first +self._remove_extra_header('Authorization') if token: -extra_headers.append( +self._extra_headers.append( ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii')) ) 
@@ -651,18 +658,23 @@ def _auth_complete(self, response): if self._sec_context.complete: self._sec_context = None return True -self._set_auth_header(self._extra_headers, token) +self._set_auth_header(token) +return False +elif response.status == 401: +self.get_auth_info(
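Review bot: in patch 1/4, the `store_data` hunk compares `oldvalue = get_data(princ_name, key)` with `value` right after `value` has been encoded to bytes; if `get_data` returns decoded text, as it does after the Python 3 session storage fix, the comparison is `str == bytes` and is always False on Python 3, so the guard against growing FILE ccaches never triggers. Do the comparison on the un-encoded value, or decode `oldvalue` first, and confirm `get_data` does not raise when the entry is absent.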
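Review bot: in the `get_auth_info` hunk, the cookie path removes a stale `Cookie` header and returns, but a stale `Authorization` header left over from an earlier SPNEGO round is only removed inside `_set_auth_header`, which that path skips, so once a session is established the client can send both headers on the same request. Add `self._remove_extra_header('Authorization')` next to the Cookie removal. Separately, `_get_host` returns `self._connection[0]`, which is only populated once a connection exists, and the following `host.split(':')[0]` will fail on None if `get_auth_info` runs before the first request; either guard it or document the required call order.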
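Review bot: in the `_auth_complete` hunk, the new `elif response.status == 401:` branch calls `get_auth_info(` but the rest of the hunk is truncated in this archive, so the "did we already have a GSSAPI context" check described in the commit message cannot be verified here; the visible change to `self._set_auth_header(token)` simply follows the new signature.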
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ I should have addressed all comments. I did not comment on krb5_principal_compare() because I think that is obvious and the function definition also does not define an errcheck argument for it so it should be clear enough. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289060068 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:25:38 -0400 Subject: [PATCH 1/4] Avoid growing FILE ccaches unnecessarily Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/session_storage.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index bcf0947..f208827 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -111,6 +111,12 @@ def store_data(princ_name, key, value): if not isinstance(value, bytes): value = value.encode('utf-8') +# FILE ccaches grow every time an entry is stored, so we need +# to avoid storing the same entry multiple times. +oldvalue = get_data(princ_name, key) +if oldvalue == value: +return + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:38:22 -0400 Subject: [PATCH 2/4] Handle failed authentication via cookie If cookie authentication fails and we get back a 401 see if we tried a SPNEGO auth by checking if we had a GSSAPI context. If not it means our session cookie was invalid or expired or some other error happened on the server that requires us to try a full SPNEGO handshake, so go ahead and try it. Fixes https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 52 1 file changed, 32 insertions(+), 20 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 303b22a..f597ce0 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None): else: raise errors.KerberosError(message=unicode(e)) -def get_host_info(self, host): +def _get_host(self): +return self._connection[0] + +def _remove_extra_header(self, name): +for (h, v) in self._extra_headers: +if h == name: +self._extra_headers.remove((h, v)) +break + +def get_auth_info(self, use_cookie=True): """ Two things can happen here. If we have a session we will add a cookie for that. If not we will set an Authorization header. """ -(host, extra_headers, x509) = SSLTransport.get_host_info(self, host) - -if not isinstance(extra_headers, list): -extra_headers = [] +if not isinstance(self._extra_headers, list): +self._extra_headers = [] -session_cookie = getattr(context, 'session_cookie', None) -if session_cookie: -extra_headers.append(('Cookie', session_cookie)) -return (host, extra_headers, x509) +# Remove any existing Cookie first +self._remove_extra_header('Cookie') +if use_cookie: +session_cookie = getattr(context, 'session_cookie', None) +if session_cookie: +self._extra_headers.append(('Cookie', session_cookie)) +return # Set the remote host principal +host = self._get_host() service = self.service + "@" + host.split(':')[0] try: @@ -616,18 +627,14 @@ def get_host_info(self, host): except gssapi.exceptions.GSSError as e: self._handle_exception(e, service=service) -self._set_auth_header(extra_headers, response) - -return (host, extra_headers, x509) +self._set_auth_header(response) -def _set_auth_header(self, extra_headers, token): -for (h, v) in extra_headers: -if h == 'Authorization': -extra_headers.remove((h, v)) -break +def _set_auth_header(self, token): +# Remove any existing authorization header first +self._remove_extra_header('Authorization') if token: -extra_headers.append( +self._extra_headers.append( ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii')) ) 
@@ -651,18 +658,23 @@ def _auth_complete(self, response): if self._sec_context.complete: self._sec_context = None return True -self._set_auth_header(self._extra_headers, token) +self._set_auth_header(token) +return False +elif response.status == 401: +self.get_auth_info(
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ Thank you @tiran @abbra all very good comments, I'll address soon all of them """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-289014748 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ I aded a 4th patch to address the FILE ccache growth issue. It is a bit unorthodox but it works. Please review carefully and let me know if you are ok with this """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-21336 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][synchronized] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:25:38 -0400 Subject: [PATCH 1/4] Avoid growing FILE ccaches unnecessarily Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/session_storage.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index bcf0947..f208827 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -111,6 +111,12 @@ def store_data(princ_name, key, value): if not isinstance(value, bytes): value = value.encode('utf-8') +# FILE ccaches grow every time an entry is stored, so we need +# to avoid storing the same entry multiple times. +oldvalue = get_data(princ_name, key) +if oldvalue == value: +return + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:38:22 -0400 Subject: [PATCH 2/4] Handle failed authentication via cookie If cookie authentication fails and we get back a 401 see if we tried a SPNEGO auth by checking if we had a GSSAPI context. If not it means our session cookie was invalid or expired or some other error happened on the server that requires us to try a full SPNEGO handshake, so go ahead and try it. Fixes https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 52 1 file changed, 32 insertions(+), 20 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 303b22a..f597ce0 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py 
@@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None): else: raise errors.KerberosError(message=unicode(e)) -def get_host_info(self, host): +def _get_host(self): +return self._connection[0] + +def _remove_extra_header(self, name): +for (h, v) in self._extra_headers: +if h == name: +self._extra_headers.remove((h, v)) +break + +def get_auth_info(self, use_cookie=True): """ Two things can happen here. If we have a session we will add a cookie for that. If not we will set an Authorization header. """ -(host, extra_headers, x509) = SSLTransport.get_host_info(self, host) - -if not isinstance(extra_headers, list): -extra_headers = [] +if not isinstance(self._extra_headers, list): +self._extra_headers = [] -session_cookie = getattr(context, 'session_cookie', None) -if session_cookie: -extra_headers.append(('Cookie', session_cookie)) -return (host, extra_headers, x509) +# Remove any existing Cookie first +self._remove_extra_header('Cookie') +if use_cookie: +session_cookie = getattr(context, 'session_cookie', None) +if session_cookie: +self._extra_headers.append(('Cookie', session_cookie)) +return # Set the remote host principal +host = self._get_host() service = self.service + "@" + host.split(':')[0] try: @@ -616,18 +627,14 @@ def get_host_info(self, host): except gssapi.exceptions.GSSError as e: self._handle_exception(e, service=service) -self._set_auth_header(extra_headers, response) - -return (host, extra_headers, x509) +self._set_auth_header(response) -def _set_auth_header(self, extra_headers, token): -for (h, v) in extra_headers: -if h == 'Authorization': -extra_headers.remove((h, v)) -break +def _set_auth_header(self, token): +# Remove any existing authorization header first +self._remove_extra_header('Authorization') if token: -extra_headers.append( +self._extra_headers.append( ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii')) ) 
@@ -651,18 +658,23 @@ def _auth_complete(self, response): if self._sec_context.complete: self._sec_context = None return True -self._set_auth_header(self._extra_headers, token) +self._set_auth_header(token) +return False +elif response.status == 401: +self.get_auth_info(
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ The FILE ccache is still growing because we keep getting updated cookies (where the only thing that changes is the expiration date. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288859035 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches
URL: https://github.com/freeipa/freeipa/pull/638 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches simo5 commented: """ This PR has been obsoleted by #649 """ See the full comment at https://github.com/freeipa/freeipa/pull/638#issuecomment-288850585 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#638][closed] ipalib/rpc.py: Fix session handling for KEYRING: ccaches
URL: https://github.com/freeipa/freeipa/pull/638 Author: abbra Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/638/head:pr638 git checkout pr638
[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes simo5 commented: """ Note I am still running tests, but I think the patchset is good for review already. """ See the full comment at https://github.com/freeipa/freeipa/pull/649#issuecomment-288850417 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#649][opened] Session cookie storage and handling fixes
URL: https://github.com/freeipa/freeipa/pull/649 Author: simo5 Title: #649: Session cookie storage and handling fixes Action: opened PR body: """ This patchset improves the behavior of the client in various ways. - Avoids unbounded growth of FILE ccaches - Fix regression with session cookies updates not being retrievable with FILE caches - Fix client authentication to better handle servers that may decide our cookie is not good anymore """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/649/head:pr649 git checkout pr649 From 9fd0b4ce68daac2edbc38ccc743d4b7c1fafdf9d Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:25:38 -0400 Subject: [PATCH 1/3] Avoid growing FILE ccaches unnecessarily Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/session_storage.py | 6 ++ 1 file changed, 6 insertions(+) diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py index bcf0947..f208827 100644 --- a/ipapython/session_storage.py +++ b/ipapython/session_storage.py @@ -111,6 +111,12 @@ def store_data(princ_name, key, value): if not isinstance(value, bytes): value = value.encode('utf-8') +# FILE ccaches grow every time an entry is stored, so we need +# to avoid storing the same entry multiple times. +oldvalue = get_data(princ_name, key) +if oldvalue == value: +return + context = krb5_context() principal = krb5_principal() ccache = krb5_ccache() From 7653192d67de8d6b19259ece49f6c1d31f788665 Mon Sep 17 00:00:00 2001 
From: Simo Sorce <s...@redhat.com> Date: Wed, 22 Mar 2017 18:38:22 -0400 Subject: [PATCH 2/3] Handle failed authentication via cookie If cookie authentication fails and we get back a 401 see if we tried a SPNEGO auth by checking if we had a GSSAPI context. If not it means our session cookie was invalid or expired or some other error happened on the server that requires us to try a full SPNEGO handshake, so go ahead and try it. Fixes https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 52 1 file changed, 32 insertions(+), 20 deletions(-) diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 303b22a..f597ce0 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -586,22 +586,33 @@ def _handle_exception(self, e, service=None): else: raise errors.KerberosError(message=unicode(e)) -def get_host_info(self, host): +def _get_host(self): +return self._connection[0] + +def _remove_extra_header(self, name): +for (h, v) in self._extra_headers: +if h == name: +self._extra_headers.remove((h, v)) +break + +def get_auth_info(self, use_cookie=True): """ Two things can happen here. If we have a session we will add a cookie for that. If not we will set an Authorization header. """ -(host, extra_headers, x509) = SSLTransport.get_host_info(self, host) - -if not isinstance(extra_headers, list): -extra_headers = [] +if not isinstance(self._extra_headers, list): +self._extra_headers = [] -session_cookie = getattr(context, 'session_cookie', None) -if session_cookie: -extra_headers.append(('Cookie', session_cookie)) -return (host, extra_headers, x509) +# Remove any existing Cookie first +self._remove_extra_header('Cookie') +if use_cookie: +session_cookie = getattr(context, 'session_cookie', None) +if session_cookie: +self._extra_headers.append(('Cookie', session_cookie)) +return # Set the remote host principal +host = self._get_host() service = self.service + "@" + host.split(':')[0] try: 
@@ -616,18 +627,14 @@ def get_host_info(self, host): except gssapi.exceptions.GSSError as e: self._handle_exception(e, service=service) -self._set_auth_header(extra_headers, response) - -return (host, extra_headers, x509) +self._set_auth_header(response) -def _set_auth_header(self, extra_headers, token): -for (h, v) in extra_headers: -if h == 'Authorization': -extra_headers.remove((h, v)) -break +def _set_auth_header(self, token): +# Remove any existing authorization header first +self._remove_extra_header('Authorization') if token: -extra_headers.append( +self._extra_headers.append( ('Authorization', 'negotiate %s' % base64.b64encode(token).decode('ascii')) ) @@ -651,18 +658,23 @@ def _au
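Review bot: In the store_data hunk of ipapython/session_storage.py, the new `oldvalue = get_data(princ_name, key)` call is unguarded; if get_data raises when no entry exists yet for that principal and key (the KRB5Error path of this module), the very first store would fail instead of writing. Suggest treating that case as "no previous value", for example `try: oldvalue = get_data(princ_name, key)` / `except KRB5Error: oldvalue = None`, and confirming get_data returns bytes so the comparison with the freshly encoded `value` is meaningful rather than always false.

Review bot: In the get_auth_info hunk of ipalib/rpc.py, the early `return` on the cookie path removes a stale Cookie header but leaves any Authorization header from a previous SPNEGO round in `self._extra_headers`, which now persists across calls (the old code rebuilt `extra_headers` from SSLTransport.get_host_info on every request). A cookie request can therefore also carry an old negotiate token. Suggest calling `self._remove_extra_header('Authorization')` before appending the cookie so each request carries exactly one of the two credentials. `_remove_extra_header` mutates the list it iterates over; the immediate `break` keeps that safe, but a one-line comment saying so would help the next reader.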
[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches
URL: https://github.com/freeipa/freeipa/pull/638 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches simo5 commented: """ One way to deal with this in the FILE case is to copy the ccache to a tmp file and then rename to the original one. There is a risk of racing and removing a new ticket, but it is low. Luckily this problem should be solved once we have KCM caches ... """ See the full comment at https://github.com/freeipa/freeipa/pull/638#issuecomment-288406237
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From 2b309c896728f188959c022635ff131347e2f266 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH] Add options to allow ticket caching With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6771 Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
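Review bot: In the first hunk of install/share/gssproxy.conf.template (the `euid = $HTTPD_USER` service), `allow_client_ccache_sync = true` is added unconditionally, while the commit message says the option only lands in gssproxy 0.7 and needs krb5 1.15.1 to take effect. The spec file requirement on gssproxy should be bumped in the same change so the template never ships against a gssproxy that does not know the option; the PR#511 discussion in this thread already asks for gssproxy >= 0.7.0.

Review bot: In the second hunk (the `euid = $IPAAPI_USER` service, `cred_usage = initiate`), the same option is enabled with no explanation in the template itself. A one-line comment above each `allow_client_ccache_sync` line stating why it is needed (LDAP ticket caching for the framework) and which gssproxy version introduced it would keep that dependency visible to whoever edits the template next.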
[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching simo5 commented: """ @MartinBasti can we push this ? It makes a big difference in framework performance and load on the KDC """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-287024418
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From d2c6121af9b4b366d0ff954a59f9a4917c634fc8 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH] Add options to allow ticket caching With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6656 Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
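Review bot: In the first hunk of install/share/gssproxy.conf.template, the Ticket line of this push points at https://pagure.io/freeipa/issue/6656 while another push of the same PR in this thread references issue 6771; please settle on the right ticket before merge so the commit can be traced. The option itself is added unconditionally even though the commit message says it only lands in gssproxy 0.7, so the spec file requirement should move with it.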
[Freeipa-devel] [freeipa PR#594][+ack] Fix Python 3 pylint errors
URL: https://github.com/freeipa/freeipa/pull/594 Title: #594: Fix Python 3 pylint errors Label: +ack
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From 9a89d1d279403190b3273cba25204a9e4af564c5 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH] Add options to allow ticket caching With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6656 Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
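Review bot: In the second hunk of install/share/gssproxy.conf.template (the `cred_usage = initiate` service run as `$IPAAPI_USER`), `allow_client_ccache_sync = true` is the setting that actually serves the LDAP ticket caching described in the commit message; a short comment in the template saying so, and naming the gssproxy 0.7 and krb5 1.15.1 versions the commit message mentions, would document why both services carry the option.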
[Freeipa-devel] [freeipa PR#587][comment] Python 3: Fix session storage
URL: https://github.com/freeipa/freeipa/pull/587 Title: #587: Python 3: Fix session storage simo5 commented: """ Technically principal names could use any encoding ... but we make the assumption they are utf-8 in freeIPA, so this should be ok. """ See the full comment at https://github.com/freeipa/freeipa/pull/587#issuecomment-286518991
[Freeipa-devel] [freeipa PR#587][+ack] Python 3: Fix session storage
URL: https://github.com/freeipa/freeipa/pull/587 Title: #587: Python 3: Fix session storage Label: +ack
[Freeipa-devel] [freeipa PR#585][+ack] Remove allow_constrained_delegation from gssproxy.conf
URL: https://github.com/freeipa/freeipa/pull/585 Title: #585: Remove allow_constrained_delegation from gssproxy.conf Label: +ack
[Freeipa-devel] [freeipa PR#585][comment] Remove allow_constrained_delegation from gssproxy.conf
URL: https://github.com/freeipa/freeipa/pull/585 Title: #585: Remove allow_constrained_delegation from gssproxy.conf simo5 commented: """ Please change commit message to: The Apache process *must* not be allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication. """ See the full comment at https://github.com/freeipa/freeipa/pull/585#issuecomment-286486668
[Freeipa-devel] [freeipa PR#559][-ack] WebUI: Certificate login
URL: https://github.com/freeipa/freeipa/pull/559 Title: #559: WebUI: Certificate login Label: -ack
[Freeipa-devel] [freeipa PR#559][reopened] WebUI: Certificate login
URL: https://github.com/freeipa/freeipa/pull/559 Author: pvomacka Title: #559: WebUI: Certificate login Action: reopened To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/559/head:pr559 git checkout pr559
[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login
URL: https://github.com/freeipa/freeipa/pull/559 Title: #559: WebUI: Certificate login simo5 commented: """ You need to wait to get the gssproxy fix I've been developing today and set the minimum gssproxy version to the one with the fix once we get to publish it """ See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-286478736
[Freeipa-devel] [freeipa PR#559][comment] WebUI: Certificate login
URL: https://github.com/freeipa/freeipa/pull/559 Title: #559: WebUI: Certificate login simo5 commented: """ NACK NACK NACK Please revert the change to the gssproxy template, it undoes half the work done in privilege separation """ See the full comment at https://github.com/freeipa/freeipa/pull/559#issuecomment-286478501
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed simo5 commented: """ Sure no prob """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286391140
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed simo5 commented: """ Can you figure out exactly why certmonger is doing this ? """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-286366985
[Freeipa-devel] [freeipa PR#567][synchronized] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567 Author: simo5 Title: #567: Configure KDC to use certs after they are deployed Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/567/head:pr567 git checkout pr567 From 5758f8aad74b043d3d2e9b76c92cc5fbd66b5976 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Thu, 9 Mar 2017 12:49:54 -0500 Subject: [PATCH] Configure KDC to use certs after they are deployed Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/kdc.conf.template | 4 ++-- ipaserver/install/krbinstance.py | 28 +++- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index ec53a1f..c9d5c28 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_CERT,$KDC_KEY - pkinit_anchors = FILE:$CACERT_PEM +$NOPK pkinit_identity = FILE:$KDC_CERT,$KDC_KEY +$NOPK pkinit_anchors = FILE:$CACERT_PEM } diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 79803ca..b92c436 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -68,6 +68,7 @@ def __init__(self, fstore=None): self.kdc_password = None self.sub_dict = None self.pkcs12_info = None +self.config_pkinit = None suffix = ipautil.dn_attribute_property('_suffix') subject_base = ipautil.dn_attribute_property('_subject_base') 
@@ -140,12 +141,16 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password): def __common_post_setup(self): self.step("starting the KDC", self.__start_instance) +if self.config_pkinit: +self.step("installing X509 Certificate for PKINIT", + self.setup_pkinit) self.step("configuring KDC to start on boot", self.__enable) def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None): self.master_password = master_password self.pkcs12_info = pkcs12_info self.subject_base = subject_base +self.config_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) @@ -160,10 +165,6 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma self.__common_post_setup() -if setup_pkinit: -self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) - self.start_creation(runtime=30) self.kpasswd = KpasswdInstance() @@ -178,14 +179,12 @@ def create_replica(self, realm_name, self.pkcs12_info = pkcs12_info self.subject_base = subject_base self.master_fqdn = master_fqdn +self.config_pkinit = setup_pkinit self.__common_setup(realm_name, host_name, domain_name, admin_password) self.step("configuring KDC", self.__configure_instance) self.step("adding the password extension to the directory", self.__add_pwd_extop_module) -if setup_pkinit: -self.step("installing X509 Certificate for PKINIT", - self.setup_pkinit) self.__common_post_setup() @@ -220,6 +219,7 @@ def __setup_sub_dict(self): KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL, DICT_WORDS=paths.DICT_WORDS, KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB, + NOPK=';', KDC_CERT=paths.KDC_CERT, KDC_KEY=paths.KDC_KEY, CACERT_PEM=paths.CACERT_PEM) 
@@ -255,11 +255,12 @@ def __add_krb_container(self): def __add_default_acis(self): self._ldap_mod("default-aci.ldif", self.sub_dict) -def __template_file(self, path, chmod=0o644): +def __template_file(self, path, chmod=0o644, backup=True): template = os.path.join(paths.USR_SHARE_IPA_DIR, os.path.basename(path) + ".template") conf = ipautil.template_file(template, self.sub_dict) -self.fstore.backup_file(path) +if backup: +self.fstore.backup_file(path) fd = open(path, "w+") fd.write(conf) fd.close() @@ -377,6 +378,15 @@ def setup_pkinit(self): # have any selinux i
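Review bot: In the install/share/kdc.conf.template hunk, the `$NOPK` prefix depends on `;` being a comment marker in kdc.conf, and once it is substituted with an empty string in setup_pkinit the rendered `pkinit_identity` and `pkinit_anchors` lines start with a leading space. Both work, but a comment in the template saying that `$NOPK` renders as `;` until the PKINIT certificates are deployed would make the two-pass rendering obvious to the next person editing the file.

Review bot: In the `__common_post_setup` hunk of ipaserver/install/krbinstance.py, the PKINIT step now runs after "starting the KDC" for both create_instance and create_replica, which matches the intent in the commit message. Since `self.config_pkinit` starts as None in `__init__` and is only set by those two entry points, any other caller of `__common_post_setup` silently skips PKINIT setup; a docstring on `__common_post_setup` stating that expectation would prevent surprises.

Review bot: In the `__template_file` hunk, the new `backup=True` parameter exists so the second rendering of kdc.conf does not overwrite the fstore backup of the original file with the first rendered copy, but neither the diff nor the commit message says so. Suggest a short comment at the parameter, for example `# backup=False when re-rendering a file whose original was already saved`.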
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed simo5 commented: """ Should have addressed all concerns in this push """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285660566
[Freeipa-devel] [freeipa PR#511][comment] Bump required version of gssproxy to 0.6.2
URL: https://github.com/freeipa/freeipa/pull/511 Title: #511: Bump required version of gssproxy to 0.6.2 simo5 commented: """ Can you prepare a patch for the spec file that requires gssproxy >= 0.7.0 and mod_auth_gssapi >= 1.5.0 ? """ See the full comment at https://github.com/freeipa/freeipa/pull/511#issuecomment-285507599
[Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install
URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install simo5 commented: """ @martbab @abbra see the pull request in #567 """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285493983
[Freeipa-devel] [freeipa PR#567][comment] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567 Title: #567: Configure KDC to use certs after they are deployed simo5 commented: """ Still testing but this should be the way to go to fix the bug reported in #564 """ See the full comment at https://github.com/freeipa/freeipa/pull/567#issuecomment-285493679
[Freeipa-devel] [freeipa PR#567][opened] Configure KDC to use certs after they are deployed
URL: https://github.com/freeipa/freeipa/pull/567 Author: simo5 Title: #567: Configure KDC to use certs after they are deployed Action: opened PR body: """ Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/567/head:pr567 git checkout pr567 From d9fb5cb52b9450f6ac514b75ec4b74ec3d30affa Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Thu, 9 Mar 2017 12:49:54 -0500 Subject: [PATCH] Configure KDC to use certs after they are deployed Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/kdc.conf.template | 4 ++-- ipaserver/install/krbinstance.py | 19 --- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index ec53a1f..c9d5c28 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_CERT,$KDC_KEY - pkinit_anchors = FILE:$CACERT_PEM +$NOPK pkinit_identity = FILE:$KDC_CERT,$KDC_KEY +$NOPK pkinit_anchors = FILE:$CACERT_PEM } diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py index 79803ca..04246de 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py 
@@ -139,7 +139,6 @@ def __common_setup(self, realm_name, host_name, domain_name, admin_password): pass def __common_post_setup(self): -self.step("starting the KDC", self.__start_instance) self.step("configuring KDC to start on boot", self.__enable) def create_instance(self, realm_name, host_name, domain_name, admin_password, master_password, setup_pkinit=False, pkcs12_info=None, subject_base=None): @@ -157,6 +156,7 @@ def create_instance(self, realm_name, host_name, domain_name, admin_password, ma self.step("creating a keytab for the machine", self.__create_host_keytab) self.step("adding the password extension to the directory", self.__add_pwd_extop_module) self.step("creating anonymous principal", self.add_anonymous_principal) +self.step("starting the KDC", self.__start_instance) self.__common_post_setup() @@ -183,6 +183,8 @@ def create_replica(self, realm_name, self.step("configuring KDC", self.__configure_instance) self.step("adding the password extension to the directory", self.__add_pwd_extop_module) +self.step("starting the KDC", self.__start_instance) + if setup_pkinit: self.step("installing X509 Certificate for PKINIT", self.setup_pkinit) @@ -220,6 +222,7 @@ def __setup_sub_dict(self): KRB5KDC_KADM5_ACL=paths.KRB5KDC_KADM5_ACL, DICT_WORDS=paths.DICT_WORDS, KRB5KDC_KADM5_KEYTAB=paths.KRB5KDC_KADM5_KEYTAB, + NOPK=';', KDC_CERT=paths.KDC_CERT, KDC_KEY=paths.KDC_KEY, CACERT_PEM=paths.CACERT_PEM) @@ -255,11 +258,12 @@ def __add_krb_container(self): def __add_default_acis(self): self._ldap_mod("default-aci.ldif", self.sub_dict) -def __template_file(self, path, chmod=0o644): +def __template_file(self, path, chmod=0o644, backup=True): template = os.path.join(paths.USR_SHARE_IPA_DIR, os.path.basename(path) + ".template") conf = ipautil.template_file(template, self.sub_dict) -self.fstore.backup_file(path) +if backup: +self.fstore.backup_file(path) fd = open(path, "w+") fd.write(conf) fd.close() 
@@ -377,6 +381,15 @@ def setup_pkinit(self): # have any selinux issues with the file context shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM) +# Now modify configuration to add pkinit anchors and restart KDC +self.sub_dict['NOPK'] = '' +self.__template_file(paths.KRB5KDC_KDC_CONF, chmod=None, backup=False) +try: +self.stop() +self.start() +except Exception: +root_logger.critical("krb5kdc service failed to restart") + def get_anonymous_principal_name(self): return "%s@%s" % (ANON_USER, self.realm)
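Review bot: In the create_instance and create_replica hunks of ipaserver/install/krbinstance.py, "starting the KDC" is removed from `__common_post_setup` and re-added by hand at both call sites, so the two entry points must now be kept in sync manually; keeping the start in one shared place with a flag for the PKINIT step (as the later push of this PR does via `config_pkinit`) avoids one site drifting from the other.

Review bot: In the setup_pkinit hunk, the `except Exception:` around `self.stop()` / `self.start()` only logs a critical message and lets installation continue with a kdc.conf that now requires certificates and a KDC that may be down; re-raising after logging, or letting the installer's step machinery report the failure, would be safer. The call also passes `chmod=None` to `__template_file`, whose visible signature defaults to 0o644; please confirm the function accepts None without attempting a chmod, since that branch is not in the diff.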
[Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install
URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install simo5 commented: """ I do not think this is the correct fix/bug. What we want to do is to change kdc.conf to require certs only after we have installed them. The KDC is already properly configured and running otherwise but fails to start on replica because certs are not there. We need it to not fail, not to allow certmonger to go over the network to other servers """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-285422563
[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ Oops sorry, forgot to run make pylint on my last iteration, should be all fixed now """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-285356420
[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 From c1ae93acad645c7725041cc10bf14b10fb94533c Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 18:47:56 -0500 Subject: [PATCH] Store session cookie in a ccache option Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 27 +--- ipapython/session_storage.py| 197 ipatests/test_ipapython/test_session_storage.py | 37 + 3 files changed, 239 insertions(+), 22 deletions(-) create mode 100644 ipapython/session_storage.py create mode 100644 ipatests/test_ipapython/test_session_storage.py diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8d1bba5..3a589cb 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,7 @@ from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger from ipapython import ipautil -from ipapython import kernel_keyring +from ipapython import session_storage from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ @@ -84,19 +84,11 @@ unicode = str COOKIE_NAME = 'ipa_session' -KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME +CCACHE_COOKIE_KEY = 'X-IPA-Session-Cookie' errors_by_code = dict((e.errno, e) for e in public_errors) -def client_session_keyring_keyname(principal): -''' -Return the key name used for storing the client session data for -the given principal. -''' - -return KEYRING_COOKIE_NAME % principal - def update_persistent_client_session_data(principal, data): ''' Given a principal create or update the session data for that 
@@ -106,13 +98,10 @@ def update_persistent_client_session_data(principal, data): ''' try: -keyname = client_session_keyring_keyname(principal) +session_storage.store_data(principal, CCACHE_COOKIE_KEY, data) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.update_key(keyname, data) - def read_persistent_client_session_data(principal): ''' Given a principal return the stored session data for that @@ -122,13 +111,10 @@ def read_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +return session_storage.get_data(principal, CCACHE_COOKIE_KEY) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -return kernel_keyring.read_key(keyname) - def delete_persistent_client_session_data(principal): ''' Given a principal remove the session data for that @@ -138,13 +124,10 @@ def delete_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +session_storage.remove_data(principal, CCACHE_COOKIE_KEY) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.del_key(keyname) - def xml_wrap(value, version): """ Wrap all ``str`` in ``xmlrpc.client.Binary``. diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py new file mode 100644 index 000..7fe17fb --- /dev/null +++ b/ipapython/session_storage.py 
@@ -0,0 +1,197 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import ctypes + + +KRB5_CC_NOSUPP = -1765328137 + + +try: +LIBKRB5 = ctypes.CDLL('libkrb5.so.3') +except OSError as e: # pragma: no cover +raise ImportError(str(e)) + + +class _krb5_context(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_context""" +_fields_ = [] + + +class _krb5_ccache(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_ccache""" +_fields_ = [] + + +class _krb5_data(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_data""" +_fields_ = [ +("magic", ctypes.c_int32), +("length", ctypes.c_uint), +("data", ctypes.c_char_p), +] + + +class krb5_principal_data(ctypes.Structure): # noqa +"""krb5/krb5.h struct krb5_principal_data""" +_fields_ = [] + + +class KRB5Error(Exception): +pass + + +def krb5_errcheck(result, func, arguments): +"""Error checker for krb5_error return value""" +i
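Review bot: In the update/read/delete_persistent_client_session_data hunks of ipalib/rpc.py, every failure from session_storage is still flattened into `ValueError(str(e))`, so callers cannot distinguish a missing entry from a ccache type that does not support config entries (the `KRB5_CC_NOSUPP` case the new module defines). The old `# kernel_keyring only raises ValueError (why??)` comments are gone but the contract they complained about remains; either document that callers rely on ValueError or let KRB5Error propagate for the unsupported-ccache case.

Review bot: In the new ipapython/session_storage.py hunk, `_krb5_data` declares `data` as `ctypes.c_char_p`; reading that field from a struct returned by libkrb5 converts it to bytes up to the first NUL, ignoring the explicit `length` field, so a stored value containing a NUL byte is truncated and a value that is not NUL-terminated is over-read. Suggest `("data", ctypes.POINTER(ctypes.c_char))` and reading with `ctypes.string_at(d.data, d.length)`.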
[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ Ok I decided to do away with the whole class stuff, given we never really keep around the class object for more than one operation at a time in actual use. As @rcritten requested I also added a test, and I am glad it was asked as I found a failure case we need to handle (see the exception handling in remove_data()) """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-285339682
[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 From 136f5b4bb40fc4869a91518ff181cc449b2d43d7 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 18:47:56 -0500 Subject: [PATCH] Store session cookie in a ccache option Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 27 +--- ipapython/session_storage.py| 197 ipatests/test_ipapython/test_session_storage.py | 40 + 3 files changed, 242 insertions(+), 22 deletions(-) create mode 100644 ipapython/session_storage.py create mode 100644 ipatests/test_ipapython/test_session_storage.py diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8d1bba5..2b545b2 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,7 @@ from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger from ipapython import ipautil -from ipapython import kernel_keyring +from ipapython import session_storage from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ @@ -84,19 +84,11 @@ unicode = str COOKIE_NAME = 'ipa_session' -KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME +CCACHE_COOKIE_KEY = 'X-IPA-Session-Cookie' errors_by_code = dict((e.errno, e) for e in public_errors) -def client_session_keyring_keyname(principal): -''' -Return the key name used for storing the client session data for -the given principal. -''' - -return KEYRING_COOKIE_NAME % principal - def update_persistent_client_session_data(principal, data): ''' Given a principal create or update the session data for that 
@@ -106,13 +98,10 @@ def update_persistent_client_session_data(principal, data): ''' try: -keyname = client_session_keyring_keyname(principal) +session_storage.store_data(principal, CCACHE_COOKIE_KEY, data) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.update_key(keyname, data) - def read_persistent_client_session_data(principal): ''' Given a principal return the stored session data for that @@ -122,13 +111,10 @@ def read_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +return session_storage.store_data(principal, CCACHE_COOKIE_KEY) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -return kernel_keyring.read_key(keyname) - def delete_persistent_client_session_data(principal): ''' Given a principal remove the session data for that @@ -138,13 +124,10 @@ def delete_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +session_storage.remove_data(principal, CCACHE_COOKIE_KEY) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.del_key(keyname) - def xml_wrap(value, version): """ Wrap all ``str`` in ``xmlrpc.client.Binary``. diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py new file mode 100644 index 000..d2a01fc --- /dev/null +++ b/ipapython/session_storage.py 
@@ -0,0 +1,197 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import ctypes + + +KRB5_CC_NOSUPP = -1765328137 + + +try: +LIBKRB5 = ctypes.CDLL('libkrb5.so.3') +except OSError as e: # pragma: no cover +raise ImportError(str(e)) + + +class _krb5_context(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_context""" +_fields_ = [] + + +class _krb5_ccache(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_ccache""" +_fields_ = [] + + +class _krb5_data(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_data""" +_fields_ = [ +("magic", ctypes.c_int32), +("length", ctypes.c_uint), +("data", ctypes.c_char_p), +] + + +class krb5_principal_data(ctypes.Structure): # noqa +"""krb5/krb5.h struct krb5_principal_data""" +_fields_ = [] + + +class KRB5Error(Exception): +pass + + +def krb5_errcheck(result, func, arguments): +"""Error checker for krb5_error return value""" +i
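Review bot: read_persistent_client_session_data in the ipalib/rpc.py hunk calls `session_storage.store_data(principal, CCACHE_COOKIE_KEY)` where a read is intended, so every read either fails on the missing data argument or overwrites the stored cookie; it should call the module's read function instead. Also, in the new ipapython/session_storage.py, `_krb5_data` declares its `data` member as `ctypes.c_char_p`, which stops at the first NUL byte and ignores `length`; a `ctypes.c_void_p` read back with `ctypes.string_at(ptr, length)` keeps arbitrary cookie bytes intact.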
[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 From 77ba575a4400e3e27eb8278e8d9161e8ae33d0d4 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 18:47:56 -0500 Subject: [PATCH] Store session cookie in a ccache option Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py| 30 ++- ipapython/session_storage.py | 193 +++ 2 files changed, 201 insertions(+), 22 deletions(-) create mode 100644 ipapython/session_storage.py diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8d1bba5..cf7765c 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,7 @@ from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger from ipapython import ipautil -from ipapython import kernel_keyring +from ipapython import session_storage from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ @@ -84,19 +84,11 @@ unicode = str COOKIE_NAME = 'ipa_session' -KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME +CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie' errors_by_code = dict((e.errno, e) for e in public_errors) -def client_session_keyring_keyname(principal): -''' -Return the key name used for storing the client session data for -the given principal. -''' - -return KEYRING_COOKIE_NAME % principal - def update_persistent_client_session_data(principal, data): ''' Given a principal create or update the session data for that 
@@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data): ''' try: -keyname = client_session_keyring_keyname(principal) +s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) +s.store_data(principal, data) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.update_key(keyname, data) - def read_persistent_client_session_data(principal): ''' Given a principal return the stored session data for that @@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) +return s.get_data(principal) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -return kernel_keyring.read_key(keyname) - def delete_persistent_client_session_data(principal): ''' Given a principal remove the session data for that @@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) +s.remove_data(principal) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.del_key(keyname) - def xml_wrap(value, version): """ Wrap all ``str`` in ``xmlrpc.client.Binary``. diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py new file mode 100644 index 000..b997c80 --- /dev/null +++ b/ipapython/session_storage.py 
@@ -0,0 +1,193 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import ctypes + + +try: +LIBKRB5 = ctypes.CDLL('libkrb5.so.3') +except OSError as e: # pragma: no cover +raise ImportError(str(e)) + + +class _krb5_context(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_context""" +_fields_ = [] + + +class _krb5_ccache(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_ccache""" +_fields_ = [] + + +class _krb5_data(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_data""" +_fields_ = [ +("magic", ctypes.c_int32), +("length", ctypes.c_uint), +("data", ctypes.c_char_p), +] + + +class krb5_principal_data(ctypes.Structure): # noqa +"""krb5/krb5.h struct krb5_principal_data""" +_fields_ = [] + + +class KRB5Error(Exception): +pass + + +def krb5_errcheck(result, func, arguments): +"""Error checker for krb5_error return value""" +if result != 0: +raise KRB5Error(result, func.__name__, argum
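Review bot: the three rpc.py helpers each build a fresh `session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME)` inside the try block and flatten any exception into `ValueError(str(e))`, so callers can no longer tell "no cookie stored for this principal" from "ccache unavailable"; consider having `get_data` return None for the missing-key case and reserving ValueError for real failures, and say in the docstrings which case raises. Minor: the removed `# kernel_keyring only raises ValueError (why??)` comment was the only explanation of why ValueError is the contract; a one-line note that ccache_store exceptions are deliberately normalised would keep that context.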
[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ I also renamed the module and the class, makes more sense to me this way around. """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284775755 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ Ok removed a bunch of code and made sure pylint passes. """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284775623
[Freeipa-devel] [freeipa PR#546][synchronized] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 From 1a90c205283f9c061753ed1d8ab33a0e4f2ac06e Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 18:47:56 -0500 Subject: [PATCH] Store session cookie in a ccache option Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py| 30 ++- ipapython/session_storage.py | 186 +++ 2 files changed, 194 insertions(+), 22 deletions(-) create mode 100644 ipapython/session_storage.py diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8d1bba5..cf7765c 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,7 @@ from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger from ipapython import ipautil -from ipapython import kernel_keyring +from ipapython import session_storage from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ @@ -84,19 +84,11 @@ unicode = str COOKIE_NAME = 'ipa_session' -KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME +CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie' errors_by_code = dict((e.errno, e) for e in public_errors) -def client_session_keyring_keyname(principal): -''' -Return the key name used for storing the client session data for -the given principal. -''' - -return KEYRING_COOKIE_NAME % principal - def update_persistent_client_session_data(principal, data): ''' Given a principal create or update the session data for that 
@@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data): ''' try: -keyname = client_session_keyring_keyname(principal) +s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) +s.store_data(principal, data) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.update_key(keyname, data) - def read_persistent_client_session_data(principal): ''' Given a principal return the stored session data for that @@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) +return s.get_data(principal) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -return kernel_keyring.read_key(keyname) - def delete_persistent_client_session_data(principal): ''' Given a principal remove the session data for that @@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +s = session_storage.ccache_store(CCACHE_COOKIE_KEY_NAME) +s.remove_data(principal) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.del_key(keyname) - def xml_wrap(value, version): """ Wrap all ``str`` in ``xmlrpc.client.Binary``. diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py new file mode 100644 index 000..10359e1 --- /dev/null +++ b/ipapython/session_storage.py 
@@ -0,0 +1,186 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import ctypes + + +class KRB5Error(Exception): +pass + + +try: +LIBKRB5 = ctypes.CDLL('libkrb5.so.3') +except OSError as e: # pragma: no cover +raise ImportError(str(e)) + +class _krb5_context(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_context""" +_fields_ = [] + +class _krb5_ccache(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_ccache""" +_fields_ = [] + +class _krb5_data(ctypes.Structure): # noqa +"""krb5/krb5.h struct _krb5_data""" +_fields_ = [ +("magic", ctypes.c_int32), +("length", ctypes.c_uint), +("data", ctypes.c_char_p), +] + +class krb5_principal_data(ctypes.Structure): # noqa +"""krb5/krb5.h struct krb5_principal_data""" +_fields_ = [] + +def krb5_errcheck(result, func, arguments): +"""Error checker for krb5_error return value""" +if result != 0: +raise KRB5Error(result, func.__name__, arguments) + +krb5_p
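Review bot: `krb5_errcheck` raises `KRB5Error(result, func.__name__, arguments)` and rpc.py turns that into `ValueError(str(e))`, so the full argument tuple of the failing libkrb5 call ends up in the exception text; when the failing call is the one that writes the session cookie, that text carries the cookie value into any log or traceback that prints the error. Suggest raising with only the error code and function name (the krb5 error message can be looked up separately) so credential material never lands in exception strings.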
[Freeipa-devel] [freeipa PR#546][comment] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Title: #546: Store session cookie in a ccache option simo5 commented: """ @rcritten the keyring stuff is still used for detection of keyring in other places, so I did not touch it as those uses are still valid """ See the full comment at https://github.com/freeipa/freeipa/pull/546#issuecomment-284767193
[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching simo5 commented: """ Yes, I think we should add a new PR later once we release gssproxy 0.7 """ See the full comment at https://github.com/freeipa/freeipa/pull/543#issuecomment-284743273
[Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally
URL: https://github.com/freeipa/freeipa/pull/547 Title: #547: Use GSS-SPNEGO if connecting locally simo5 commented: """ We actually do not need to put a strong require, this patch will work regardless, but won't provide any performance advantage on older versions. You will add a stronger require when the GC work is done, so we can defer to that point to add it. """ See the full comment at https://github.com/freeipa/freeipa/pull/547#issuecomment-284743086
[Freeipa-devel] [freeipa PR#533][comment] WebUI: Change structure of Identity submenu
URL: https://github.com/freeipa/freeipa/pull/533 Title: #533: WebUI: Change structure of Identity submenu simo5 commented: """ I do not have enough insights on the .js side to say this is all correct, but having seen the mockups I want to give an ack from my side here. """ See the full comment at https://github.com/freeipa/freeipa/pull/533#issuecomment-284739181
[Freeipa-devel] [freeipa PR#547][synchronized] Use GSS-SPNEGO if connecting locally
URL: https://github.com/freeipa/freeipa/pull/547 Author: simo5 Title: #547: Use GSS-SPNEGO if connecting locally Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/547/head:pr547 git checkout pr547 From 431a21bace9d6e071c9f0bd7cfbc27d7748164bc Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 14:19:30 -0500 Subject: [PATCH] Use GSS-SPNEGO if connecting locally GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking for speedups for the local short-lived connections performed by the framework. Most other clients have longer lived connections, so performance improvements there are not as important. Ticket: https://pagure.io/freeipa/issue/6656 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/ipaldap.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 82d45b9..b158598 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -52,6 +52,7 @@ # Global variable to define SASL auth SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI') +SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO') _debug_log_ldap = False 
@@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None): Perform SASL bind operation using the SASL GSSAPI mechanism. """ with self.error_handler(): -auth_tokens = ldap.sasl.sasl({}, 'GSSAPI') +if self._protocol == 'ldapi': +auth_tokens = SASL_GSS_SPNEGO +else: +auth_tokens = SASL_GSSAPI self._flush_schema() self.conn.sasl_interactive_bind_s( '', auth_tokens, server_controls, client_controls)
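Review bot: the gssapi_bind hunk selects SASL_GSS_SPNEGO whenever `self._protocol == 'ldapi'` with no fallback, while the commit message itself states that a newer client and an older server are not compatible; a rejected SPNEGO bind inside `error_handler()` will surface as a generic bind failure that does not name the mechanism. Either retry with SASL_GSSAPI when the SPNEGO bind is refused, or log which mechanism was chosen so a failed local bind is diagnosable.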
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From 4c13d3360b28da66cf1fe54e7fb1c022f24e4c2e Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH] Add options to allow ticket caching With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6656 Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
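Review bot: both hunks add `allow_client_ccache_sync = true` to the template with no comment, while the version requirements (gssproxy 0.7, krb5 1.15.1) and the fact that an older gssproxy ignores the option live only in the commit message. A one-line comment above each added line stating those requirements would keep the rendered gssproxy.conf self-explaining for whoever reads it on an installed server.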
[Freeipa-devel] [freeipa PR#547][opened] Use GSS-SPNEGO if connecting locally
URL: https://github.com/freeipa/freeipa/pull/547 Author: simo5 Title: #547: Use GSS-SPNEGO if connecting locally Action: opened PR body: """ GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking for speedups for the local short-lived connections performed by the framework. Most other clients have longer lived connections, so performance improvements there are not as important. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/547/head:pr547 git checkout pr547 From 990f35d49602866724849f900e69079c5df6f86b Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 14:19:30 -0500 Subject: [PATCH] Use GSS-SPNEGO if connecting locally GSS-SPNEGO allows us to negotiate a SASL bind with less roundtrips therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking for speedups for the local short-lived connections performed by the framework. Most other clients have longer lived connections, so performance improvements there are not as important. Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/ipaldap.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 82d45b9..b158598 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py 
@@ -52,6 +52,7 @@ # Global variable to define SASL auth SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI') +SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO') _debug_log_ldap = False @@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None): Perform SASL bind operation using the SASL GSSAPI mechanism. """ with self.error_handler(): -auth_tokens = ldap.sasl.sasl({}, 'GSSAPI') +if self._protocol == 'ldapi': +auth_tokens = SASL_GSS_SPNEGO +else: +auth_tokens = SASL_GSSAPI self._flush_schema() self.conn.sasl_interactive_bind_s( '', auth_tokens, server_controls, client_controls)
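Review bot: the docstring of gssapi_bind still says the bind uses the SASL GSSAPI mechanism, while the hunk now selects GSS-SPNEGO for ldapi connections; update it to say the mechanism depends on the protocol. The new module-level `SASL_GSS_SPNEGO` (like the existing `SASL_GSSAPI`) is one `ldap.sasl.sasl` instance shared by every connection, whereas the removed line built a fresh object per bind; a short comment confirming the object carries no per-connection state would make that change in lifetime deliberate rather than incidental.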
[Freeipa-devel] [freeipa PR#546][opened] Store session cookie in a ccache option
URL: https://github.com/freeipa/freeipa/pull/546 Author: simo5 Title: #546: Store session cookie in a ccache option Action: opened PR body: """ Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/546/head:pr546 git checkout pr546 From 8aac1aee8c10810ef1e9590b23a982ed98585f09 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 18:47:56 -0500 Subject: [PATCH] Store session cookie in a ccache option Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 30 ++ ipapython/ccache_storage.py | 234 2 files changed, 242 insertions(+), 22 deletions(-) create mode 100644 ipapython/ccache_storage.py diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8d1bba5..027a11f 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,7 @@ from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger from ipapython import ipautil -from ipapython import kernel_keyring +from ipapython import ccache_storage from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ 
@@ -84,19 +84,11 @@ unicode = str COOKIE_NAME = 'ipa_session' -KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME +CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie' errors_by_code = dict((e.errno, e) for e in public_errors) -def client_session_keyring_keyname(principal): -''' -Return the key name used for storing the client session data for -the given principal. -''' - -return KEYRING_COOKIE_NAME % principal - def update_persistent_client_session_data(principal, data): ''' Given a principal create or update the session data for that @@ -106,13 +98,11 @@ def update_persistent_client_session_data(principal, data): ''' try: -keyname = client_session_keyring_keyname(principal) +s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME) +s.store_data(principal, data) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.update_key(keyname, data) - def read_persistent_client_session_data(principal): ''' Given a principal return the stored session data for that @@ -122,13 +112,11 @@ def read_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME) +return s.get_data(principal) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -return kernel_keyring.read_key(keyname) - def delete_persistent_client_session_data(principal): ''' Given a principal remove the session data for that @@ -138,13 +126,11 @@ def delete_persistent_client_session_data(principal): ''' try: -keyname = client_session_keyring_keyname(principal) +s = ccache_storage.session_store(CCACHE_COOKIE_KEY_NAME) +s.remove_data(principal) except Exception as e: raise ValueError(str(e)) -# kernel_keyring only raises ValueError (why??) -kernel_keyring.del_key(keyname) - def xml_wrap(value, version): """ Wrap all ``str`` in ``xmlrpc.client.Binary``. 
diff --git a/ipapython/ccache_storage.py b/ipapython/ccache_storage.py new file mode 100644 index 000..2944b33 --- /dev/null +++ b/ipapython/ccache_storage.py @@ -0,0 +1,234 @@ +# +# Copyright (C) 2017 FreeIPA Contributors see COPYING for license +# + +import ctypes +import os +import sys + +import six + + +class KRB5Error(Exception): +pass + + +PY3 = sys.version_info[0] == 3 + + +try: +LIBKRB5 = ctypes.CDLL('libkrb5.so.3') +except OSError as e: # pragma: no cover +LIBKRB5 = e +else: +class c_text_p(ctypes.c_char_p): # noqa +"""A c_char_p variant that can handle UTF-8 text""" +@classmethod +def from_param(cls, value): +if value is None: +return None +if PY3 and isinstance(value, str): +return value.encode('utf-8') +elif not PY3 and isinstance(value, unicode): # noqa +return value.encode('utf-8') +elif not isinstance(value, bytes): +raise TypeError(value) +else: +return value + +@property +def text(self): +
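Review bot: in the ipapython/ccache_storage.py hunk, the `except OSError as e:` branch assigns the exception object to `LIBKRB5` and carries on, so a missing libkrb5.so.3 is only noticed when a later attribute access on `LIBKRB5` fails with an unrelated AttributeError; raise ImportError (or KRB5Error) there, or guard every use with an explicit check. Minor: `six` is imported but `PY3` is recomputed from `sys.version_info`; `six.PY3` already provides it.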
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH] Add options to allow ticket caching With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
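Review bot: the option is switched on in both sections, the HTTP service one (`cred_usage = both`, `allow_protocol_transition = true`) and the IPA API one (`cred_usage = initiate`), but the commit message motivates it only by the framework's LDAP ticket lookups. State, in the commit message or a template comment, that syncing obtained tickets back into the caller's ccache is also intended for the protocol-transition section, so a reader does not assume the second line was added by copy and paste.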
[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH 1/3] Add options to allow ticket caching With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER From 34553627ebd709dea371030b03607c9c167732b0 Mon Sep 17 00:00:00 2001 
From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 14:19:30 -0500 Subject: [PATCH 2/3] Use GSS-SPNEGO if connecting locally GSS-SPNEGO allows us to negotiate a sasl bind with less roundtrips therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incompatible services, and it is ok for us as we are only really looking at speedups for the local short-lived connections performed by the framework. Most other clients have longer lived connections, so performance improvements there are not as important. Signed-off-by: Simo Sorce <s...@redhat.com> --- ipapython/ipaldap.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py index 82d45b9..b158598 100644 --- a/ipapython/ipaldap.py +++ b/ipapython/ipaldap.py @@ -52,6 +52,7 @@ # Global variable to define SASL auth SASL_GSSAPI = ldap.sasl.sasl({}, 'GSSAPI') +SASL_GSS_SPNEGO = ldap.sasl.sasl({}, 'GSS-SPNEGO') _debug_log_ldap = False @@ -1112,7 +1113,10 @@ def gssapi_bind(self, server_controls=None, client_controls=None): Perform SASL bind operation using the SASL GSSAPI mechanism. """ with self.error_handler(): -auth_tokens = ldap.sasl.sasl({}, 'GSSAPI') +if self._protocol == 'ldapi': +auth_tokens = SASL_GSS_SPNEGO +else: +auth_tokens = SASL_GSSAPI self._flush_schema() self.conn.sasl_interactive_bind_s( '', auth_tokens, server_controls, client_controls) From 4a9b4a7769e36890f95d87053388579928088dd3 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 18:47:56 -0500 Subject: [PATCH 3/3] Store session cookie in a ccache option Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 
Signed-off-by: Simo Sorce <s...@redhat.com> --- ipalib/rpc.py | 30 ++ ipapython/ccache_storage.py | 234 2 files changed, 242 insertions(+), 22 deletions(-) create mode 100644 ipapython/ccache_storage.py diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8d1bba5..be31333 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -56,7 +56,7 @@ from ipalib.request import context, Connection from ipapython.ipa_log_manager import root_logger from ipapython import ipautil -from ipapython import kernel_keyring +from ipapython import ccache_storage from ipapython.cookie import Cookie from ipapython.dnsutil import DNSName from ipalib.text import _ @@ -84,19 +84,11 @@ unicode = str COOKIE_NAME = 'ipa_session' -KEYRING_COOKIE_NAME = '%s_cookie:%%s' % COOKIE_NAME +CCACHE_COOKIE_KEY_NAME = 'X-IPA-Session-Cookie' errors_by_code = dict((e.errno, e) for e in public_errors) -def client_session_keyring_keyname(principal): -''' -Return the key name used for storing the client session data for -the given principal. -''' - -return KEYRING_COOKIE_NAME % principal - def update_persistent_client_session_data(principal, data): '''
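Review bot: this submission bundles the gssproxy option, the GSS-SPNEGO bind and the ccache cookie storage as PATCH 1/3 to 3/3 although the first two are also open on their own as #543 and #547; say in the cover text which PR is authoritative so the identical gssproxy.conf.template and ipaldap.py hunks are not reviewed twice. In the rpc.py hunk of PATCH 3/3, the removed `# kernel_keyring only raises ValueError (why??)` comment was the only explanation of why the wrappers normalise to ValueError; with ccache_storage in its place the docstrings of the three helpers should say what the new backend raises and why ValueError remains the contract.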
[Freeipa-devel] [freeipa PR#543][opened] Add options to allow ticket caching
URL: https://github.com/freeipa/freeipa/pull/543 Author: simo5 Title: #543: Add options to allow ticket caching Action: opened PR body: """ With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). NOTE: It is safe to apply this to master, if gssproxy does not support this option it simply is ignored. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/543/head:pr543 git checkout pr543 From 513c118d741594bf6bab6302a4b24c23168c4c44 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 6 Mar 2017 13:46:44 -0500 Subject: [PATCH] Add options to allow ticket caching With this new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/gssproxy.conf.template | 2 ++ 1 file changed, 2 insertions(+) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index fbb158a..9d11100 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_client_ccache_sync = true cred_usage = both euid = $HTTPD_USER @@ -12,5 +13,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_constrained_delegation = true + allow_client_ccache_sync = true cred_usage = initiate euid = $IPAAPI_USER
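Review bot: The @@ -4 hunk (and the identical @@ -12 hunk for the second service) adds `allow_client_ccache_sync = true` with no comment, and the PR body relies on unsupported gssproxy versions silently ignoring it. That silence cuts both ways: an administrator reading the rendered config cannot tell whether ticket caching is actually in effect. Add a comment above each new line in the template naming the minimum gssproxy (0.7) and krb5 (1.15.1) versions the commit message states, and consider raising the gssproxy dependency in the packaging once 0.7 ships so the option is not a no-op on deployed servers.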
[Freeipa-devel] [freeipa PR#532][+ack] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing Label: +ack
[Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing simo5 commented: """ LGTM, please merge """ See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-284055799
[Freeipa-devel] [freeipa PR#532][comment] Fix cookie with Max-Age processing
URL: https://github.com/freeipa/freeipa/pull/532 Title: #532: Fix cookie with Max-Age processing simo5 commented: """ Ok, sorry for some reason I thought this was on the server side, where we do not care what the cookie looks like, but on the client side we indeed care. """ See the full comment at https://github.com/freeipa/freeipa/pull/532#issuecomment-283666136
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card simo5 commented: """ I am not sure we want to wait for replies from trusted domains, it may be very slow, and in some cases it will just not work right (one way trusts with strict access control on entries). Active Directory forces users to provide a hint when logging into trusted domains with smart cards and does not query the remote domain. Have we considered this? """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283420862
[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card simo5 commented: """ Why do we need to talk to SSSD to do this? Don't we have all the needed data in LDAP already? """ See the full comment at https://github.com/freeipa/freeipa/pull/516#issuecomment-283115629
[Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy simo5 commented: """ Seemed worth fixing at the same time, but I won't insist. """ See the full comment at https://github.com/freeipa/freeipa/pull/508#issuecomment-282770785
[Freeipa-devel] [freeipa PR#514][opened] Limit sessions to 30 minutes by default
URL: https://github.com/freeipa/freeipa/pull/514 Author: simo5 Title: #514: Limit sessions to 30 minutes by default Action: opened PR body: """ When we changed the session handling code we unintentionally extended sessions expiration time to the whole ticket lifetime of 24h. Related to https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <s...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/514/head:pr514 git checkout pr514 From 61d3244b77c293f786032e607417c1352de0aef0 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 27 Feb 2017 10:50:03 -0500 Subject: [PATCH] Limit sessions to 30 minutes by default When we changed the session handling code we unintentionally extended sessions expiration time to the whole ticket lifetime of 24h. Related to https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <s...@redhat.com> --- install/conf/ipa.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 635bfe5..419d4e3 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -67,6 +67,7 @@ WSGIScriptReloading Off Session On SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION + SessionMaxAge 1800 GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiDelegCcacheDir /var/run/ipa/ccaches
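Review bot: The hunk adds `SessionMaxAge 1800` right after `SessionHeader IPASESSION` with no comment. Add one saying the value is in seconds and stating whether the 30 minutes is an absolute limit from login or is refreshed each time mod_session saves the session on a request; the difference matters because the commit message frames this as a fix for sessions silently lasting the full 24h ticket lifetime, and a reviewer cannot tell from the hunk which behaviour is intended. Since this is the only expiry knob for the web session, also consider whether the installer should expose it rather than leaving a bare literal in the config.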
[Freeipa-devel] [freeipa PR#506][comment] Use IPA CA cert in Custodia secrets client
URL: https://github.com/freeipa/freeipa/pull/506 Title: #506: Use IPA CA cert in Custodia secrets client simo5 commented: """ Works for me. """ See the full comment at https://github.com/freeipa/freeipa/pull/506#issuecomment-282282986
[Freeipa-devel] [freeipa PR#364][+ack] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server Label: +ack
[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server
URL: https://github.com/freeipa/freeipa/pull/364 Title: #364: Client-only builds with --disable-server simo5 commented: """ So this is the reasoning and why I am approving this PR and not #494. When you build all components, including server bits, tests are installed, therefore when we build just client bits tests that are relevant to client bits also need to be installed for consistency. Any switch should default to the same behavior regardless of whether server build is enabled. It is confusing if the --with[out]-[ipa]tests switch changes default based on a different switch passed to configure. As far as I understand this PR maintains the same default for either server or client only builds, so it gets my approval. """ See the full comment at https://github.com/freeipa/freeipa/pull/364#issuecomment-281680804
[Freeipa-devel] [freeipa PR#485][opened] Fix session logout
URL: https://github.com/freeipa/freeipa/pull/485 Author: simo5 Title: #485: Fix session logout Action: opened PR body: """ There were 2 issues with session logouts, one is that the logout_cookie was checked and acted on in the wrong place, the other is that the wrong value was set in the IPASESSION header. Fixes https://fedorahosted.org/freeipa/ticket/6685 Signed-off-by: Simo Sorce <s...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/485/head:pr485 git checkout pr485 From 85eb3103c04e6e125bdb1d09caed6a94580a7592 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Mon, 20 Feb 2017 12:38:11 -0500 Subject: [PATCH] Fix session logout There were 2 issues with session logouts, one is that the logout_cookie was checked and acted on in the wrong place, the other is that the wrong value was set in the IPASESSION header. Fixes https://fedorahosted.org/freeipa/ticket/6685 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/plugins/session.py | 2 +- ipaserver/rpcserver.py | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ipaserver/plugins/session.py b/ipaserver/plugins/session.py index 8e480ed..a049cd9 100644 --- a/ipaserver/plugins/session.py +++ b/ipaserver/plugins/session.py @@ -23,6 +23,6 @@ def execute(self, *args, **options): else: delattr(context, 'ccache_name') -setattr(context, 'logout_cookie', '') +setattr(context, 'logout_cookie', 'MagBearerToken=') return dict(result=None) diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index f5c520f..25f2740 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py 
@@ -434,6 +434,10 @@ def __call__(self, environ, start_response): response = status.encode('utf-8') headers = [('Content-Type', 'text/plain; charset=utf-8')] +logout_cookie = getattr(context, 'logout_cookie', None) +if logout_cookie is not None: +headers.append(('IPASESSION', logout_cookie)) + start_response(status, headers) return [response] @@ -639,10 +643,6 @@ def __call__(self, environ, start_response): return self.marshal(None, CCacheError()) -logout_cookie = getattr(context, 'logout_cookie', None) -if logout_cookie: -self.headers.append(('IPASESSION', logout_cookie)) - try: self.create_context(ccache=user_ccache) response = super(KerberosWSGIExecutioner, self).__call__(
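Review bot: In the ipaserver/plugins/session.py hunk the new value `'MagBearerToken='` is an opaque literal. Give it a named constant with a comment saying what consumes it (the `IPASESSION` response header is picked up by the `SessionHeader IPASESSION` directive in ipa.conf and replaces the stored session) and why an empty MagBearerToken is the content that logs the user out; otherwise the next reader will "simplify" it back to `''`, which is exactly the value this hunk is fixing.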
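Review bot: The @@ -639 hunk removes the check from `KerberosWSGIExecutioner.__call__`, where it ran before `self.create_context(...)` and before the command executed, so a `logout_cookie` set by the session_logout command was never visible there, and `if logout_cookie:` was also false for the old empty-string value; moving it to @@ -434, after execution, and switching to `is not None` addresses both. The three context lines above the insertion (`response = status.encode('utf-8')`, the `text/plain` Content-Type) are the error branch, and the hunk does not show the success branch that precedes `start_response`, so please add a test asserting that a successful session_logout response carries the `IPASESSION` header; that is the case the old code got wrong and the hunk alone does not prove it is now covered.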
[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Author: simo5 Title: #468: Remove non-sensical kdestroy on https stop Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/468/head:pr468 git checkout pr468 From 7a8212217891ad2f9453b82d136cf30ad0b0dd74 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 15 Feb 2017 04:44:59 -0500 Subject: [PATCH] Remove non-sensical kdestroy on https stop This kdestroy runs as root and wipes root's own ccaches ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/ipa-httpd.conf.template | 2 +- ipaplatform/base/paths.py | 1 + ipaplatform/debian/paths.py | 1 - ipaplatform/redhat/tasks.py | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template index 8822066..39bcfcc 100644 --- a/install/share/ipa-httpd.conf.template +++ b/install/share/ipa-httpd.conf.template @@ -1,7 +1,7 @@ # Do not edit. Created by IPA installer. [Service] +Environment=KRB5CCNAME=$KRB5CC_HTTPD Environment=GSS_USE_PROXY=yes Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG ExecStartPre=$IPA_HTTPD_KDCPROXY -ExecStopPost=$POST diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 8db9e61..9993c38 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -351,5 +351,6 @@ class BasePathNamespace(object): IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab' EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d' GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf' +KRB5CC_HTTPD = '/tmp/krb5cc-httpd' path_namespace = BasePathNamespace diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py index 5cbe9b8..ad0e13c 100644 --- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py @@ -89,7 +89,6 @@ class DebianPathNamespace(BasePathNamespace): VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec" OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db" IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache" -KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache" IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock" IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log' diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 5bddd14..123595e 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py @@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self): dict( KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, -POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) +KRB5CC_HTTPD=paths.KRB5CC_HTTPD, ) )
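Review bot: The ipa-httpd.conf.template hunk exports `Environment=KRB5CCNAME=$KRB5CC_HTTPD`, which the base paths.py hunk resolves to the fixed name `/tmp/krb5cc-httpd`. Everything the commit message promises (the file is private to the service and disappears on restart) rests on httpd running with a private /tmp, yet nothing in this `[Service]` drop-in enforces or records that. Either add `PrivateTmp=true` here alongside the Environment lines, or put a comment next to `KRB5CCNAME` stating that the unit's PrivateTmp is what keeps this predictable path out of the shared /tmp, so a later unit change cannot silently turn it into a world-visible ccache name.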
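Review bot: The debian/paths.py hunk drops the Debian override `KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache"`, so Debian now inherits `/tmp/krb5cc-httpd` as well; the same private-tmp requirement then has to hold for the apache2 unit on Debian, and since nothing in the redhat/tasks.py hunk is Debian-specific, the commit message should say explicitly that this is intended for all platforms.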
[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop
URL: https://github.com/freeipa/freeipa/pull/468 Author: simo5 Title: #468: Remove non-sensical kdestroy on https stop Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/468/head:pr468 git checkout pr468 From 4cec7509d7601c155e8182ad9cfdb4eecfc33c70 Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Wed, 15 Feb 2017 04:44:59 -0500 Subject: [PATCH] Remove non-sensical kdestroy on https stop This kdestroy runs as root and wipes root's own ccaches ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce <s...@redhat.com> --- install/share/ipa-httpd.conf.template | 2 +- ipaplatform/base/paths.py | 1 + ipaplatform/redhat/tasks.py | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template index 8822066..39bcfcc 100644 --- a/install/share/ipa-httpd.conf.template +++ b/install/share/ipa-httpd.conf.template @@ -1,7 +1,7 @@ # Do not edit. Created by IPA installer. [Service] +Environment=KRB5CCNAME=$KRB5CC_HTTPD Environment=GSS_USE_PROXY=yes Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG ExecStartPre=$IPA_HTTPD_KDCPROXY -ExecStopPost=$POST diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 8db9e61..9993c38 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -351,5 +351,6 @@ class BasePathNamespace(object): IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab' EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d' GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf' +KRB5CC_HTTPD = '/tmp/krb5cc-httpd' path_namespace = BasePathNamespace diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py index 5bddd14..123595e 100644 --- a/ipaplatform/redhat/tasks.py +++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self): dict( KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG, IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY, -POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY) +KRB5CC_HTTPD=paths.KRB5CC_HTTPD, ) )
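Review bot: This revision's diffstat (3 files) no longer touches ipaplatform/debian/paths.py, so Debian keeps its own `KRB5CC_HTTPD` override under `/var/run/apache2` (visible in the previous push's hunk), while the ipa-httpd.conf.template hunk still exports `KRB5CCNAME=$KRB5CC_HTTPD` and removes `ExecStopPost=$POST` for everyone. On Debian that path is not in the unit's private tmp, so the "automatically removed on restart" property from the commit message does not hold there and the dropped cleanup is not replaced by anything; either restore the earlier debian hunk or spell out the platform difference in the commit message.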
[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket
URL: https://github.com/freeipa/freeipa/pull/469 Title: #469: Ignore unlink error in ipa-otpd.socket simo5 commented: """ @tiran I do not know, @npmccallum may know. """ See the full comment at https://github.com/freeipa/freeipa/pull/469#issuecomment-280656899