Hi,
please find the design page for ticket
https://fedorahosted.org/freeipa/ticket/2960 at
http://freeipa.org/page/V3/Read_and_use_per_service_pac_type or below.
There are some questions in the text.
bye,
Sumit
= Overview =
In ticket #2184 a new option --pac_type was introduced to ipa
service-mod to individually set the PAC type for each service ticket.
The allowed values are:
* MS-PAC, the PAC used by Microsoft and specified in
* http://msdn.microsoft.com/en-us/library/cc237917.aspx
* PAD, Posix Authorization Data, currently work in progress, draft can
* be found at http://tools.ietf.org/html/draft-ietf-krb-wg-pad-01
* NONE, do not add any authorization data to the ticket
If the attribute is not set the default values specified in the
ipakrbauthzdata attribute of the ipaConfig object is used.
''Question: What about modifying ipaKrbAuthzData for host objects?
Currently I think it is only possible with --setattr.''
''Question: Since ipakrbauthzdata is optional in the ipaGuiConfig
objectclass, someone might delete it manually, which hardcoded default
do we want to use in this case?''
''Question: Since ipakrbauthzdata is a multi-value attribute how should
the case handled where on value is 'NONE'? I assume 'NONE' wins in this
case.'
= Use Cases =
* For services which do not use the authorization data from the PAC the
* PAC type can be set to 'NONE'. This will keep the tickets smaller and
* avoids unneeded load on the FreeIPA server during the PAC processing.
* For services which can only handle Kerberos tickets up to a maximal
* size, e.g. NFS, see #3263, the PAC type should be set to 'NONE'. The
* authorization data in the PAC can become quite large and can make the
* Kerberos ticket grow larger than the service can handle
* For services which cannot handle the default PAC type but need a
* different one. (This is for future versions since currently only the
* MS-PAC is supported)
= Design=
Since the UI/CLI changes were already handled by #2184 no additional
user interaction is needed here.
For the needed changes to the IPA KDC backend the changes done to fix
#3263 can be used as a starting point.
= Implementation =
To avoid issues during upgrade I think all changes done to fix #3263
should be preserved, i.e. the NFS service will have a hardcoded default
'NONE'. Otherwise the LDAP objects of the NFS services must be modified
during upgrade.
In ipadb_sign_authdata() a call like
pre
ret = get_service_pac_type(server-princ, pac_type);
/pre
can be added, where get_service_pac_type() runs a LDAP search with a
filter like
'((objectclass=ipaService)(krbPrincipalName=SERVER_PRINCIPAL))' which
looks for the ipakrbauthzdata attribute.
= Feature Managment =
=== UI ===
UI related changes were added by ticket #2184.
''Question: it looks like the PAC type cannot be explicitly set to
'NONE' in the UI, I guess this needs fixing?''
=== CLI ===
CLI related changes were added by ticket #2184.
= Major configuration options and enablement =
This feature does not need any options and is enabled by default. The
behaviour is controlled by the value of the ipaKrbAuthzData of the
service object and the ipaConfig object.
= Replication =
Changes only affect the KDC IPA backend. If not all server and replicas
are updated with this feature KDCs which are not updated might still
return Kerberos tickets with the default PAC type although there is a
different one mentioned in the service object.
= Updates and Upgrades =
Any impact on the updates and upgrades?
= Dependencies =
This feature does not add any new dependencies.
= External Impact =
The changes will only touch the KDC IPA backend, no external impact is
expected.
= RFE Author =
[[User:Sbose|Sumit Bose]]
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
