From 3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Apr 28 2017 08:38:12 +0000
Subject: Use only anonymous PKINIT to fetch armor ccache

Since the anonymous principal can only use PKINIT to fetch credential cache it makes no sense to try and use its kerberos key to establish FAST channel. We should also be able to use custom PKINIT anchor for the armoring.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy
Reviewed-By: Jan Cholasta
Reviewed-By: Martin Basti
Reviewed-By: Simo Sorce
---
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 1e4d1a8..fb6caee 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -7,7 +7,6 @@ import time
 import gssapi
-from ipalib.constants import ANON_USER
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import run
@@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None,
         raise RuntimeError(result.error_output)
-def kinit_armor(ccache_name):
+def kinit_armor(ccache_name, pkinit_anchor=None):
     """
-    perform kinit to obtain anonymous ticket to be used as armor for FAST.
+    perform anonymous pkinit to obtain anonymous ticket to be used as armor
+    for FAST.
+
+    :param ccache_name: location of the armor ccache
+    :param pkinit_anchor: if not None, the location of PKINIT anchor file to
+        use. Otherwise the value from Kerberos client library configuration is
+        used
+
+    :raises: CalledProcessError if the anonymous PKINIT fails
     """
     root_logger.debug("Initializing anonymous ccache")
     env = {'LC_ALL': 'C'}
-    # try with the keytab first and then again fallback to try with pkinit in
-    # case someone decided it is fun to remove Anonymous keys from the entry
-    # or in future pkinit enabled principal enforce the use of pkinit
-    try:
-        # Gssapi does not understand anonymous cred use kinit command instead
-        args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB,
-                ANON_USER, '-c', ccache_name]
-        run(args, env=env, raiseonerr=True, capture_error=True)
-        return
-    except Exception as e:
-        root_logger.debug("Failed to init Anonymous keytab: %s", e,
-                          exc_info=True)
-
-    root_logger.debug("Fallback to slower Anonymous PKINIT")
     args = [paths.KINIT, '-n', '-c', ccache_name]
+    if pkinit_anchor is not None:
+        args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)])
+
     # this workaround enables us to capture stderr and put it
     # into the raised exception in case of unsuccessful authentication
     run(args, env=env, raiseonerr=True, capture_error=True)
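Review bot: The new `'X509_anchors=FILE:{}'.format(pkinit_anchor)` hard-codes the `FILE:` prefix, so `pkinit_anchor` must be a bare path to a single anchor file, yet the docstring only says "location of PKINIT anchor file"; a caller passing an already-prefixed `FILE:`/`DIR:` value or a directory would only fail inside kinit with a generic error. The `:param pkinit_anchor:` entry should state this, e.g. `:param pkinit_anchor: filesystem path to the PKINIT trust anchor file; it is passed to kinit as X509_anchors=FILE:<path>, so no FILE:/DIR: prefix is expected. If None, the anchors from the Kerberos client configuration are used`. Since the keytab fallback is gone, an anonymous PKINIT failure is now the only outcome when the anchor is wrong, so a `root_logger.debug("Using PKINIT anchor %s", pkinit_anchor)` inside the new `if` block would make it visible in logs which anchor was actually supplied. The `:raises:` entry refers to the exception `run(..., raiseonerr=True)` raises, which matches the visible call; whether kinit_armor has further lines after the final `run(...)` is not visible in this hunk.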