From 5a03462bfc94d09192c935b2a158958481d1df01 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Mar 30 2015 13:06:12 +0000 Subject: Use mod_auth_gssapi instead of mod_auth_kerb. https://fedorahosted.org/freeipa/ticket/4190 Reviewed-By: Jan Cholasta Reviewed-By: Petr Vobornik Reviewed-By: Rob Crittenden Reviewed-By: Simo Sorce --- diff --git a/freeipa.spec.in b/freeipa.spec.in index 546f347..8d58f25 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-6 Requires: mod_wsgi -Requires: mod_auth_kerb >= 5.4-16 +Requires: mod_auth_gssapi >= 1.1.0-2 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 Requires: python-krbV @@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so @@ -680,6 +681,7 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles index 1e7a896..b4503cc 100644 --- a/init/systemd/ipa.conf.tmpfiles +++ b/init/systemd/ipa.conf.tmpfiles @@ -1,2 +1,3 @@ d /var/run/ipa_memcached 0700 apache apache d /var/run/ipa 0700 root root +d /var/run/httpd/clientcaches 0700 apache apache diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 62ee955..871fab8 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -3,7 +3,6 @@ # # This file may be overwritten on upgrades. # -# LoadModule auth_kerb_module modules/mod_auth_kerb.so ProxyRequests Off @@ -61,19 +60,14 @@ WSGIScriptReloading Off SetHandler None -KrbConstrainedDelegationLock ipa - # Protect /ipa and everything below it in webspace with Apache Kerberos auth - AuthType Kerberos + AuthType GSSAPI AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - KrbConstrainedDelegation on + GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab + GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab + GssapiDelegCcacheDir /var/run/httpd/clientcaches + GssapiUseS4U2Proxy on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html diff --git a/ipalib/session.py b/ipalib/session.py index ae40fdf..2f732b3 100644 --- a/ipalib/session.py +++ b/ipalib/session.py @@ -484,7 +484,7 @@ improve authentication performance. First some definitions. There are 4 major players: 1. client - 2. mod_auth_kerb (in Apache process) + 2. mod_auth_gssapi (in Apache process) 3. wsgi handler (in IPA wsgi python process) 4. ds (directory server) @@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI. 2. Client sends post to /ipa/json. - 3. mod_auth_kerb is configured to protect /ipa/json, replies 401 + 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401 authenticate negotiate. 4. Client resends with credentials - 5. mod_auth_kerb validates credentials + 5. mod_auth_gssapi validates credentials a. if invalid replies 403 access denied (stops here) @@ -550,7 +550,7 @@ A few notes about the session implementation. Changes to Apache's resource protection --------------------------------------- - * /ipa/json is no longer protected by mod_auth_kerb. This is + * /ipa/json is no longer protected by mod_auth_gssapi. This is necessary to avoid the negotiate expense in steps 3,4,5 above. Instead the /ipa/json resource will be protected in our wsgi handler via the session cookie. @@ -583,15 +583,15 @@ The new sequence is: 5. client sends request to /ipa/login to obtain session credentials - 6. mod_auth_kerb replies 401 negotiate on /ipa/login + 6. mod_auth_gssapi replies 401 negotiate on /ipa/login 7. client sends credentials to /ipa/login - 8. mod_auth_kerb validates credentials + 8. mod_auth_gssapi validates credentials a. if valid - - mod_auth_kerb permits access to /ipa/login. wsgi handler is + - mod_auth_gssapi permits access to /ipa/login. wsgi handler is invoked and does the following: * establishes session for client @@ -600,7 +600,7 @@ The new sequence is: a. if invalid - - mod_auth_kerb sends 403 access denied (processing stops) + - mod_auth_gssapi sends 403 access denied (processing stops) 9. client now posts the same data again to /ipa/json including session cookie. Processing repeats starting at step 2 and since @@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure calls are marshalled and unmarshalled. Under the new scheme /ipa/xml will continue to be Kerberos protected -at all times. Apache's mod_auth_kerb will continue to require the +at all times. Apache's mod_auth_gssapi will continue to require the client provides valid Kerberos credentials. When the WSGI handler routes to /ipa/xml the Kerberos credentials will be extracted from the KRB5CCNAME environment variable as provided by -mod_auth_kerb. Everything else remains the same. +mod_auth_gssapi. Everything else remains the same. ''' diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index d6bc955..4173ed9 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status): def __call__(self, environ, start_response): self.debug('WSGI login_kerberos.__call__:') - # Get the ccache created by mod_auth_kerb + # Get the ccache created by mod_auth_gssapi user_ccache_name=environ.get('KRB5CCNAME') if user_ccache_name is None: return self.internal_error(environ, start_response,