Issue #5444: [RFE] Support Resource based kerberos constrained delegation - freeipa

freeipa

#5444 [RFE] Support Resource based kerberos constrained delegation

Closed: fixed 2 years ago by frenaud. Opened 9 years ago by simo.

RBKCD is a new delegation model in Windows AD 2012 that allows cross-forest s4u2proxy to work.
It depends on a new option in the MS-PAC being set.
Documented in:
http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/%5BMS-SFU%5D.pdf
in paragraph 2.2.5

Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.5 backlog

8 years ago

pasik commented 7 years ago

This article discusses the implementation & benefits of the new "resource based constrained delegation" of Windows AD 2012:
http://windowsitpro.com/security/how-windows-server-2012-eases-pain-kerberos-constrained-delegation-part-1

Are there currently plans to implement this in freeipa?

pasik commented 5 years ago

It seems Resource Based Constrained Delegation has now been implemented in upstream mit kerberos: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8479

abbra commented 5 years ago

Yes, it is part of 1.18 release. We need to design quite a bit of things on FreeIPA side before working on this:

how to store the access controls for RBCD in LDAP
how to manage them from API, CLI, and Web UI
what should be default settings for standard IPA services
etc

If you have any ideas or use cases, feel free to provide them here in comments.

Metadata Update from @abbra:
- Issue close_status updated to: None
- Issue set to the milestone: None (was: FreeIPA 4.5 backlog)

5 years ago

abbra commented 2 years ago

Taking over now that krb5 1.20 work is done and RBCD interface is exposed to KDB driver.

Metadata Update from @abbra:
- Issue assigned to abbra (was: simo)

2 years ago

rcritten commented 2 years ago

master:

68c113f Ignore empty modification error in case cifs/.. principal already added
9b77739 test_xmlrpc: adopt to automember plugin message changes in 389-ds
adc9609 ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only
b035ac8 doc: add design document for Kerberos constrained delegation
4239b77 IPA API changes to support RBCD
f78dc0b kdb: implement RBCD handling in KDB driver
dd5b189 RBCD: add basic test for RBCD handling
667b82a doc/designs/rbcd.md: add usage examples
0bf0b2d doc/designs/rbcd.md: document use of S-1-18-* SIDs

frenaud commented 2 years ago

ipa-4-10:

e750640 Ignore empty modification error in case cifs/.. principal already added
52e6da9 test_xmlrpc: adopt to automember plugin message changes in 389-ds
7a7ba45 ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only
18cd909 doc: add design document for Kerberos constrained delegation
5b6ad0e IPA API changes to support RBCD
7ac6adf kdb: implement RBCD handling in KDB driver
7d68f4f RBCD: add basic test for RBCD handling
b63e6a2 doc/designs/rbcd.md: add usage examples
cb18ca3 doc/designs/rbcd.md: document use of S-1-18-* SIDs

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata

Assignee

abbra

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

None

affects_doc

None

source

None

knownissue

None

type

enhancement

blockedby

None

test_case

None

component

KDC LDAP driver

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

tester

None

changelog

None

design

None

rhbz

todo

freeipa

Source Code

#5444 [RFE] Support Resource based kerberos constrained delegation Closed: fixed 2 years ago by frenaud. Opened 9 years ago by simo.

Metadata

#5444 [RFE] Support Resource based kerberos constrained delegation

Closed: fixed 2 years ago by frenaud. Opened 9 years ago by simo.