diff --git a/0028-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch b/0028-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch
new file mode 100644
index 0000000..a432535
--- /dev/null
+++ b/0028-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch
@@ -0,0 +1,148 @@
+From c71e12e902b3912c31245d46ad6f2c2ddee01126 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 1 Oct 2024 11:28:28 +0300
+Subject: [PATCH] selinux: allow Cockpit to use HTTP keytab on IPA servers
+
+Cockpit can use GSSAPI authentication and has pretty good definition of
+how to enable it: https://cockpit-project.org/guide/latest/sso.html.
+These instructions work on IPA clients but they cannot be used on IPA
+servers because IPA framework already owns HTTP/.. Kerberos service and
+its keytab.
+
+Luckily, there are two changes that need to be done to enable Cockpit
+single sign-on with GSSAPI on IPA servers:
+
+ - create a symlink /etc/cockpit/krb5.keytab to
+ /var/lib/ipa/gssproxy/http.keytab
+
+ - add SELinux policy to allow cockpit_session_t to operate on
+ /var/lib/ipa/gssproxy/http.keytab file
+
+For existing installation an upgrade process would restore SELinux
+context of the http.keytab file to the new value.
+
+Note that Cockpit documentation above also talks about Kerberos service
+modifications to enable delegation. These modifications should not be
+done for IPA servers' HTTP services, as these services are already
+enabled to handle delegation.
+
+Fixes: https://pagure.io/freeipa/issue/9675
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Rob Crittenden
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/install/server/upgrade.py | 1 +
+ selinux/ipa.fc | 2 ++
+ selinux/ipa.if | 24 ++++++++++++++++++++++++
+ selinux/ipa.te | 19 +++++++++++++++++++
+ 4 files changed, 46 insertions(+)
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 31d4f8398cfb0251cc59ada909eb55635b83e960..d5c466ee2f905eafd15663fef46d052ade30d742 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1124,6 +1124,7 @@ def update_http_keytab(http):
+ paths.OLD_IPA_KEYTAB, e
+ )
+ http.keytab_user.chown(http.keytab)
++ tasks.restore_context(http.keytab)
+
+
+ def ds_enable_sidgen_extdom_plugins(ds):
+diff --git a/selinux/ipa.fc b/selinux/ipa.fc
+index 47bd19ba77418cad1f0904dc4a9a35ce9d6ff9d2..15e8e41aa50228ff560e338044240b46bc24cc40 100644
+--- a/selinux/ipa.fc
++++ b/selinux/ipa.fc
+@@ -22,6 +22,8 @@
+
+ /var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+
++/var/lib/ipa/gssproxy/http.keytab -- gen_context(system_u:object_r:ipa_http_keytab_t,s0)
++
+ /var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
+
+ /var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+diff --git a/selinux/ipa.if b/selinux/ipa.if
+index 8c47e7963af92b1ddcd59d92aa45d6b8e9c0c6cc..8f3147e10bd294665dd41e1c1f99c993d9699d20 100644
+--- a/selinux/ipa.if
++++ b/selinux/ipa.if
+@@ -155,6 +155,7 @@ interface(`ipa_manage_log',`
+ ########################################
+ ##
+ ## Allow domain to manage ipa lib files/dirs.
++## This includes reading ipa_http_keytab_t files.
+ ##
+ ##
+ ##
+@@ -164,10 +165,33 @@ interface(`ipa_manage_log',`
+ #
+ interface(`ipa_read_lib',`
+ gen_require(`
++ type ipa_http_keytab_t;
+ type ipa_var_lib_t;
+ ')
+
+ read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++ read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)
++ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
++')
++
++########################################
++##
++## Allow domain to manage ipa HTTP keytab file.
++## This includes reading ipa_var_lib_t directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_read_http_keytab',`
++ gen_require(`
++ type ipa_http_keytab_t;
++ type ipa_var_lib_t;
++ ')
++
++ read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)
+ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ ')
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 2546a9bd9468200185c484974a9e71f16f89de71..e4ce66687a48b27e85591cdd8352f7cac94d3151 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -43,6 +43,9 @@ logging_log_file(ipa_log_t)
+ type ipa_var_lib_t;
+ files_type(ipa_var_lib_t)
+
++type ipa_http_keytab_t;
++files_type(ipa_http_keytab_t)
++
+ type ipa_var_run_t;
+ files_pid_file(ipa_var_run_t)
+
+@@ -516,3 +519,19 @@ optional_policy(`
+ ')
+ allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read };
+ ')
++
++# gssproxy needs to read http keytab
++optional_policy(`
++ gen_require(`
++ type gssproxy_t;
++ ')
++ ipa_read_http_keytab(gssproxy_t)
++')
++
++# Allow Cockpit to use HTTP keytab on IPA servers for GSSAPI authentication
++optional_policy(`
++ gen_require(`
++ type cockpit_session_t;
++ ')
++ ipa_read_http_keytab(cockpit_session_t)
++')
+--
+2.47.0
+
diff --git a/0029-Minimal-test-for-Cockpit-integration-on-IPA-master.patch b/0029-Minimal-test-for-Cockpit-integration-on-IPA-master.patch
new file mode 100644
index 0000000..d079f16
--- /dev/null
+++ b/0029-Minimal-test-for-Cockpit-integration-on-IPA-master.patch
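Review bot: The relabel `tasks.restore_context(http.keytab)` added at the end of `update_http_keytab` (whose body starts outside the hunk) only runs on upgrade, while the new `ipa.fc` entry for `/var/lib/ipa/gssproxy/http.keytab` is a file-only (`--`) spec that takes effect when restorecon is run, not when a file is created; if the keytab is ever regenerated in place outside this upgrade path, the new file would carry the creating domain's default label instead of `ipa_http_keytab_t`, and `gssproxy_t` / `cockpit_session_t` reads would be denied until the next relabel. Consider a `filetrans_pattern`-style named transition in `ipa.te` for the `http.keytab` name under `ipa_var_lib_t`, or at least a comment on the restore_context call such as `# label is only guaranteed after upgrade or restorecon; a rewritten keytab needs relabeling` so the assumption is visible. Separately, extending `ipa_read_lib` to `ipa_http_keytab_t` means every existing `ipa_read_lib` caller keeps read access to the keytab, so the dedicated type narrows nothing for those domains; a `# compat: existing ipa_read_lib callers retain keytab read` comment next to that `read_files_pattern` line would make the intent explicit for a later audit.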
@@ -0,0 +1,94 @@
+From 0dadcbb4ac9f6142b5130f025f64d918d6f208a9 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 8 Oct 2024 10:25:08 +0300
+Subject: [PATCH] Minimal test for Cockpit integration on IPA master
+
+Add a test to share HTTP service keytab on IPA master between IPA and
+Cockpit. The test configures Cockpit with IPA CA-issued certificate and
+allows Cockpit to access IPA HTTP service keytab for authentication.
+
+The test then attempts to authenticate with GSSAPI as admin user. A
+successful result is when we receive CSRF token from the Cockpit as
+the result of this authentication. This means we have logged in
+successfully with Kerberos.
+
+Fixes: https://pagure.io/freeipa/issue/9675
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Rob Crittenden
+Reviewed-By: Rob Crittenden
+---
+ ipatests/test_integration/test_cockpit.py | 61 +++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+ create mode 100644 ipatests/test_integration/test_cockpit.py
+
+diff --git a/ipatests/test_integration/test_cockpit.py b/ipatests/test_integration/test_cockpit.py
+new file mode 100644
+index 0000000000000000000000000000000000000000..cdc96170a116536c7aa00be78cc4e0225804e21c
+--- /dev/null
++++ b/ipatests/test_integration/test_cockpit.py
+@@ -0,0 +1,61 @@
++#
++# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
++#
++
++from __future__ import absolute_import
++
++import time
++from ipatests.pytest_ipa.integration import tasks
++from ipatests.test_integration.base import IntegrationTest
++from ipaplatform.paths import paths
++
++
++class TestCockpitIntegration(IntegrationTest):
++ topology = "line"
++ reqcert = '/etc/cockpit/ws-certs.d/99-cockpit.cert'
++ reqkey = '/etc/cockpit/ws-certs.d/99-cockpit.key'
++ symlink = '/etc/cockpit/krb5.keytab'
++
++ @classmethod
++ def uninstall(cls, mh):
++ cls.master.run_command(['ipa-getcert', 'stop-tracking', '-f',
++ cls.reqcert], raiseonerr=False)
++ cls.master.run_command(['rm', '-f', cls.symlink], raiseonerr=False)
++ cls.master.run_command(['systemctl', 'disable', '--now',
++ 'cockpit.socket'])
++ super(TestCockpitIntegration, cls).uninstall(mh)
++
++ @classmethod
++ def install(cls, mh):
++ master = cls.master
++
++ # Install Cockpit and configure it to use IPA certificate and keytab
++ master.run_command(['dnf', 'install', '-y', 'cockpit', 'curl'],
++ raiseonerr=False)
++
++ super(TestCockpitIntegration, cls).install(mh)
++
++ master.run_command(['ipa-getcert', 'request', '-f', cls.reqcert, '-k',
++ cls.reqkey, '-D', cls.master.hostname, '-K',
++ 'host/' + cls.master.hostname, '-m', '0640', '-o',
++ 'root:cockpit-ws', '-O', 'root:root', '-M',
++ '0644'], raiseonerr=False)
++
++ master.run_command(['ln', '-s', paths.HTTP_KEYTAB, cls.symlink],
++ raiseonerr=False)
++
++ time.sleep(5)
++ master.run_command(['systemctl', 'enable', '--now', 'cockpit.socket'])
++
++ def test_login_with_kerberos(self):
++ """
++ Login to Cockpit using GSSAPI authentication
++ """
++ master = self.master
++ tasks.kinit_admin(master)
++
++ cockpit_login = f'https://{master.hostname}:9090/cockpit/login'
++ result = master.run_command([paths.BIN_CURL, '-u:', '--negotiate',
++ '--cacert', paths.IPA_CA_CRT,
++ cockpit_login])
++ assert ("csrf-token" in result.stdout_text)
+--
+2.47.0
+
diff --git a/0030-ipaserver-dcerpc-support-Samba-4.21.patch b/0030-ipaserver-dcerpc-support-Samba-4.21.patch
new file mode 100644
index 0000000..241d410
--- /dev/null
+++ b/0030-ipaserver-dcerpc-support-Samba-4.21.patch
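Review bot: `install` relies on `time.sleep(5)` after `ipa-getcert request` for certmonger to issue the Cockpit certificate, and both the request and the `ln -s` of the keytab run with `raiseonerr=False`, so a slow or failed issuance, or a pre-existing `/etc/cockpit/krb5.keytab`, is silently ignored and `test_login_with_kerberos` then fails on the `--cacert` TLS check rather than on GSSAPI, which obscures what actually broke. Pass `-w` to `ipa-getcert request` so it blocks until the certificate is issued, drop `raiseonerr=False` on the request and on the `ln -s` call, and replace the fixed sleep with a check that `cls.reqcert` exists before enabling `cockpit.socket`. The `dnf install` call can reasonably stay best-effort, but a comment such as `# cockpit may already be present on the image; tolerate install errors here` would make that intent explicit.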
@@ -0,0 +1,38 @@
+From c306c613399cdd9a2c716b83ce0d47d320aec2a8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 19 Nov 2024 12:57:46 +0200
+Subject: [PATCH] ipaserver/dcerpc: support Samba 4.21
+
+Samba 4.21 moved samba.trust_utils module to samba.lsa_utils.
+
+Fixes: https://pagure.io/freeipa/issue/9702
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/dcerpc.py | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index a28c72361276f12a1a02cd126425ac3c62eddd4f..3344ea226e3cba61912e717f9c375612bb4707e0 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -55,9 +55,13 @@ from samba import ntstatus
+ import samba
+
+ try:
+- from samba.trust_utils import CreateTrustedDomainRelax
++ from samba.lsa_utils import CreateTrustedDomainRelax
+ except ImportError:
+- CreateTrustedDomainRelax = None
++ try:
++ from samba.trust_utils import CreateTrustedDomainRelax
++ except ImportError:
++ CreateTrustedDomainRelax = None
++
+ try:
+ from samba import arcfour_encrypt
+ except ImportError:
+--
+2.47.0
+
diff --git a/freeipa.spec b/freeipa.spec
index 0ac1229..f94966a 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -224,7 +224,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 5%{?rc_version:.%rc_version}%{?dist}
+Release: 6%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
@@ -275,6 +275,9 @@ Patch0024: 0024-ipa-migrate-should-migrate-dns-forward-zones.patch
 Patch0025: 0025-ipatests-Tests-for-ipa-migrate-tool.patch
 Patch0026: 0026-Fix-Organization-field-in-Okta-not-required.patch
 Patch0027: 0027-ipatests-install-master-with-allow-zone-overlap.patch
+Patch0028: 0028-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch
+Patch0029: 0029-Minimal-test-for-Cockpit-integration-on-IPA-master.patch
+Patch0030: 0030-ipaserver-dcerpc-support-Samba-4.21.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1890,6 +1893,10 @@ fi
 %endif
 %changelog
+* Wed Nov 27 2024 Florence Blanc-Renaud - 4.12.2-6
+- Resolves: RHEL-68448 ipa trust-add fails in FIPS mode with an internal error has occurred
+- Resolves: RHEL-69301 Support GSSAPI in Cockpit on IPA servers
+
 * Wed Nov 20 2024 Florence Blanc-Renaud - 4.12.2-5
 - Resolves: RHEL-67414 ipa dns-zone --allow-query '!198.18.2.0/24;any;' fails with Unrecognized IPAddress flags
 - Resolves: RHEL-67410 ipa-migrate should also migrate DNS forward zones
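Review bot: The new two-level import fallback in `dcerpc.py` carries no comment saying why both module paths are tried, so a later reader has to dig up the commit message to learn that the helper moved between Samba releases; add `# Samba 4.21 moved CreateTrustedDomainRelax from samba.trust_utils to samba.lsa_utils; try the new location first` above the outer `try:`. The nesting is acceptable for two candidates, but if more locations ever need to be tried, a single loop over module names with `importlib.import_module` would read flatter than a third nested `try`. The module-level import block this sits in continues outside the hunk.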