e57a97aa67
- Resolves: RHEL-12589 ipa: Invalid CSRF protection - Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit - Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca' - Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT - Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix - Resolves: RHEL-21810 ipa-client-install --automount-location does not work - Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0 - Resolves: RHEL-21812 Backport latest test fixes in ipa - Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa - Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing - Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
102 lines
6.5 KiB
Diff
102 lines
6.5 KiB
Diff
From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001
|
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Date: Thu, 21 Dec 2023 09:38:57 +0200
|
|
Subject: [PATCH] host: update System: Manage Host Keytab permission
|
|
|
|
Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
|
|
operation to get a keytab is supposed to be used. This keytab
|
|
setting/retrieval extended operation checks access rights of the bound
|
|
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.
|
|
|
|
If the write isn't allowed, the operation is rejected and ipa-getkeytab
|
|
tool falls back to an older code that generates the keytab on the client
|
|
and forcibly sets to the LDAP entry. For the latter, a check is done to
|
|
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.
|
|
|
|
This fallback should never happen for newer deployments. When enrollemnt
|
|
operation is delegated to non-administrative user with the help of 'Host
|
|
Enrollment' role, a host can be pre-created or created at enrollment
|
|
time, if this non-administrative user has 'Host Administrators' role. In
|
|
the latter case a system permission 'System: Manage Host Keytab' grants
|
|
write access to 'krbPrincipalKey' attribute but lacks any access to the
|
|
virtual attributes expected by the new extended operation.
|
|
|
|
There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
|
|
that allows to retrieve existing keys for a host. However, during
|
|
initial enrollment we do not allow to retrieve and reuse existing
|
|
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
|
|
the existing key, 'ipa-join' has no way to trigger that operation.
|
|
Hence, permission 'System: Manage Host Keytab' will not grant the right
|
|
to read the Kerberos key via extended operation used by 'ipa-getkeytab
|
|
-r'. Such operation can be done later by utilizing 'ipa
|
|
service/host-allow-retrieve-keytab' commands.
|
|
|
|
Fix 'System: Manage Host Keytab' permission and extend a permission test
|
|
to see that we do not fallback to the old extended operation.
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9496
|
|
|
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
ACI.txt | 2 +-
|
|
ipaserver/plugins/host.py | 3 ++-
|
|
ipatests/test_integration/test_user_permissions.py | 7 +++++++
|
|
3 files changed, 10 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/ACI.txt b/ACI.txt
|
|
index e6d6e3d1586c098f528d17fe940a1364b415654f..236bb43677bd9d84798a7ab418412b337fbf5c59 100644
|
|
--- a/ACI.txt
|
|
+++ b/ACI.txt
|
|
@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
|
|
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
|
aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
|
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
|
-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
|
+aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
|
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
|
aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
|
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
|
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
|
|
index 3ef510edc77a07ad504f07614d0c5524a3c34646..b02c8b55fde037c5fa0a9c73575b22e3c7177806 100644
|
|
--- a/ipaserver/plugins/host.py
|
|
+++ b/ipaserver/plugins/host.py
|
|
@@ -409,7 +409,8 @@ class host(LDAPObject):
|
|
api.env.container_hostgroup,
|
|
api.env.basedn),
|
|
],
|
|
- 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
|
|
+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey',
|
|
+ 'ipaprotectedoperation;write_keys'},
|
|
'replaces': [
|
|
'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
|
|
],
|
|
diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
|
|
index 3333a4f6b961961aea7dadf2eb36d7ed3b31e410..cd1096ff3582f9c0cfdb16b5ed876164139f1a1b 100644
|
|
--- a/ipatests/test_integration/test_user_permissions.py
|
|
+++ b/ipatests/test_integration/test_user_permissions.py
|
|
@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest):
|
|
self.master.run_command(['ipa', 'privilege-add-permission',
|
|
'--permissions', 'System: Add Hosts',
|
|
'Add Hosts'])
|
|
+ self.master.run_command(['ipa', 'privilege-add-permission',
|
|
+ '--permissions', 'System: Manage Host Keytab',
|
|
+ 'Add Hosts'])
|
|
|
|
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
|
|
'--privileges', 'Host Enrollment'])
|
|
@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest):
|
|
encoding='utf-8')
|
|
assert msg in install_log
|
|
|
|
+ # Make sure we do not fallback to an old keytab retrieval method anymore
|
|
+ msg = "Retrying with pre-4.0 keytab retrieval method..."
|
|
+ assert msg not in install_log
|
|
+
|
|
# check that user is able to request a host cert, too
|
|
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
|
|
assert 'Local IPA host' in result.stdout_text
|
|
--
|
|
2.43.0
|
|
|