Allow admins to disable preauth for SPNs.

Some legacy software is not able to properly cope with preauthentication;
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded:
for users, who use passwords of lesser entropy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Simo Sorce 2015-11-24 15:39:08 -05:00 committed by Martin Basti
parent de63e16922
commit 3e45c9be0a
6 changed files with 32 additions and 10 deletions


@ -766,7 +766,7 @@ args: 0,25,3
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('delattr*', cli_name='delattr', exclude='webui')
option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout'))
option: StrEnum('ipaconfigstring', attribute=True, autofill=False, cli_name='ipaconfigstring', csv=True, multivalue=True, required=False, values=(u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'))
option: Str('ipadefaultemaildomain', attribute=True, autofill=False, cli_name='emaildomain', multivalue=False, required=False)
option: Str('ipadefaultloginshell', attribute=True, autofill=False, cli_name='defaultshell', multivalue=False, required=False)
option: Str('ipadefaultprimarygroup', attribute=True, autofill=False, cli_name='defaultgroup', multivalue=False, required=False)


@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=163
# Last change: jcholast - replica install: add remote connection check over API
IPA_API_VERSION_MINOR=164
# Last change: simo - add optional string to disable preauth for SPNs


@ -261,12 +261,13 @@ static int ipadb_load_global_config(struct ipadb_context *ipactx)
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_last_success = true;
continue;
}
if (strncasecmp("KDC:Disable Lockout",
} else if (strncasecmp("KDC:Disable Lockout",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_lockout = true;
continue;
} else if (strncasecmp("KDC:Disable Default Preauth for SPNs",
vals[i]->bv_val, vals[i]->bv_len) == 0) {
ipactx->config.disable_preauth_for_spns = true;
}
}
}
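Review bot: The new `strncasecmp("KDC:Disable Default Preauth for SPNs", vals[i]->bv_val, vals[i]->bv_len)` branch, like the two existing branches above it, bounds the comparison by the attribute value's length only, so a value that is merely a prefix of the literal (for example `KDC:Disable Default`) compares equal and silently enables the option. Checking the length as well closes that, e.g. `vals[i]->bv_len == sizeof("KDC:Disable Default Preauth for SPNs") - 1 && strncasecmp(...) == 0`; the same applies to the Disable Last Success and Disable Lockout branches. The enclosing ipadb_load_global_config starts and ends outside this hunk.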


@ -93,6 +93,7 @@ struct ipadb_global_config {
bool disable_lockout;
char **authz_data;
enum ipadb_user_auth user_auth;
bool disable_preauth_for_spns;
};
struct ipadb_context {
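Review bot: The new `disable_preauth_for_spns` field carries no comment, and its name alone does not convey that it only changes the default rather than overriding an explicit ticket policy (the commit message and the ipadb_fetch_tktpolicy change make that distinction). A one-line comment keeps that contract next to the field: `bool disable_preauth_for_spns; /* KDC:Disable Default Preauth for SPNs; default only, explicit policies still apply */`. The enclosing struct starts outside this hunk.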


@ -921,6 +921,25 @@ static krb5_error_code ipadb_find_principal(krb5_context kcontext,
return 0;
}
static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
krb5_db_entry *entry)
{
const struct ipadb_global_config *config;
struct ipadb_e_data *ied;
config = ipadb_get_global_config(ipactx);
if (config->disable_preauth_for_spns) {
ied = (struct ipadb_e_data *)entry->e_data;
if (ied && ied->ipa_user != true) {
/* not a user, assume SPN */
return 0;
}
}
/* By default require preauth for all principals */
return KRB5_KDB_REQUIRES_PRE_AUTH;
}
static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
LDAPMessage *lentry,
krb5_db_entry *entry,
@ -991,7 +1010,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
if (ret == 0) {
entry->attributes |= result;
} else {
entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
entry->attributes |= maybe_require_preauth(ipactx, entry);
}
}
}
@ -1007,7 +1026,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
entry->max_renewable_life = 604800;
}
if (polmask & TKTFLAGS_BIT) {
entry->attributes |= KRB5_KDB_REQUIRES_PRE_AUTH;
entry->attributes |= maybe_require_preauth(ipactx, entry);
}
kerr = 0;
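Review bot: `config` returned by `ipadb_get_global_config(ipactx)` is dereferenced unconditionally in maybe_require_preauth; if that helper can return NULL when a config reload fails (it appears to elsewhere in ipa_kdb.c, not visible here), a transient LDAP error would crash the KDC in the ticket-policy path. Guarding with `if (config && config->disable_preauth_for_spns) {` fails closed, so KRB5_KDB_REQUIRES_PRE_AUTH stays the result whenever the config is unavailable. As a style point, `ied->ipa_user != true` reads more naturally as `!ied->ipa_user`, and a short comment on maybe_require_preauth stating that it only supplies the default flag (ipadb_fetch_tktpolicy ORs in an explicit policy result first when one exists) would help the next reader. The two ipadb_fetch_tktpolicy hunks below are the callers; that function starts and ends outside these hunks.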


@ -205,7 +205,8 @@ class config(LDAPObject):
label=_('Password plugin features'),
doc=_('Extra hashes to generate in password plug-in'),
values=(u'AllowNThash',
u'KDC:Disable Last Success', u'KDC:Disable Lockout'),
u'KDC:Disable Last Success', u'KDC:Disable Lockout',
u'KDC:Disable Default Preauth for SPNs'),
csv=True,
),
Str('ipaselinuxusermaporder',
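Review bot: The `doc` string for this option still reads `Extra hashes to generate in password plug-in` while the added `KDC:Disable Default Preauth for SPNs` value changes KDC preauthentication behaviour for service principals, so an admin reading the option help gets no hint of what the new value does or that it relaxes a default. Consider widening the doc, e.g. `doc=_('Extra hashes to generate in password plug-in and KDC behaviour toggles')`, or describing the new value in the plugin's help text. The enclosing `config` class starts and ends outside this hunk.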