Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-06-23 17:01:00 +02:00
parent 49d708f00f
commit 495da412f1
15 changed files with 335 additions and 5 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -22,6 +22,10 @@

 %define _hardened_build 1

+%define kdcproxy_user kdcproxy
+%define kdcproxy_group kdcproxy
+%define kdcproxy_home %{_sharedstatedir}/kdcproxy
+
 Name:           freeipa
 Version:        __VERSION__
 Release:        __RELEASE__%{?dist}
@@ -95,6 +99,7 @@ BuildRequires:  p11-kit-devel
 BuildRequires:  pki-base >= 10.2.4-1
 BuildRequires:  python-pytest-multihost >= 0.5
 BuildRequires:  python-pytest-sourceorder
+BuildRequires:  python-kdcproxy >= 0.3

 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -130,6 +135,7 @@ Requires: memcached
 Requires: python-memcached
 Requires: dbus-python
 Requires: systemd-units >= 38
+Requires(pre): shadow-utils
 Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
@@ -140,6 +146,7 @@ Requires: pki-kra >= 10.2.4-1
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1
+Requires: python-kdcproxy >= 0.3
 Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
@@ -429,6 +436,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
 # So we can own our Apache configuration
 mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_usr}/share/ipa/html/
@@ -458,6 +466,10 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 # Web UI plugin dir
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins

+# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
+mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
+install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
+
 # NOTE: systemd specific section
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
@@ -551,6 +563,13 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi

+# create kdcproxy user
+getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
+getent passwd %{kdcproxy_user} >/dev/null || \
+    /usr/sbin/useradd -r -m -c "IPA KDC Proxy User" -s /sbin/nologin \
+    -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
+exit 0
+
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
    if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
@@ -683,9 +702,11 @@ fi
 %{_libexecdir}/ipa/ipa-dnskeysyncd
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
+%{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
+%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
@@ -777,10 +798,13 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
+%{_usr}/share/ipa/kdcproxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
@@ -903,6 +927,7 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
 %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
 %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
 %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -2,3 +2,5 @@

 [Service]
 Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
+Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
+ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA =                              \
 	ipa.conf			\
+	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf		\
 	ipa-rewrite.conf		\
 	$(NULL)
--- a/install/conf/ipa-kdc-proxy.conf.template
+++ b/install/conf/ipa-kdc-proxy.conf.template
@@ -0,0 +1,30 @@
+# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy)
+#
+# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained
+# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in
+# httpd.service. The service also sets the environment variable
+# KDCPROXY_CONFIG to $KDCPROXY_CONFIG.
+#
+# Disable KDC Proxy on the current host:
+#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
+#   # systemctl restart httpd.service
+#
+# Enable KDC Proxy on the current host:
+#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
+#   # systemctl restart httpd.service
+#
+
+WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
+  user=kdcproxy group=kdcproxy display-name=%{GROUP}
+WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
+  process-group=kdcproxy application-group=kdcproxy
+WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
+WSGIScriptReloading Off
+
+<Location "/KdcProxy">
+  Satisfy Any
+  Order Deny,Allow
+  Allow from all
+  WSGIProcessGroup kdcproxy
+  WSGIApplicationGroup kdcproxy
+</Location>
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -41,9 +41,7 @@ WSGISocketPrefix /run/httpd/wsgi


 # Configure mod_wsgi handler for /ipa
-WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
-WSGIProcessGroup ipa
-WSGIApplicationGroup ipa
+WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 display-name=%{GROUP}
 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 WSGIScriptReloading Off
@@ -70,6 +68,8 @@ WSGIScriptReloading Off
  GssapiUseS4U2Proxy on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
+  WSGIProcessGroup ipa
+  WSGIApplicationGroup ipa
 </Location>

 # Turn off Apache authentication for sessions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -84,6 +84,9 @@ app_DATA =				\
 	sasl-mapping-fallback.ldif	\
 	schema-update.ldif		\
 	vault.update			\
+	kdcproxy.conf			\
+	kdcproxy-enable.uldif		\
+	kdcproxy-disable.uldif		\
 	$(NULL)

 EXTRA_DIST =				\
--- a/install/share/kdcproxy-disable.uldif
+++ b/install/share/kdcproxy-disable.uldif
@@ -0,0 +1,3 @@
+# Disable MS-KKDCP protocol for the current host
+dn: cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+remove:ipaConfigString:kdcProxyEnabled
--- a/install/share/kdcproxy-enable.uldif
+++ b/install/share/kdcproxy-enable.uldif
@@ -0,0 +1,6 @@
+# Enable MS-KKDCP protocol for the current host
+dn: cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: ipaConfigObject
+default:cn: KDC
+add: ipaConfigString: kdcProxyEnabled
--- a/install/share/kdcproxy.conf
+++ b/install/share/kdcproxy.conf
@@ -0,0 +1,4 @@
+[global]
+configs = mit
+use_dns = false
+
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -35,6 +35,11 @@ EXTRA_DIST =			\
 	$(sbin_SCRIPTS)		\
 	$(NULL)

+appdir = $(libexecdir)/ipa/
+app_SCRIPTS =			\
+	ipa-httpd-kdcproxy	\
+	$(NULL)
+
 MAINTAINERCLEANFILES =		\
 	*~			\
 	Makefile.in
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -0,0 +1,180 @@
+#!/usr/bin/python2
+# Authors:
+#   Christian Heimes <cheimes@redhat.com>
+#
+# Copyright (C) 2015  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+"""ipa-httpd-kdproxy
+
+This script creates or removes the symlink from /etc/ipa/ipa-kdc-proxy.conf
+to /etc/httpd/conf.d/. It's called from ExecStartPre hook in httpd.service.
+"""
+import os
+import sys
+
+from ipalib import api, errors
+from ipapython.ipa_log_manager import standard_logging_setup
+from ipapython.ipaldap import IPAdmin
+from ipapython.dn import DN
+from ipaplatform.paths import paths
+
+
+DEBUG = False
+TIME_LIMIT = 2
+
+
+class CheckError(Exception):
+    """An unrecoverable error has occured"""
+
+
+class KDCProxyConfig(object):
+    ipaconfig_flag = 'ipaKDCProxyEnabled'
+
+    def __init__(self, time_limit=TIME_LIMIT):
+        self.time_limit = time_limit
+        self.con = None
+        self.log = api.log
+        self.ldap_uri = api.env.ldap_uri
+        self.kdc_dn = DN(('cn', 'KDC'), ('cn', api.env.host),
+                         ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+                         api.env.basedn)
+        self.conf = paths.HTTPD_IPA_KDCPROXY_CONF
+        self.conflink = paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK
+
+    def _ldap_con(self):
+        """Establish LDAP connection"""
+        self.log.debug('ldap_uri: %s', self.ldap_uri)
+        try:
+            self.con = IPAdmin(ldap_uri=self.ldap_uri)
+            # EXTERNAL bind as root user
+            self.con.ldapi = True
+            self.con.do_bind(timeout=self.time_limit)
+        except errors.NetworkError as e:
+            msg = 'Failed to get setting from dirsrv: %s' % e
+            self.log.exception(msg)
+            raise CheckError(msg)
+        except Exception as e:
+            msg = ('Unknown error while retrieving setting from %s: %s' %
+                   (self.ldap_uri, e))
+            self.log.exception(msg)
+            raise CheckError(msg)
+
+    def _find_entry(self, dn, attrs, filter, scope=IPAdmin.SCOPE_BASE):
+        """Find an LDAP entry, handles NotFound and Limit"""
+        try:
+            entries, truncated = self.con.find_entries(
+                filter, attrs, dn, scope, time_limit=self.time_limit)
+            if truncated:
+                raise errors.LimitsExceeded()
+        except errors.NotFound:
+            self.log.debug('Entry not found: %s', dn)
+            return None
+        except Exception as e:
+            msg = ('Unknown error while retrieving setting from %s: %s' %
+                   (self.ldap_uri, e))
+            self.log.exception(msg)
+            raise CheckError(msg)
+        return entries[0]
+
+    def is_host_enabled(self):
+        """Check replica specific flag"""
+        self.log.debug('Read settings from dn: %s', self.kdc_dn)
+        srcfilter = self.con.make_filter(
+            {'ipaConfigString': u'kdcProxyEnabled'}
+        )
+        entry = self._find_entry(self.kdc_dn, ['cn'], srcfilter)
+        self.log.debug('%s ipaConfigString: %s', self.kdc_dn, entry)
+        return entry is not None
+
+    def validate_symlink(self):
+        """Validate symlink in Apache conf.d"""
+        if not os.path.exists(self.conflink):
+            return False
+        if not os.path.islink(self.conflink):
+            raise CheckError("'%s' already exists, but it is not a symlink" %
+                             self.conflink)
+        dest = os.readlink(self.conflink)
+        if dest != self.conf:
+            raise CheckError("'%s' points to '%s', expected '%s'"
+                             % (self.conflink, dest, self.conf))
+        return True
+
+    def create_symlink(self):
+        """Create symlink to enable KDC proxy support"""
+        try:
+            valid = self.validate_symlink()
+        except CheckError as e:
+            self.log.warn("Cannot enable KDC proxy: %s " % e)
+            return False
+
+        if valid:
+            self.log.debug("Symlink exists and is valid")
+            return True
+
+        if not os.path.isfile(self.conf):
+            self.log.warn("'%s' does not exist", self.conf)
+            return False
+
+        # create the symbolic link
+        self.log.debug("Creating symlink from '%s' to '%s'",
+                       self.conf, self.conflink)
+        os.symlink(self.conf, self.conflink)
+        return True
+
+    def remove_symlink(self):
+        """Delete symlink to disable KDC proxy support"""
+        try:
+            valid = self.validate_symlink()
+        except CheckError as e:
+            self.log.warn("Cannot disable KDC proxy: %s " % e)
+            return False
+
+        if valid:
+            self.log.debug("Removing symlink '%s'", self.conflink)
+            os.unlink(self.conflink)
+        else:
+            self.log.debug("Symlink '%s' has already been removed.",
+                           self.conflink)
+
+        return True
+
+    def __enter__(self):
+        self._ldap_con()
+        return self
+
+    def __exit__(self, exc_type, exc_value, traceback):
+        if self.con is not None:
+            self.con.unbind()
+            self.con = None
+
+
+def main(debug=DEBUG, time_limit=TIME_LIMIT):
+    # initialize API without file logging
+    if not api.isdone('bootstrap'):
+        api.bootstrap(context='kdcproxyshim', log=None, debug=debug)
+        standard_logging_setup(verbose=True, debug=debug)
+
+    with KDCProxyConfig(time_limit) as cfg:
+        if cfg.is_host_enabled():
+            if cfg.create_symlink():
+                api.log.info('KDC proxy enabled')
+        else:
+            if cfg.remove_symlink():
+                api.log.info('KDC proxy disabled')
+
+if __name__ == '__main__':
+    main()
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -49,6 +49,8 @@ class BasePathNamespace(object):
    ALIAS_CACERT_ASC = "/etc/httpd/alias/cacert.asc"
    ALIAS_PWDFILE_TXT = "/etc/httpd/alias/pwdfile.txt"
    HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
+    HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
+    HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"
    HTTPD_IPA_PKI_PROXY_CONF = "/etc/httpd/conf.d/ipa-pki-proxy.conf"
    HTTPD_IPA_REWRITE_CONF = "/etc/httpd/conf.d/ipa-rewrite.conf"
    HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
@@ -342,7 +344,7 @@ class BasePathNamespace(object):
    DB2LDIF = '/usr/sbin/db2ldif'
    BAK2DB = '/usr/sbin/bak2db'
    DB2BAK = '/usr/sbin/db2bak'
-
+    KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf'


 path_namespace = BasePathNamespace
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -33,15 +33,16 @@ import installutils
 from ipapython import sysrestore
 from ipapython import ipautil
 from ipapython import dogtag
+from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 import ipapython.errors
 from ipaserver.install import sysupgrade
 from ipalib import api
+from ipalib import errors
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
 from ipaplatform import services

-
 SELINUX_BOOLEAN_SETTINGS = dict(
    httpd_can_network_connect='on',
    httpd_manage_ipa='on',
@@ -136,6 +137,9 @@ class HTTPInstance(service.Service):
        self.step("creating a keytab for httpd", self.__create_http_keytab)
        self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
        self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+        if not self.is_kdcproxy_configured():
+            self.step("create KDC proxy config", self.create_kdcproxy_conf)
+            self.step("enable KDC proxy", self.enable_kdcproxy)
        self.step("restarting httpd", self.__start)
        self.step("configuring httpd to start on boot", self.__enable)

@@ -381,6 +385,63 @@ class HTTPInstance(service.Service):
        ca_db = certs.CertDB(self.realm)
        ca_db.publish_ca_cert(paths.CA_CRT)

+    def is_kdcproxy_configured(self):
+        """Check if KDC proxy has already been configured in the past"""
+        return os.path.isfile(paths.HTTPD_IPA_KDCPROXY_CONF)
+
+    def enable_kdcproxy(self):
+        """Add ipaConfigString=kdcProxyEnabled to cn=KDC"""
+        entry_name = DN(('cn', 'KDC'), ('cn', self.fqdn), ('cn', 'masters'),
+                        ('cn', 'ipa'), ('cn', 'etc'), self.suffix)
+        attr_name = 'kdcProxyEnabled'
+
+        try:
+            entry = self.admin_conn.get_entry(entry_name, ['ipaConfigString'])
+        except errors.NotFound:
+            pass
+        else:
+            if any(attr_name.lower() == val.lower()
+                   for val in entry.get('ipaConfigString', [])):
+                root_logger.debug("service KDCPROXY already enabled")
+                return
+
+            entry.setdefault('ipaConfigString', []).append(attr_name)
+            try:
+                self.admin_conn.update_entry(entry)
+            except errors.EmptyModlist:
+                root_logger.debug("service KDCPROXY already enabled")
+                return
+            except:
+                root_logger.debug("failed to enable service KDCPROXY")
+                raise
+
+            root_logger.debug("service KDCPROXY enabled")
+            return
+
+        entry = self.admin_conn.make_entry(
+            entry_name,
+            objectclass=["nsContainer", "ipaConfigObject"],
+            cn=['KDC'],
+            ipaconfigstring=[attr_name]
+        )
+
+        try:
+            self.admin_conn.add_entry(entry)
+        except errors.DuplicateEntry:
+            root_logger.debug("failed to add service KDCPROXY entry")
+            raise
+
+    def create_kdcproxy_conf(self):
+        """Create ipa-kdc-proxy.conf in /etc/ipa/kdcproxy"""
+        target_fname = paths.HTTPD_IPA_KDCPROXY_CONF
+        sub_dict = dict(KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG)
+        http_txt = ipautil.template_file(
+            ipautil.SHARE_DIR + "ipa-kdc-proxy.conf.template", sub_dict)
+        self.fstore.backup_file(target_fname)
+        with open(target_fname, 'w') as f:
+            f.write(http_txt)
+        os.chmod(target_fname, 0644)
+
    def uninstall(self):
        if self.is_configured():
            self.print_msg("Unconfiguring web server")
@@ -420,6 +481,8 @@ class HTTPInstance(service.Service):
        installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
        installutils.remove_file(paths.HTTPD_IPA_CONF)
        installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
+        installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
+        installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)

        # Restore SELinux boolean states
        boolean_states = {name: self.restore_state(name)
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -146,6 +146,7 @@ class Backup(admintool.AdminTool):
        paths.LIMITS_CONF,
        paths.HTTPD_PASSWORD_CONF,
        paths.IPA_KEYTAB,
+        paths.HTTPD_IPA_KDCPROXY_CONF,
        paths.HTTPD_IPA_PKI_PROXY_CONF,
        paths.HTTPD_IPA_REWRITE_CONF,
        paths.HTTPD_NSS_CONF,
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1361,6 +1361,11 @@ def upgrade_configuration():
    http.change_mod_nss_port_from_http()
    http.configure_certmonger_renewal_guard()

+    if not http.is_kdcproxy_configured():
+        root_logger.info('[Enabling KDC Proxy]')
+        http.create_kdcproxy_conf()
+        http.enable_kdcproxy()
+
    http.stop()
    update_mod_nss_protocol(http)
    fix_trust_flags()