Drop use of kinit_as_http from trust code

The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domain list is normally fetched via oddjob anyway so this use is
not necessary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Simo Sorce
2016-12-07 04:33:40 -05:00
committed by Jan Cholasta
parent 38c66896de
commit b109f5d850
2 changed files with 3 additions and 51 deletions


@@ -633,50 +633,6 @@ class DomainValidator(object):
return u'S-%d-%d-%s' % (sid_rev_num, ia,
'-'.join([str(s) for s in subs]),)
def kinit_as_http(self, domain):
"""
Initializes ccache with http service credentials.
Applies session code defaults for ccache directory and naming prefix.
Session code uses kinit_+<pid>, we use
kinit_+<TD>+<domain netbios name> so there is no clash.
Returns tuple (ccache path, principal) where (None, None) signifes an
error on ccache initialization
"""
domain_suffix = domain.replace('.', '-')
ccache_name = "kinit_TD%s" % (domain_suffix)
ccache_path = os.path.join(paths.IPA_CCACHES, ccache_name)
realm = api.env.realm
hostname = api.env.host
principal = 'HTTP/%s@%s' % (hostname, realm)
keytab = paths.IPA_KEYTAB
# Destroy the contents of the ccache
root_logger.debug('Destroying the contents of the separate ccache')
ipautil.run(
[paths.KDESTROY, '-A', '-c', ccache_path],
env={'KRB5CCNAME': ccache_path},
raiseonerr=False)
# Destroy the contents of the ccache
root_logger.debug('Running kinit from ipa.keytab to obtain HTTP '
'service principal with MS-PAC attached.')
result = ipautil.run(
[paths.KINIT, '-kt', keytab, principal],
env={'KRB5CCNAME': ccache_path},
raiseonerr=False)
if result.returncode == 0:
return (ccache_path, principal)
else:
return (None, None)
def kinit_as_administrator(self, domain):
"""
Initializes ccache with http service credentials.
@@ -1481,7 +1437,9 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
ccache_name, _principal = domval.kinit_as_administrator(
trustdomain)
else:
ccache_name, _principal = domval.kinit_as_http(trustdomain)
raise errors.ValidationError(name=_('Credentials'),
error=_('Missing credentials for '
'cross-forest communication'))
td.creds = credentials.Credentials()
td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
if ccache_name:
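Review bot: The new `raise errors.ValidationError(...)` in the else branch makes credentials effectively mandatory for fetch_domains, but the signature in the hunk header still reads `creds=None`, so the default now advertises an option that always fails; a reader (or the oddjob caller this commit message says is the normal path) gets no hint of that from the API. Consider moving the check to the top of the function as a guard, `if not creds: raise errors.ValidationError(name=_('Credentials'), error=_('Missing credentials for cross-forest communication'))`, and adding a docstring line such as `creds: required; the framework no longer has keytab access, so a caller must pass credentials (normally obtained via oddjob)`. The `if ccache_name:` branch that follows then only has to cover the administrator kinit path. The body of fetch_domains starts and ends outside this hunk, so I cannot confirm whether `domval` or `ccache_name` is referenced before this point.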


@@ -1813,9 +1813,6 @@ class trustdomain_enable(LDAPQuery):
if sid in trust_entry['ipantsidblacklistincoming']:
trust_entry['ipantsidblacklistincoming'].remove(sid)
ldap.update_entry(trust_entry)
# Force MS-PAC cache re-initialization on KDC side
domval = ipaserver.dcerpc.DomainValidator(self.api)
domval.kinit_as_http(keys[0])
else:
raise errors.AlreadyActive()
except errors.NotFound:
@@ -1854,9 +1851,6 @@ class trustdomain_disable(LDAPQuery):
if not (sid in trust_entry['ipantsidblacklistincoming']):
trust_entry['ipantsidblacklistincoming'].append(sid)
ldap.update_entry(trust_entry)
# Force MS-PAC cache re-initialization on KDC side
domval = ipaserver.dcerpc.DomainValidator(self.api)
domval.kinit_as_http(keys[0])
else:
raise errors.AlreadyInactive()
except errors.NotFound: