diff --git a/freeipa.spec.in b/freeipa.spec.in
index 46aefe1f5..05e1a1a2d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -103,7 +103,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd
 Requires: mod_wsgi
-Requires: mod_auth_kerb
+Requires: mod_auth_kerb >= 5.4-9
 Requires: mod_nss >= 1.0.8-10
 Requires: python-ldap
 Requires: python-krbV
@@ -621,6 +621,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %changelog
+* Wed Jan 11 2012 Rob Crittenden - 2.99.0-14
+- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
+
 * Fri Dec 9 2011 Alexander Bokovoy - 2.99.0-13
 - Fix dependency for samba4-devel package
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 72e3e4c01..f256dab4d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 2 - DO NOT REMOVE THIS LINE
+# VERSION 3 - DO NOT REMOVE THIS LINE
 #
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -42,6 +42,7 @@ WSGIScriptReloading Off
 SetHandler None
+KrbConstrainedDelegationLock ipa
 # Protect /ipa with Kerberos
@@ -53,6 +54,7 @@ WSGIScriptReloading Off
 KrbAuthRealms $REALM
 Krb5KeyTab /etc/httpd/conf/ipa.keytab
 KrbSaveCredentials on
+ KrbConstrainedDelegation on
 Require valid-user
 ErrorDocument 401 /ipa/errors/unauthorized.html
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 4f6bc3c97..4fba730b1 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
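Review bot: `KrbConstrainedDelegation on` in the `/ipa` location hunk switches the HTTP service to acquiring service tickets on behalf of the authenticated user, but nothing in ipa.conf says what bounds that power, so a later admin reading the file cannot tell whether this is safe to keep. The bound is elsewhere in this commit (the `cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` entry with its `ipaAllowedTarget`), and the config file should point to it: add above the new directive `# S4U2Proxy: obtain tickets for other services on the user's behalf; the permitted targets are the KDC-side ACL cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX — keep KrbSaveCredentials on, mod_auth_kerb needs the user's ticket for this`. The server-scope `KrbConstrainedDelegationLock ipa` in the preceding hunk would likewise benefit from a one-line comment saying it names the lock mod_auth_kerb uses to serialise ccache updates, presumably under the server's lock directory — confirm against the mod_auth_kerb version pinned in the spec. The `<Location>` block containing the new directive starts and ends outside the hunk.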
@@ -161,6 +161,28 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: ipaKrb5DelegationACL
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-http-delegation
+memberPrincipal: HTTP/$HOST@$REALM
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-ldap-delegation-targets
+memberPrincipal: ldap/$HOST@$REALM
+
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/updates/30-s4u2proxy.update b/install/updates/30-s4u2proxy.update
new file mode 100644
index 000000000..be1d557e7
--- /dev/null
+++ b/install/updates/30-s4u2proxy.update
@@ -0,0 +1,18 @@
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: ipaKrb5DelegationACL
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-http-delegation
+default: memberPrincipal: HTTP/$HOST@$REALM
+default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-ldap-delegation-targets
+default: memberPrincipal: ldap/$HOST@$REALM
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index cc7117614..20a1ce3a9 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
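Review bot: The `ipaAllowedTarget` value in the new `cn=ipa-http-delegation` entry points at `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, but the target entry this same hunk creates lives one level deeper, at `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`, so the ACL references a DN that does not exist and the delegation it is meant to permit would presumably fail (or, worse, be silently satisfied by whatever an admin later creates at that DN). The same mismatch is in the `30-s4u2proxy.update` hunk that follows. The fix is the DN in both places: `ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX` in the LDIF and `default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX'` in the update file. Both entries also list only this host's `HTTP/$HOST@$REALM`, so if replicas are expected to delegate as well their principals will need adding to `memberPrincipal` somewhere this commit does not show; a short comment in the template stating that would save the next installer author a surprise.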
@@ -18,6 +18,7 @@ app_DATA = \
 20-user_private_groups.update \
 20-winsync_index.update \
 21-replicas_container.update \
+ 30-s4u2proxy.update \
 40-delegation.update \
 40-dns.update \
 40-automember.update \
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 79b617289..7fa19c108 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,6 +136,9 @@ class HTTPInstance(service.Service):
 pent = pwd.getpwnam("apache")
 os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
+ # Clean up existing ccache
+ installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
+
 def __configure_http(self):
 target_fname = '/etc/httpd/conf.d/ipa.conf'
 http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
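Review bot: The ccache path `'/tmp/krb5cc_%d' % pent.pw_uid` is hard-coded in the httpinstance.py hunk with no statement of where it comes from, so the next change to how mod_auth_kerb stores saved credentials (the `KrbSaveCredentials on` directive in ipa.conf) will silently leave this cleanup pointing at the wrong file. The comment should say why the file is removed and what it is tied to, e.g. `# Remove the apache user's saved ccache (the location mod_auth_kerb's KrbSaveCredentials uses, presumably the krb5 default) so tickets from a previous install or the old keytab are not reused under the new keytab`, and the literal is a candidate for a module-level constant next to the other `/etc/httpd/...` paths this method already uses. I cannot see `installutils.remove_file` here; on a fresh install the file will not exist, so please confirm it tolerates a missing path rather than aborting the keytab setup. The method this hunk sits in starts outside the hunk.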