Configure s4u2proxy during installation.

This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX

Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy

https://fedorahosted.org/freeipa/ticket/1098

freeipa.spec.in

@@ -103,7 +103,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd
 Requires: mod_wsgi
-Requires: mod_auth_kerb
+Requires: mod_auth_kerb >= 5.4-9
 Requires: mod_nss >= 1.0.8-10
 Requires: python-ldap
 Requires: python-krbV
@@ -621,6 +621,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Jan 11 2012 Rob Crittenden <rcritten@redhat.com> - 2.99.0-14
+- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support
+
 * Fri Dec 9 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.99.0-13
 - Fix dependency for samba4-devel package
 

install/conf/ipa.conf

@@ -1,5 +1,5 @@
 #
-# VERSION 2 - DO NOT REMOVE THIS LINE
+# VERSION 3 - DO NOT REMOVE THIS LINE
 #
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
@@ -42,6 +42,7 @@ WSGIScriptReloading Off
   SetHandler None
 </Location>
 
+KrbConstrainedDelegationLock ipa
 
 # Protect /ipa with Kerberos
 <Location "/ipa">
@@ -53,6 +54,7 @@ WSGIScriptReloading Off
   KrbAuthRealms $REALM
   Krb5KeyTab /etc/httpd/conf/ipa.keytab
   KrbSaveCredentials on
+  KrbConstrainedDelegation on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 </Location>

install/share/bootstrap-template.ldif

@@ -161,6 +161,28 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
 
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: ipaKrb5DelegationACL
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-http-delegation
+memberPrincipal: HTTP/$HOST@$REALM
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-ldap-delegation-targets
+memberPrincipal: ldap/$HOST@$REALM
+
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top

install/updates/30-s4u2proxy.update

@@ -0,0 +1,18 @@
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: ipaKrb5DelegationACL
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-http-delegation
+default: memberPrincipal: HTTP/$HOST@$REALM
+default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-ldap-delegation-targets
+default: memberPrincipal: ldap/$HOST@$REALM

install/updates/Makefile.am

@@ -18,6 +18,7 @@ app_DATA =				\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
 	21-replicas_container.update	\
+	30-s4u2proxy.update		\
 	40-delegation.update		\
 	40-dns.update			\
 	40-automember.update		\

ipaserver/install/httpinstance.py

@@ -136,6 +136,9 @@ class HTTPInstance(service.Service):
         pent = pwd.getpwnam("apache")
         os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
 
+        # Clean up existing ccache
+        installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
+
     def __configure_http(self):
         target_fname = '/etc/httpd/conf.d/ipa.conf'
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)