Configure HTTPD to work via Gss-Proxy

https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-11-29 11:10:22 -05:00 · 2016-11-29 11:10:22 -05:00 · d2f5fc304f
commit d2f5fc304f
parent b6741d81e1
20 changed files with 70 additions and 24 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -259,6 +259,8 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 Requires: oddjob
+# Require 0.6.0 for the new delegation access control features
+Requires: gssproxy >= 0.6.0

 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@ -1271,6 +1273,7 @@ fi
 %{_usr}/share/ipa/updates/*
 %dir %{_localstatedir}/lib/ipa
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
--- a/init/systemd/ipa.service.in
+++ b/init/systemd/ipa.service.in
@ -1,6 +1,7 @@
 [Unit]
 Description=Identity, Policy, Audit
 Requires=network.target
+Requires=gssproxy.service
 After=network.target

 [Service]
--- a/install/Makefile.am
+++ b/install/Makefile.am
@ -21,6 +21,7 @@ SUBDIRS =			\
 install-exec-local:
 	$(INSTALL) -d -m 700 $(DESTDIR)$(IPA_SYSCONF_DIR)/custodia
 	$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/backup
+	$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/gssproxy
 	$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
 	$(INSTALL) -d -m 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
 	$(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@ -69,8 +69,6 @@ WSGIScriptReloading Off
  SessionHeader IPASESSION
  GssapiSessionKey file:/etc/httpd/alias/ipasession.key

-  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
-  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
  GssapiDelegCcacheDir /var/run/ipa/ccaches
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@ -90,6 +90,7 @@ dist_app_DATA =				\
 	ipa-httpd.conf.template		\
 	gssapi.login			\
 	ipa.conf.tmpfiles		\
+	gssproxy.conf.template		\
 	$(NULL)

 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@ -0,0 +1,8 @@
+#Installed and maintained by ipa update tools, please do not modify
+[service/ipa-httpd]
+  mechs = krb5
+  cred_store = keytab:$HTTP_KEYTAB
+  cred_store = client_keytab:$HTTP_KEYTAB
+  allow_protocol_transition = true
+  cred_usage = both
+  euid = $HTTPD_USER
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.

 [Service]
-Environment=KRB5CCNAME=$KRB5CC_HTTPD
+Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
 ExecStopPost=$POST
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@ -11,6 +11,7 @@ class BaseConstantsNamespace(object):
    DS_USER = 'dirsrv'
    DS_GROUP = 'dirsrv'
    HTTPD_USER = "apache"
+    GSSPROXY_USER = "root"
    IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
    KDCPROXY_USER = "kdcproxy"
    NAMED_USER = "named"
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -49,7 +49,8 @@ class BasePathNamespace(object):
    HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
    HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
    HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
-    IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+    OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+    HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
    ANON_KEYTAB = "/var/lib/ipa/api/anon.keytab"
    HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
    IDMAPD_CONF = "/etc/idmapd.conf"
@ -328,7 +329,7 @@ class BasePathNamespace(object):
    IPA_ODS_EXPORTER_CCACHE = "/var/opendnssec/tmp/ipa-ods-exporter.ccache"
    VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
    IPA_CCACHES = "/var/run/ipa/ccaches"
-    KRB5CC_HTTPD = "/var/run/ipa/ccaches/http.ccache"
+    HTTP_CCACHE = "/var/lib/ipa/gssproxy/http.ccache"
    IPA_RENEWAL_LOCK = "/var/run/ipa/renewal.lock"
    SVC_LIST_FILE = "/var/run/ipa/services.list"
    KRB5CC_SAMBA = "/var/run/samba/krb5cc_samba"
@ -349,5 +350,6 @@ class BasePathNamespace(object):
    IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
    IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
    EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
+    GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'

 path_namespace = BasePathNamespace
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@ -42,7 +42,7 @@ wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
                     'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
                     'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
                     'rpcidmapd', 'pki_tomcatd', 'chronyd', 'domainname',
-                     'named', 'ods_enforcerd', 'ods_signerd']
+                     'named', 'ods_enforcerd', 'ods_signerd', 'gssproxy']

 # The common ports for these services. This is used to wait for the
 # service to become available.
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@ -68,6 +68,7 @@ redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
 redhat_system_units['ods-signerd'] = 'ods-signerd.service'
 redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
+redhat_system_units['gssproxy'] = 'gssproxy.service'


 # Service classes that implement Red Hat OS family-specific behaviour
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@ -451,7 +451,6 @@ class RedHatTaskNamespace(BaseTaskNamespace):
            os.path.join(paths.USR_SHARE_IPA_DIR, 'ipa-httpd.conf.template'),
            paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
            dict(
-                KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
                KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
                IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
                POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
@ -461,6 +460,20 @@ class RedHatTaskNamespace(BaseTaskNamespace):
        os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
        self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)

+    def configure_http_gssproxy_conf(self):
+        ipautil.copy_template_file(
+            os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'),
+            paths.GSSPROXY_CONF,
+            dict(
+                HTTP_KEYTAB=paths.HTTP_KEYTAB,
+                HTTP_CCACHE=paths.HTTP_CCACHE,
+                HTTPD_USER=constants.HTTPD_USER
+            )
+        )
+
+        os.chmod(paths.GSSPROXY_CONF, 0o600)
+        self.restore_context(paths.GSSPROXY_CONF)
+
    def remove_httpd_service_ipa_conf(self):
        """Remove systemd config for httpd service of IPA"""
        try:
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -129,10 +129,11 @@ class HTTPInstance(service.Service):
            api=api,
            service_prefix=u'HTTP',
            service_user=HTTPD_USER,
-            keytab=paths.IPA_KEYTAB)
+            keytab=paths.HTTP_KEYTAB)

        self.cert_nickname = cert_nickname
        self.ca_is_configured = True
+        self.keytab_user = constants.GSSPROXY_USER

    subject_base = ipautil.dn_attribute_property('_subject_base')

@ -169,13 +170,15 @@ class HTTPInstance(service.Service):
        self.step("configuring httpd", self.__configure_http)
        self.step("setting up httpd keytab", self._request_service_keytab)
        self.step("retrieving anonymous keytab", self.request_anon_keytab)
+        self.step("configuring Gssproxy", self.configure_gssproxy)
        self.step("setting up ssl", self.__setup_ssl)
        if self.ca_is_configured:
            self.step("configure certmonger for renewals",
                      self.configure_certmonger_renewal_guard)
        self.step("importing CA certificates from LDAP", self.__import_ca_certs)
        self.step("publish CA cert", self.__publish_ca_cert)
-        self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+        self.step("clean up any existing httpd ccaches",
+                  self.remove_httpd_ccaches)
        self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
        if not self.is_kdcproxy_configured():
            self.step("create KDC proxy user", create_kdcproxy_user)
@ -205,13 +208,13 @@ class HTTPInstance(service.Service):
        except ipapython.errors.SetseboolError as e:
            self.print_msg(e.format_service_warning('web interface'))

-    def remove_httpd_ccache(self):
-        # Clean up existing ccache
+    def remove_httpd_ccaches(self):
+        # Clean up existing ccaches
        # Make sure that empty env is passed to avoid passing KRB5CCNAME from
        # current env
-        ipautil.run(
-            [paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False,
-            env={})
+        installutils.remove_file(paths.HTTP_CCACHE)
+        for f in os.listdir(paths.IPA_CCACHES):
+            os.remove(os.path.join(paths.IPA_CCACHES, f))

    def __configure_http(self):
        self.update_httpd_service_ipa_conf()
@ -235,6 +238,10 @@ class HTTPInstance(service.Service):
        http_fd.close()
        os.chmod(target_fname, 0o644)

+    def configure_gssproxy(self):
+        tasks.configure_http_gssproxy_conf()
+        services.knownservices.gssproxy.restart()
+
    def change_mod_nss_port_from_http(self):
        # mod_ssl enforces SSLEngine on for vhost on 443 even though
        # the listener is mod_nss. This then crashes the httpd as mod_nss
@ -541,8 +548,7 @@ class HTTPInstance(service.Service):
                root_logger.debug(error)

        installutils.remove_keytab(self.keytab)
-        installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
-                                   run_as=self.service_user)
+        installutils.remove_file(paths.HTTP_CCACHE)

        # Remove the configuration files we create
        installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@ -141,7 +141,7 @@ class Backup(admintool.AdminTool):
        paths.OPENLDAP_LDAP_CONF,
        paths.LIMITS_CONF,
        paths.HTTPD_PASSWORD_CONF,
-        paths.IPA_KEYTAB,
+        paths.HTTP_KEYTAB,
        paths.HTTPD_IPA_KDCPROXY_CONF,
        paths.HTTPD_IPA_PKI_PROXY_CONF,
        paths.HTTPD_IPA_REWRITE_CONF,
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@ -413,7 +413,7 @@ class Restore(admintool.AdminTool):
                self.log.info('Restarting SSSD')
                sssd = services.service('sssd', api)
                sssd.restart()
-                http.remove_httpd_ccache()
+                http.remove_httpd_ccaches()
        finally:
            try:
                os.chdir(cwd)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -1431,6 +1431,14 @@ def update_ipa_httpd_service_conf(http):
    http.update_httpd_service_ipa_conf()


+def update_http_keytab(http):
+    root_logger.info('[Moving HTTPD service keytab to gssproxy]')
+    if os.path.exists(paths.OLD_IPA_KEYTAB):
+        shutil.move(paths.OLD_IPA_KEYTAB, http.keytab)
+    pent = pwd.getpwnam(http.keytab_user)
+    os.chown(http.keytab, pent.pw_uid, pent.pw_gid)
+
+
 def ds_enable_sidgen_extdom_plugins(ds):
    """For AD trust agents, make sure we enable sidgen and extdom plugins
    """
@ -1629,6 +1637,8 @@ def upgrade_configuration():
    update_mod_nss_cipher_suite(http)
    fix_trust_flags()
    export_kra_agent_pem()
+    update_http_keytab(http)
+    http.configure_gssproxy()
    http.start()

    uninstall_selfsign(ds, http)
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -166,6 +166,7 @@ class Service(object):
        self.dercert = None
        self.api = api
        self.service_user = service_user
+        self.keytab_user = service_user
        self.dm_password = None  # silence pylint
        self.promote = False

@ -584,7 +585,7 @@ class Service(object):
        self._add_service_principal()
        self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)

-        pent = pwd.getpwnam(self.service_user)
+        pent = pwd.getpwnam(self.keytab_user)
        os.chown(self.keytab, pent.pw_uid, pent.pw_gid)


--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@ -474,7 +474,7 @@ def establish_trust_with_ad(master, ad_domain, extra_args=()):
    """

    # Force KDC to reload MS-PAC info by trying to get TGT for HTTP
-    master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
+    master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
                        'HTTP/%s' % master.hostname])
    master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
    master.run_command(['kdestroy', '-A'])
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@ -1169,7 +1169,7 @@ class TestIPACommands(CALessBase):
                                 '--certificate', self.client_pem])
        self.master.run_command(['ipa-getkeytab', '-s', self.master.hostname,
                                 '-p' "host/%s" % self.test_hostname,
-                                 '-k', paths.IPA_KEYTAB])
+                                 '-k', paths.HTTP_KEYTAB])
        try:
            yield
        finally:
@ -1186,7 +1186,7 @@ class TestIPACommands(CALessBase):
            self.master.run_command(['ipa-getkeytab', '-s',
                                     self.master.hostname,
                                     '-p', self.test_service,
-                                     '-k', paths.IPA_KEYTAB])
+                                     '-k', paths.HTTP_KEYTAB])
            yield

    def test_service_mod_doesnt_revoke(self):
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@ -334,7 +334,7 @@ class TestNonexternalTrustWithSubdomain(ADTrustSubdomainBase):
    """
    def test_establish_trust(self):
        """ Tests establishing non-external trust with Active Directory """
-        self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
+        self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
                                 'HTTP/%s' % self.master.hostname])
        self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
        self.master.run_command(['kdestroy', '-A'])
@ -401,7 +401,7 @@ class TestNonexternalTrustWithTreedomain(ADTrustTreedomainBase):
    """
    def test_establish_trust(self):
        """ Tests establishing non-external trust with Active Directory """
-        self.master.run_command(['kinit', '-kt', paths.IPA_KEYTAB,
+        self.master.run_command(['kinit', '-kt', paths.HTTP_KEYTAB,
                                 'HTTP/%s' % self.master.hostname])
        self.master.run_command(['systemctl', 'restart', 'krb5kdc.service'])
        self.master.run_command(['kdestroy', '-A'])