freeipa/ipalib
Alexander Bokovoy b8b46779dc rpcserver: fallback to non-armored kinit in case of trusted domains
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.

FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.

[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct them to enforce use of FAST. This is equivalent to the current
implementation of the 'kinit' utility in MIT Kerberos, which requires
the use of FAST if an armor cache (option '-T') is provided.

[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.

Active Directory has a policy to force use of FAST when the client
advertises its use. Since we cannot know in advance whether the principal
we obtain initial credentials for belongs to our realm or to a trusted
one, due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user's realm (e.g. from a
trusted forest) causes enforcement of FAST.

In the latter case, as we cannot use FAST anyway, try to kinit again
without advertising FAST. This works even in situations where FAST
enforcement is enabled on the Active Directory side: if the client doesn't
advertise the FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-30 12:48:22 -04:00
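The retry described in the commit message, as an added example that is not FreeIPA's own code: the first `kinit` is driven with an armor cache (`-T`, which makes MIT `kinit` insist on FAST); if that attempt fails and armor was in use, the same principal is retried without `-T`, so FAST is never advertised to the trusted-realm KDC. The `Runner` indirection, the `FakeKdcs` stand-in and the two sample principals are assumptions made so the control flow can be exercised offline; the error text the fake returns for the armored trusted-realm case is constructed, not a real libkrb5 message.

```python
"""FAST-armored kinit with fallback to a plain kinit.

Example code written for this page, not the FreeIPA implementation.  The
Runner indirection and FakeKdcs are assumptions so the flow runs offline.
"""
import subprocess
from typing import Callable, List, Optional, Tuple

# A runner executes a kinit argv with the password on stdin and returns
# (exit status, stderr text).  Assumption: this is how the caller drives kinit.
Runner = Callable[[List[str], str], Tuple[int, str]]


def build_kinit_argv(principal: str, ccache: str,
                     armor_ccache: Optional[str] = None,
                     enterprise: bool = False) -> List[str]:
    """MIT kinit options: -c target ccache, -T armor ccache (forces FAST),
    -E treat the principal as an enterprise name (KDC canonicalises it)."""
    argv = ["kinit", "-c", ccache]
    if armor_ccache is not None:
        argv += ["-T", armor_ccache]
    if enterprise:
        argv.append("-E")
    argv.append(principal)
    return argv


def run_kinit(argv: List[str], password: str) -> Tuple[int, str]:
    """Real runner: invoke kinit and feed the password on stdin."""
    proc = subprocess.run(argv, input=password + "\n",
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stderr


def kinit_with_fast_fallback(principal: str, password: str, ccache: str,
                             armor_ccache: Optional[str],
                             runner: Runner = run_kinit
                             ) -> Tuple[bool, List[List[str]]]:
    """Try with FAST armor first; if that fails and armor was used, retry
    without advertising FAST.  Returns (success, argv of each attempt)."""
    attempts: List[List[str]] = []
    argv = build_kinit_argv(principal, ccache, armor_ccache, enterprise=True)
    attempts.append(argv)
    rc, _err = runner(argv, password)
    if rc == 0 or armor_ccache is None:
        return rc == 0, attempts
    # Assumption: any failure of the armored attempt is treated as "FAST
    # could not be used"; the user's realm is unknown until a KDC answers.
    argv = build_kinit_argv(principal, ccache, None, enterprise=True)
    attempts.append(argv)
    rc, _err = runner(argv, password)
    return rc == 0, attempts


class FakeKdcs:
    """Constructed stand-in for libkrb5 plus two KDCs (no network).  Users
    in IPA.EXAMPLE accept armored or plain requests; users in the trusted
    realm AD.EXAMPLE reject an armored request, since that KDC shares no
    armor key with us."""

    def __init__(self, users):
        self.users = users  # principal -> (realm, password)

    def __call__(self, argv: List[str], password: str) -> Tuple[int, str]:
        principal = argv[-1]
        armored = "-T" in argv
        realm, expected = self.users.get(principal, (None, None))
        if realm is None or password != expected:
            return 1, "kinit: Password incorrect while getting initial credentials\n"
        if realm == "AD.EXAMPLE" and armored:
            return 1, "kinit: armored request rejected by trusted-realm KDC (constructed)\n"
        return 0, ""


# Constructed sample principals for the offline demonstration.
FAKE = FakeKdcs({
    "alice@IPA.EXAMPLE": ("IPA.EXAMPLE", "ipa-pass"),
    "bob@AD.EXAMPLE": ("AD.EXAMPLE", "ad-pass"),
})


if __name__ == "__main__":
    ok, tries = kinit_with_fast_fallback("bob@AD.EXAMPLE", "ad-pass",
                                         "/tmp/cc", "/tmp/armor", runner=FAKE)
    print(ok, [" ".join(t) for t in tries])
```

One cost of this generic retry is visible in the fake: a wrong password for a trusted-realm user also produces two AS-REQ rounds, because the caller cannot tell a FAST-related refusal from a bad password without inspecting the error, and it does not know the realm up front.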
install Faster certmonger wait_for_request() 2020-09-30 09:52:08 +02:00
__init__.py pylint: Clean up comment 2020-02-12 18:08:32 +02:00
aci.py De-duplicate ACI attributes and permissions 2020-09-14 09:15:59 +03:00
backend.py Fix Pylint 2.0 violations 2018-07-14 12:04:19 +02:00
base.py Py3: Replace six.string_types with str 2018-09-27 16:11:18 +02:00
capabilities.py Replace LooseVersion 2016-11-24 15:46:40 +01:00
cli.py Make tab completion in console more useful 2020-07-07 12:36:10 +02:00
config.py Fix detection logic for api.env.in_tree 2020-05-14 18:16:20 +02:00
constants.py Easier to use ipa_gethostfqdn() 2020-10-26 17:11:19 +11:00
crud.py ipalib, ipaserver: fix incorrect API.register calls in docstrings 2016-05-25 16:06:26 +02:00
dns.py dnsrecord-mod: allow to modify ttl without passing the record 2019-07-01 09:16:21 +02:00
errors.py rpcserver: fallback to non-armored kinit in case of trusted domains 2020-10-30 12:48:22 -04:00
facts.py Fall back to old server installation detection when needed 2020-08-18 11:11:26 +02:00
frontend.py Add __signature__ to plugins 2020-07-07 12:36:10 +02:00
krb_utils.py Allow login to WebUI using Kerberos aliases/enterprise principals 2017-03-08 15:56:11 +01:00
Makefile.am Build: Makefiles for Python packages 2016-11-09 13:08:32 +01:00
messages.py Handle missing LWCA certificate or chain 2019-06-18 10:36:24 +10:00
misc.py Add fix for ipa plugins command 2017-02-17 10:22:07 +01:00
output.py Generate same API.txt under Python 2 and 3 2018-02-15 09:41:30 +01:00
parameters.py Add __signature__ to plugins 2020-07-07 12:36:10 +02:00
pkcs10.py Remove pkcs10 module contents 2017-10-25 09:46:41 +02:00
plugable.py cli: When parsing options require name/value pairs 2020-08-25 10:31:19 -04:00
request.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
rpc.py Define errors_by_code in ipalib.errors 2020-06-29 12:03:16 +10:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Add helpers for resolve1 and nameservers 2020-09-23 16:44:26 +02:00
sysrestore.py Address legacy pylint issues in sysrestore.py 2020-08-07 16:44:28 -04:00
text.py Create ipasphinx package for Sphinx plugins 2020-04-28 20:03:21 +02:00
util.py dnspython: Add compatibility shim 2020-08-31 09:46:03 +03:00
x509.py ra.get_certificate: use REST API 2020-06-30 16:18:21 +02:00