From 2558a0336e9d61b2b7e321b7dfa32426151b4bbb Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Wed, 3 May 2017 06:09:03 +0000

Subject: [PATCH] server install: fix KDC PKINIT configuration

Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known

to IPA.

Make sure `cacert.pem` is exported in all installation code paths.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 install/restart_scripts/Makefile.am    |  1 +

 install/restart_scripts/renew_kdc_cert | 31 ++++++++++++++++++

 install/share/kdc.conf.template        |  2 ++

 ipaclient/install/ipa_certupdate.py    |  1 +

 ipalib/install/kinit.py                |  7 +++--

 ipaserver/install/krbinstance.py       | 27 +++++++++-------

 ipaserver/install/server/upgrade.py    | 57 ++++++++++++++++++++++++++--------

 ipaserver/rpcserver.py                 |  5 ++-

 8 files changed, 103 insertions(+), 28 deletions(-)

 create mode 100755 install/restart_scripts/renew_kdc_cert

diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am

index 04881b406b6be92b46e630f30d724918506e2aa8..240cebdee8cae7a0c7bdf88f5300583b4232fc94 100644

--- a/install/restart_scripts/Makefile.am

+++ b/install/restart_scripts/Makefile.am

@@ -5,6 +5,7 @@ app_DATA =                              \

 	restart_dirsrv			\

 	restart_httpd			\

 	renew_ca_cert			\

+	renew_kdc_cert			\

 	renew_ra_cert			\

 	stop_pkicad			\

 	renew_ra_cert_pre		\

diff --git a/install/restart_scripts/renew_kdc_cert b/install/restart_scripts/renew_kdc_cert

new file mode 100755

index 0000000000000000000000000000000000000000..9247920874fc9540ac3421dd59fd902cc195243f

--- /dev/null

+++ b/install/restart_scripts/renew_kdc_cert

@@ -0,0 +1,31 @@

+#!/usr/bin/python2 -E

+#

+# Copyright (C) 2017  FreeIPA Contributors see COPYING for license

+#

+

+import os

+import syslog

+import traceback

+

+from ipaplatform import services

+from ipaplatform.paths import paths

+from ipaserver.install import certs

+

+

+def main():

+    with certs.renewal_lock:

+        os.chmod(paths.KDC_CERT, 0o644)

+

+        try:

+            if services.knownservices.krb5kdc.is_running():

+                syslog.syslog(syslog.LOG_NOTICE, 'restarting krb5kdc')

+                services.knownservices.krb5kdc.restart()

+        except Exception as e:

+            syslog.syslog(

+                syslog.LOG_ERR, "cannot restart krb5kdc: {}".format(e))

+

+

+try:

+    main()

+except Exception:

+    syslog.syslog(syslog.LOG_ERR, traceback.format_exc())

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template

index ec53a1ff5f7110704143074bc7a5d1dfdc705344..306351b86111eb0e883b2398678f50b821e0ad7f 100644

--- a/install/share/kdc.conf.template

+++ b/install/share/kdc.conf.template

@@ -13,5 +13,7 @@

   default_principal_flags = +preauth

 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB

   pkinit_identity = FILE:$KDC_CERT,$KDC_KEY

+  pkinit_anchors = FILE:$KDC_CERT

   pkinit_anchors = FILE:$CACERT_PEM

+  pkinit_pool = FILE:$CA_BUNDLE_PEM

  }

diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py

index 7e8527e1fcb575844e8f4c90016435124b70e381..93da8422b6f503b8c44db678736d7f71f7d7567e 100644

--- a/ipaclient/install/ipa_certupdate.py

+++ b/ipaclient/install/ipa_certupdate.py

@@ -172,6 +172,7 @@ class CertUpdate(admintool.AdminTool):

             certmonger.modify(request_id, ca='dogtag-ipa-ca-renew-agent')

         self.update_file(paths.CA_CRT, certs)

+        self.update_file(paths.CACERT_PEM, certs)

     def update_file(self, filename, certs, mode=0o444):

         certs = (c[0] for c in certs if c[2] is not False)

diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py

index fb6caee4d6b5fef27b53753b21ad83572da31ac4..73471f103eabfe39580c8fbd0665157f635fa5c5 100644

--- a/ipalib/install/kinit.py

+++ b/ipalib/install/kinit.py

@@ -96,7 +96,7 @@ def kinit_password(principal, password, ccache_name, config=None,

         raise RuntimeError(result.error_output)

-def kinit_armor(ccache_name, pkinit_anchor=None):

+def kinit_armor(ccache_name, pkinit_anchors=None):

     """

     perform anonymous pkinit to obtain anonymous ticket to be used as armor

     for FAST.

@@ -113,8 +113,9 @@ def kinit_armor(ccache_name, pkinit_anchor=None):

     env = {'LC_ALL': 'C'}

     args = [paths.KINIT, '-n', '-c', ccache_name]

-    if pkinit_anchor is not None:

-        args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)])

+    if pkinit_anchors is not None:

+        for pkinit_anchor in pkinit_anchors:

+            args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)])

     # this workaround enables us to capture stderr and put it

     # into the raised exception in case of unsuccessful authentication

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py

index e52577bbaa15064946f9a3c9720aa40ffc3251aa..1692e0b2badb23c18386346a552c83881018cf60 100644

--- a/ipaserver/install/krbinstance.py

+++ b/ipaserver/install/krbinstance.py

@@ -20,7 +20,6 @@

 from __future__ import absolute_import

 from __future__ import print_function

-import shutil

 import os

 import pwd

 import socket

@@ -28,6 +27,8 @@ import dbus

 import dns.name

+from ipalib import x509

+from ipalib.install import certstore

 from ipaserver.install import service

 from ipaserver.install import installutils

 from ipapython import ipaldap

@@ -430,7 +431,8 @@ class KrbInstance(service.Service):

                 ca=certmonger_ca,

                 dns=self.fqdn,

                 storage='FILE',

-                profile=KDC_PROFILE)

+                profile=KDC_PROFILE,

+                post_command='renew_kdc_cert')

         except dbus.DBusException as e:

             # if the certificate is already tracked, ignore the error

             name = e.get_dbus_name()

@@ -448,17 +450,23 @@ class KrbInstance(service.Service):

         service.set_service_entry_config(

             'KDC', self.fqdn, [PKINIT_ENABLED], self.suffix)

+    def _install_pkinit_ca_bundle(self):

+        ca_certs = certstore.get_ca_certs(self.api.Backend.ldap2,

+                                          self.api.env.basedn,

+                                          self.api.env.realm,

+                                          False)

+        ca_certs = [c for c, _n, t, _u in ca_certs if t is not False]

+        x509.write_certificate_list(ca_certs, paths.CACERT_PEM)

+

     def issue_selfsigned_pkinit_certs(self):

         self._call_certmonger(certmonger_ca="SelfSign")

-        # for self-signed certificate, the certificate is its own CA, copy it

-        # as CA cert

-        shutil.copyfile(paths.KDC_CERT, paths.CACERT_PEM)

+        with open(paths.CACERT_PEM, 'w'):

+            pass

     def issue_ipa_ca_signed_pkinit_certs(self):

         try:

             self._call_certmonger()

-            # copy IPA CA bundle to the KDC's CA cert bundle

-            shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)

+            self._install_pkinit_ca_bundle()

             self.pkinit_enable()

         except RuntimeError as e:

             root_logger.error("PKINIT certificate request failed: %s", e)

@@ -473,10 +481,7 @@ class KrbInstance(service.Service):

         certs.install_key_from_p12(self.pkcs12_info[0],

                                    self.pkcs12_info[1],

                                    paths.KDC_KEY)

-        # copy IPA CA bundle to the KDC's CA cert bundle

-        # NOTE: this may not be the same set of CA certificates trusted by

-        # externally provided PKINIT cert.

-        shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)

+        self._install_pkinit_ca_bundle()

         self.pkinit_enable()

     def setup_pkinit(self):

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index 648dc1f29c44f89d9fbceb7b50373d93c88b5c1a..db86353165809c57d1ac27bf762393721231fefd 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -11,6 +11,7 @@ import pwd

 import fileinput

 import sys

+from augeas import Augeas

 import dns.exception

 import six

@@ -1527,19 +1528,49 @@ def setup_pkinit(krb):

         else:

             krb.issue_selfsigned_pkinit_certs()

-    # reconfigure KDC just in case in order to handle potentially broken

-    # 4.5.0 -> 4.5.1 upgrade path

-    replacevars = dict()

-    replacevars['pkinit_identity'] = 'FILE:{},{}'.format(

-        paths.KDC_CERT,paths.KDC_KEY)

-    appendvars = {}

-    ipautil.backup_config_and_replace_variables(

-        krb.fstore, paths.KRB5KDC_KDC_CONF, replacevars=replacevars,

-        appendvars=appendvars)

-    tasks.restore_context(paths.KRB5KDC_KDC_CONF)

-    if krb.is_running():

-        krb.stop()

-    krb.start()

+    aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,

+                 loadpath=paths.USR_SHARE_IPA_DIR)

+    try:

+        aug.transform('IPAKrb5', paths.KRB5KDC_KDC_CONF)

+        aug.load()

+

+        path = '/files{}/realms/{}'.format(paths.KRB5KDC_KDC_CONF, krb.realm)

+        modified = False

+

+        value = 'FILE:{},{}'.format(paths.KDC_CERT, paths.KDC_KEY)

+        expr = '{}[count(pkinit_identity)=1][pkinit_identity="{}"]'.format(

+            path, value)

+        if not aug.match(expr):

+            aug.remove('{}/pkinit_identity'.format(path))

+            aug.set('{}/pkinit_identity'.format(path), value)

+            modified = True

+

+        for value in  ['FILE:{}'.format(paths.KDC_CERT),

+                       'FILE:{}'.format(paths.CACERT_PEM)]:

+            expr = '{}/pkinit_anchors[.="{}"]'.format(path, value)

+            if not aug.match(expr):

+                aug.set('{}/pkinit_anchors[last()+1]'.format(path), value)

+                modified = True

+

+        value = 'FILE:{}'.format(paths.CA_BUNDLE_PEM)

+        expr = '{}/pkinit_pool[.="{}"]'.format(path, value)

+        if not aug.match(expr):

+            aug.set('{}/pkinit_pool[last()+1]'.format(path), value)

+            modified = True

+

+        if modified:

+            try:

+                aug.save()

+            except IOError:

+                for error_path in aug.match('/augeas//error'):

+                    root_logger.error('augeas: %s', aug.get(error_path))

+                raise

+

+            if krb.is_running():

+                krb.stop()

+            krb.start()

+    finally:

+        aug.close()

 def disable_httpd_system_trust(http):

diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py

index 996a3d29884ca0180c39841f6986abf9b23ff13a..4cde2815a0fe9332d67c84b531f573ff88b1a302 100644

--- a/ipaserver/rpcserver.py

+++ b/ipaserver/rpcserver.py

@@ -945,7 +945,10 @@ class login_password(Backend, KerberosSession):

         self.debug('Obtaining armor in ccache %s', armor_path)

         try:

-            kinit_armor(armor_path, pkinit_anchor=paths.CACERT_PEM)

+            kinit_armor(

+                armor_path,

+                pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],

+            )

         except RuntimeError as e:

             self.error("Failed to obtain armor cache")

             # We try to continue w/o armor, 2FA will be impacted

-- 

2.9.4