From 15da0d16e99f5c6956f1ed687cc3cffdade83cb5 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 31 Mar 2017 14:14:11 +0200
Subject: [PATCH] Use only anonymous PKINIT to fetch armor ccache

Since the anonymous principal can only use PKINIT to fetch a credential
cache, it makes no sense to try to use its Kerberos key to establish the
FAST channel.

We should also be able to use custom PKINIT anchor for the armoring.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 ipalib/install/kinit.py | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)

diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
index 1e4d1a82fdefe968db13c3847b9b37b3b3f75d6f..fb6caee4d6b5fef27b53753b21ad83572da31ac4 100644
--- a/ipalib/install/kinit.py
+++ b/ipalib/install/kinit.py
@@ -7,7 +7,6 @@ import time
 
 import gssapi
 
-from ipalib.constants import ANON_USER
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import run
@@ -97,29 +96,26 @@ def kinit_password(principal, password, ccache_name, config=None,
         raise RuntimeError(result.error_output)
 
 
-def kinit_armor(ccache_name):
+def kinit_armor(ccache_name, pkinit_anchor=None):
     """
-    perform kinit to obtain anonymous ticket to be used as armor for FAST.
+    perform anonymous pkinit to obtain anonymous ticket to be used as armor
+    for FAST.
+
+    :param ccache_name: location of the armor ccache
+    :param pkinit_anchor: if not None, the location of PKINIT anchor file to
+        use. Otherwise the value from Kerberos client library configuration is
+        used
+
+    :raises: CalledProcessError if the anonymous PKINIT fails
     """
     root_logger.debug("Initializing anonymous ccache")
 
     env = {'LC_ALL': 'C'}
-    # try with the keytab first and then again fallback to try with pkinit in
-    # case someone decided it is fun to remove Anonymous keys from the entry
-    # or in future pkinit enabled principal enforce the use of pkinit
-    try:
-        # Gssapi does not understand anonymous cred use kinit command instead
-        args = [paths.KINIT, '-k', '-t', paths.ANON_KEYTAB,
-                ANON_USER, '-c', ccache_name]
-        run(args, env=env, raiseonerr=True, capture_error=True)
-        return
-    except Exception as e:
-        root_logger.debug("Failed to init Anonymous keytab: %s", e,
-                          exc_info=True)
-
-    root_logger.debug("Fallback to slower Anonymous PKINIT")
     args = [paths.KINIT, '-n', '-c', ccache_name]
 
+    if pkinit_anchor is not None:
+        args.extend(['-X', 'X509_anchors=FILE:{}'.format(pkinit_anchor)])
+
     # this workaround enables us to capture stderr and put it
     # into the raised exception in case of unsuccessful authentication
     run(args, env=env, raiseonerr=True, capture_error=True)
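Review bot: The new `pkinit_anchor` value only ends up inside the `-X X509_anchors=FILE:...` argument and is never logged, so a failure caused by a wrong or unreadable anchor path has to be reconstructed from the captured kinit stderr alone; extending the existing debug line to `root_logger.debug("Initializing anonymous ccache (PKINIT anchor: %s)", pkinit_anchor)` would make such failures easy to diagnose. The `is not None` guard also lets an empty string through as `X509_anchors=FILE:`, which presumably fails inside kinit with a less obvious message than an explicit `if not pkinit_anchor: raise ValueError("pkinit_anchor must be a non-empty path")` at the call site. The docstring could also state that the anchor is a PEM file holding the CA certificate(s) used to validate the KDC certificate, since that is what `FILE:` selects. The `run(...)` call is the last line of the hunk, so whether kinit_armor continues past it is not visible here.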
-- 
2.12.2