-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Double escape @ in realm to avoid shell interpretation #211
Conversation
From: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-kerberos-aliases "When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error: ipa: ERROR: The realm for the principal does not match the realm for this IPA server" Also mentioned in: https://www.freeipa.org/page/V4/Kerberos_principal_aliases "Be careful to escape '@' in the enterprise principal name, otherwise the framework will complain about bad realm" How to recreate and test this: 1) Deploy a recent new appliance 2) Configure ipa client using the demo environment: https://www.freeipa.org/page/Demo 3) kinit helpdesk # or any other user configured on the demo env webpage 4) Run appliance_console_cli --http-cert This recreates realm does not match error above. Apply this code change allows us to get further but fails because we're not configured to make changes such as adding aliases on the ipa server.
1371965
to
286eefb
Compare
Checked commit jrafanie@286eefb with ruby 2.6.10, rubocop 1.28.2, haml-lint 0.35.0, and yamllint |
@@ -15,7 +15,7 @@ def initialize(options = {}) | |||
options.each { |n, v| public_send("#{n}=", v) } | |||
@ca_name ||= "ipa" | |||
@realm = @realm.upcase if @realm | |||
@name ||= "#{service}/#{hostname}@#{realm}" | |||
@name ||= "#{service}/#{hostname}\\@#{realm}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If @name
is presented to the user, we might want to escape these @
later, before we run the two AwesomeSpawn.run
commands below. But for now, I think this is the surgical way to fix this.
Does this need to go back to Petrosian? |
Yes, I think so. I guess we need a new release so we can require it in petrosian. |
Can you possibly add this to the guides/external_auth documentation? It's very useful. |
Double escape @ in realm to avoid shell interpretation (cherry picked from commit c37f7bb)
Fix incomplete fix in ManageIQ#211. We have two concepts that were being shared. * kerberos principal name * service principal name getcert requires the kerberos principal name with the kerberos realm included: getcert request -K SERVICE/host@REALM ipa service-find and service-add use the service principal name, which doesn't include the kerberos realm as that's assumed based on configuration and cannot be changed without changing the configuration: ipa service-find --principal SERVICE/host This commit clarifies these differences and uses the correct mechanism for service-add, service-find, and getcert.
Fix incomplete fix in ManageIQ#211. We have two concepts that were being shared. * kerberos principal name * service principal name getcert requires the kerberos principal name with the kerberos realm included: getcert request -K SERVICE/host@REALM See https://github.com/ManageIQ/manageiq-appliance_console/blob/9ce14c3087930322bbeac0e2f5a9723d92eea71a/lib/manageiq/appliance_console/certificate.rb#L143-L149 for usage. ipa service-find and service-add use the service principal name, which doesn't include the kerberos realm as that's assumed based on configuration and cannot be changed without changing the configuration: ipa service-find --principal SERVICE/host This commit clarifies these differences and uses the correct mechanism for service-add, service-find, and getcert.
Fixed - Fix sporadic test failure [#204] - Remove MIQ specific gem source [#209] - Double escape @ in realm to avoid shell interpretation [#211] - Move gem name loader to proper namespaced location [#208] - Separate kerberos from service principal name and use correctly [#215] - Add manageiq user to allowed_uids for sssd [#220] - Remove warning about using pg_dump [#221] - Fix specs where AwesomeSpawn private interface changed [#224] - Change the Name of the CA from something to ApplianceCA [#228] - Fix YAML.load_file failing on aliases [#234] Added - Make backward compatible changes to work with repmgr13 - version 5.2.1 [#192] - Support Ruby 3.0 [#206] - Support Ruby 3.1 [#227] - Allow rails 7 gems in gemspec [#226] Changed - Update to Highline 2.1.0 [#201] - Clean up test output (highline and stdout messages) [#210] Removed - Drop Ruby 2.7 [#223]
From:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-kerberos-aliases
"When adding or removing enterprise principal aliases, escape the @ symbol using two backslashes (\). Otherwise, the shell interprets the @ symbol as part of the Kerberos realm name and leads to the following error:
ipa: ERROR: The realm for the principal does not match the realm for this IPA server"
Also mentioned in:
https://www.freeipa.org/page/V4/Kerberos_principal_aliases
"Be careful to escape '@' in the enterprise principal name, otherwise the framework will complain about bad realm"
How to recreate and test this:
This recreates realm does not match error above.
Apply this code change allows us to get further but fails because we're not configured to make changes such as adding aliases on the ipa server.