The various changes necessary to add support for GSSAPI authenticated profile fetching have now been moved from our local dice configuration into the general lcfg area. The new support can be enabled by specifying the LCFG_AUTH_GSSAPI macro at the start of an LCFG source profile. Most of the resources necessary are configured in the lcfg/options/lcfg-client-gssapi.h header file but sites wanting to use this will still need a little additional configuration.
For the installer, support is enabled by setting the lcfg.kauth=1 option on the kernel command line. Those sites using the ed/options/pxeserver.h header will automatically get a menu option which supports this mode. The installer mode can be enabled for a client with something like this:

    #ifdef LINUX_EL7
    #ifdef LCFG_AUTH_GSSAPI
    !pxeclient.platforms     mREPLACE(sl7,sl7kauth)
    !pxeclient.default_label mSUBST(sl7,sl7kauth)
    #endif /* GSSAPI support enabled */
    #endif /* LINUX_EL7 */
It is important to note that the lcfg-client-gssapi.h header does not remove http access for the XML profile. That could either be turned off completely for the apache virtual host or a per-client deny all rule could be put into the associated .htaccess file. Also, the default access control for the XML profiles is based on an apache group named lcfgadmins which must be populated on the LCFG servers, for example:

    !apacheconf.groups            mADD(lcfgadmins)
    !apacheconf.members_lcfgadmins mSET( alice/admin@EXAMPLE.ORG bob/admin@EXAMPLE.ORG carol/admin@EXAMPLE.ORG )
Note that this is a list of admin principals; this is done so that the same credentials can also be used to register machines in the KDC using the kdcregister tool.
As part of this work I’ve also added the necessary methods to support using kdcregister in the LCFG installer. Most sites use this and have up to now been duplicating the configuration. It can be enabled by specifying the LCFG_OPTIONS_KERBEROS_CLIENT_REGISTER macro prior to including the lcfg/options/kerberos-client.h header file.
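Putting the pieces above together, here is a constructed LCFG source profile fragment (added here as an example, not taken from the lcfg headers themselves) showing the ordering the text requires: the macros are defined before any header is included, and the pxeclient and apacheconf resources are the ones shown earlier. The host name, the realm EXAMPLE.ORG and the principal names are placeholders, and the split between a client profile and the LCFG server's profile is an assumption about how a site lays out its source.

```lcfg
/* ---- client profile (e.g. lcfg/example-host): constructed example ---- */

/* Both macros must be defined BEFORE the headers that consult them. */
#define LCFG_AUTH_GSSAPI                      /* GSSAPI profile fetch */
#define LCFG_OPTIONS_KERBEROS_CLIENT_REGISTER /* kdcregister in installer */

#include <lcfg/options/kerberos-client.h>
#include <lcfg/options/lcfg-client-gssapi.h>

/* Installer: select the kauth (lcfg.kauth=1) PXE entry for this client,
   exactly as in the pxeclient snippet above, but only when GSSAPI is on. */
#ifdef LINUX_EL7
#ifdef LCFG_AUTH_GSSAPI
!pxeclient.platforms     mREPLACE(sl7,sl7kauth)
!pxeclient.default_label mSUBST(sl7,sl7kauth)
#endif /* GSSAPI support enabled */
#endif /* LINUX_EL7 */

/* ---- LCFG server profile: constructed example ---- */

/* The XML profile ACL uses the apache group lcfgadmins; populate it with
   the admin principals so the same credentials also work for kdcregister. */
!apacheconf.groups             mADD(lcfgadmins)
!apacheconf.members_lcfgadmins mSET( alice/admin@EXAMPLE.ORG \
                                     bob/admin@EXAMPLE.ORG )
```

Remember that this header does not disable plain http access to the XML profile; that still has to be switched off on the apache virtual host or denied per client in the profile directory's .htaccess file.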