In our setup, a service is running on some server machine, say, "sample/servername.domain" and a client for that service is running on a workstation (using the sample gssapi client and server code from the kerberos sources). Now, what is the proper way to do this in freeipa?
1. Allow users foo and bar to log in to the workstation but to no other machine of the kerberos realm.
2. Deny access to sample/servername.domain from any host except from the workstation.
3. Allow user foo access to the service.
4. Deny user bar access to the service.
5. Deny both users access to anything else on the server.

I don't quite understand how that fits into chapter 10/19 or 31 of the "Linux Domain Identity, Authentication, and Policy Guide" for RHEL 7. Chapter 10 deals with access to freeipa internal objects, and chapter 31 describes host based access control. But how is access control done for someuser@clientmachine -> service@servermachine?

Ciao

Dominik ^_^ ^_^

--
Dominik Vogt
