On 07/05/2014 05:12 PM, Simo Sorce wrote:
On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote:
Hello,

I've set up a host that mounts a kerberized nfs4 homedrive.
This all works fine, however when logging in remotely with a user
using ssh the kerberos ticket is not set for that user.
This requires either manually doing kinit or setting the
GSSAPIDelegateCredentials yes in either .ssh config or in the
/etc/ssh.

My issue is that
Host  *.some.domain
    GSSAPIDelegateCredentials yes

In the user config or even in the global config is not a very clever
thing to do since that would imply that the kerberos credentials would
be provided to every system that the user would ssh to in the
some.domain network.

Is there a clever way to do this in freeipa,
like an addition to host based access, i.e. send the
GSSAPIDelegateCredentials only for these hosts when using ssh?
Unfortunately there is not.

Simo.

What potentially can be done in this case is:

1) Use GSSAPI to log into this host.
2) Identify which kerberized services the user needs to be able to use once he logs into the system (NFS, ldap, cups, etc.)
3) Use GSSAPI for access to these services (if possible)
4) Configure GSS proxy to be used on the client side of these connections
5) Allow GSS proxy to do s4u2proxy from host ticket to the services ticket
6) Configure constrained delegation on the server side (IPA) to allow s4u2proxy. It is not exposed in the UI or CLI. It has to be done via ldap.

There will be dragons as I doubt this has been done but the long term plan is to make it possible.
By trying and reporting issues you would help us to make it possible sooner.
If you are interested we can drill down into more details.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
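As an added example (not from the thread or the FreeIPA project), this is the LDAP side of step 6: a script that generates the constrained delegation entries allowing one login host's principal to obtain, via s4u2proxy, a ticket for one NFS service principal only. It assumes the FreeIPA s4u2proxy container (cn=s4u2proxy,cn=etc,$SUFFIX) with the ipaKrb5DelegationACL and groupOfPrincipals object classes; the suffix, realm, host and NFS names are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit LDIF for an IPA constrained delegation rule.
# Assumed container and object classes: cn=s4u2proxy,cn=etc,$SUFFIX,
# ipaKrb5DelegationACL, groupOfPrincipals. Names below are constructed.

SUFFIX="dc=some,dc=domain"
REALM="SOME.DOMAIN"

# s4u2proxy_ldif RULE DELEGATING_PRINCIPAL TARGET_PRINCIPAL
# Prints two entries: the rule (which principal may delegate) and its
# target list (which service principals it may obtain tickets for).
s4u2proxy_ldif() {
    rule="$1"; who="$2"; target="$3"
    base="cn=s4u2proxy,cn=etc,$SUFFIX"
    printf '%s\n' \
        "dn: cn=$rule,$base" \
        "objectClass: ipaKrb5DelegationACL" \
        "objectClass: groupOfPrincipals" \
        "objectClass: top" \
        "cn: $rule" \
        "memberPrincipal: $who" \
        "ipaAllowedTarget: cn=$rule-targets,$base" \
        "" \
        "dn: cn=$rule-targets,$base" \
        "objectClass: groupOfPrincipals" \
        "objectClass: top" \
        "cn: $rule-targets" \
        "memberPrincipal: $target"
}

# Count the service principals in the generated target list. A narrow
# rule lists exactly one target; this check catches accidental widening.
s4u2proxy_target_count() {
    s4u2proxy_ldif "$@" | sed '1,/^$/d' | grep -c '^memberPrincipal:'
}

# Constructed usage: the ssh login host may fetch NFS tickets, nothing else.
s4u2proxy_ldif nfs-home-delegation \
    "host/login1.some.domain@$REALM" "nfs/nfs1.some.domain@$REALM"
# Apply (not run here), authenticating as an IPA admin:
#   s4u2proxy_ldif ... | ldapmodify -a -H ldaps://ipa.some.domain -Y GSSAPI
```

Because the rule is keyed on the login host's own principal, each host that should reach the kerberized homedrive gets its own rule/target pair rather than a wildcard, which is what keeps the delegation constrained.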

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project