Hello,

Sorry for the delay, I was rather busy the past few days.

Well, I must say it sounds interesting. I will need to read up on s4u2proxy, but I'm very interested to see where this leads to.

Rob

2014-07-11 22:39 GMT+02:00 Dmitri Pal <d...@redhat.com>:
> On 07/05/2014 05:12 PM, Simo Sorce wrote:
>>
>> On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote:
>>>
>>> Hello,
>>>
>>> I've set up a host that mounts a kerberized nfs4 home drive.
>>> This all works fine; however, when logging in remotely with a user
>>> using ssh, the kerberos ticket is not set for that user.
>>> This requires either manually doing kinit or setting
>>> GSSAPIDelegateCredentials yes in either the .ssh config or in
>>> /etc/ssh.
>>>
>>> My issue is that
>>> Host *.some.domain
>>> GSSAPIDelegateCredentials yes
>>>
>>> in the user config or even in the global config is not a very clever
>>> thing to do, since that would imply that the kerberos credentials would
>>> be provided to every system that the user would ssh to in the
>>> some.domain network.
>>>
>>> Is there a clever way to do this in freeipa,
>>> like an addition to host based access, i.e. send the
>>> GSSAPIDelegateCredentials only for these hosts when using ssh?
>>
>> Unfortunately there is not.
>>
>> Simo.
>>
> What potentially can be done in this case is:
>
> 1) Use GSSAPI to log into this host.
> 2) Identify which kerberized services the user needs to be able to use once he
> logs into the system (NFS, ldap, cups, etc.)
> 3) Use GSSAPI for access to these services (if possible)
> 4) Configure GSS proxy to be used on the client side of these connections
> 5) Allow GSS proxy to do s4u2proxy from host ticket to the services ticket
> 6) Configure constrained delegation on the server side (IPA) to allow
> s4u2proxy. It is not exposed in UI/CLI. It has to be done via ldap.
>
> There will be dragons as I doubt this has been done, but the long term plan
> is to make it possible.
> By trying and reporting issues you would help us to make it possible sooner.
> If you are interested we can drill down into more details.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
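As an added illustration of step 6 above (not part of the thread), this LDIF follows the shape FreeIPA uses under cn=s4u2proxy,cn=etc for its own HTTP-to-LDAP delegation rule; the hostname, realm and suffix are placeholders, and applying the same objectClasses to a client host principal is an assumption of this example.

```ldif
# Rule: which principal is allowed to perform s4u2proxy.
# PLACEHOLDERS: client.some.domain, SOME.DOMAIN, dc=some,dc=domain
dn: cn=nfs-client-delegation,cn=s4u2proxy,cn=etc,dc=some,dc=domain
changetype: add
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: nfs-client-delegation
# The host the user logs into via ssh (step 1); its keytab is what
# gss-proxy uses to request service tickets on the user's behalf.
memberPrincipal: host/client.some.domain@SOME.DOMAIN
# Only targets listed in the referenced entry may be requested.
ipaAllowedTarget: cn=nfs-client-delegation-targets,cn=s4u2proxy,cn=etc,dc=some,dc=domain

# Targets: the kerberized services identified in step 2.
dn: cn=nfs-client-delegation-targets,cn=s4u2proxy,cn=etc,dc=some,dc=domain
changetype: add
objectClass: ipaKrb5DelegationTarget
objectClass: groupOfPrincipals
objectClass: top
cn: nfs-client-delegation-targets
# One memberPrincipal per service the host may obtain tickets for.
memberPrincipal: nfs/nfsserver.some.domain@SOME.DOMAIN
```

The target entry is what makes this narrower than a blanket GSSAPIDelegateCredentials yes: the host can obtain tickets only for the listed services, and the user's TGT is never handed to the host.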