Sorry for the delay, I was rather busy the past few days.
Well I must say it sounds interesting, I will need to read up on
s4u2proxy, but I'm very interested to see where this leads to.
2014-07-11 22:39 GMT+02:00 Dmitri Pal <d...@redhat.com>:
> On 07/05/2014 05:12 PM, Simo Sorce wrote:
>> On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote:
>>> I've set up host that mounts a kerberized nfs4 homedrive.
>>> This all works fine, however when logging in remotely with a user
>>> using ssh the kerberos ticket is not set for that user.
>>> This requires either manually doing kinit or setting the
>>> GSSAPIDelegateCredentials yes in either .ssh config or in the
>>> My issue is that
>>> Host *.some.domain
>>> GSSAPIDelegateCredentials yes
>>> In the user config or even in the global config is not a very clever
>>> thing to do since that would imply that the kerberos credentials would
>>> be provided to every system that the user would ssh to in the
>>> some.domain network.
>>> Is there a clever way to do this in freeipa
>>> like an adition to host based access, ie send the
>>> GSSAPIDelegateCredentials only for these hosts when using ssh?
>> Unfortunately there is not.
> What potentially can be done in this case is:
> 1) Use GSSAPI to log into this host.
> 2) Identify which kerberized services user needs to be able to use once he
> logs into the system (NFS, ldap, cups, etc.)
> 3) Use GSSAPI for access to these services (if possible)
> 4) Configure GSS proxy to be used on the client side of these connections
> 5) Allow GSS proxy to do s4u2proxy from host ticket to the services ticket
> 6) Configure constrained delegation on the server side (IPA) to allow
> s4u2proxy. It is not exposed in UI CLI. It has to be done via ldap.
> There will be dragons as I doubt this has been done but the long term plan
> is to make it possible.
> By trying and reporting issues you would help us to make it possible sooner.
> If you are interested we can drill down into more details.
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> Manage your subscription for the Freeipa-users mailing list:
> Go To http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project