Re: [Freeipa-users] GSSAPIDelegateCredentials yes
Hello,

Sorry for the delay, I was rather busy the past few days.
Well I must say it sounds interesting, I will need to read up on s4u2proxy, but I'm very interested to see where this leads.

Rob

2014-07-11 22:39 GMT+02:00 Dmitri Pal d...@redhat.com:
> On 07/05/2014 05:12 PM, Simo Sorce wrote:
>> On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote:
>>> Hello,
>>>
>>> I've set up a host that mounts a kerberized nfs4 home drive.
>>> This all works fine, however when logging in remotely with a user using ssh the kerberos ticket is not set for that user.
>>> This requires either manually doing kinit or setting "GSSAPIDelegateCredentials yes" in either the .ssh config or in /etc/ssh.
>>>
>>> My issue is that
>>>
>>>     Host *.some.domain
>>>         GSSAPIDelegateCredentials yes
>>>
>>> in the user config or even in the global config is not a very clever thing to do, since that would imply that the kerberos credentials would be provided to every system that the user would ssh to in the some.domain network.
>>>
>>> Is there a clever way to do this in freeipa, like an addition to host based access, i.e. send the GSSAPIDelegateCredentials only for these hosts when using ssh?
>>
>> Unfortunately there is not.
>>
>> Simo.
>
> What potentially can be done in this case is:
>
> 1) Use GSSAPI to log into this host.
> 2) Identify which kerberized services the user needs to be able to use once he logs into the system (NFS, ldap, cups, etc.)
> 3) Use GSSAPI for access to these services (if possible)
> 4) Configure GSS proxy to be used on the client side of these connections
> 5) Allow GSS proxy to do s4u2proxy from the host ticket to the services' ticket
> 6) Configure constrained delegation on the server side (IPA) to allow s4u2proxy.
>
> It is not exposed in UI CLI. It has to be done via ldap.
>
> There will be dragons as I doubt this has been done, but the long term plan is to make it possible. By trying and reporting issues you would help us to make it possible sooner.
>
> If you are interested we can drill down into more details.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] GSSAPIDelegateCredentials yes
On 07/05/2014 05:12 PM, Simo Sorce wrote:
> On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote:
>> Hello,
>>
>> I've set up a host that mounts a kerberized nfs4 home drive.
>> This all works fine, however when logging in remotely with a user using ssh the kerberos ticket is not set for that user.
>> This requires either manually doing kinit or setting "GSSAPIDelegateCredentials yes" in either the .ssh config or in /etc/ssh.
>>
>> My issue is that
>>
>>     Host *.some.domain
>>         GSSAPIDelegateCredentials yes
>>
>> in the user config or even in the global config is not a very clever thing to do, since that would imply that the kerberos credentials would be provided to every system that the user would ssh to in the some.domain network.
>>
>> Is there a clever way to do this in freeipa, like an addition to host based access, i.e. send the GSSAPIDelegateCredentials only for these hosts when using ssh?
>
> Unfortunately there is not.
>
> Simo.

What potentially can be done in this case is:

1) Use GSSAPI to log into this host.
2) Identify which kerberized services the user needs to be able to use once he logs into the system (NFS, ldap, cups, etc.)
3) Use GSSAPI for access to these services (if possible)
4) Configure GSS proxy to be used on the client side of these connections
5) Allow GSS proxy to do s4u2proxy from the host ticket to the services' ticket
6) Configure constrained delegation on the server side (IPA) to allow s4u2proxy.

It is not exposed in UI CLI. It has to be done via ldap.

There will be dragons as I doubt this has been done, but the long term plan is to make it possible. By trying and reporting issues you would help us to make it possible sooner.

If you are interested we can drill down into more details.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
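Step 6 of the plan above, written out as an added example that is not part of the thread: an LDIF fragment for the constrained-delegation ACL that IPA keeps under cn=s4u2proxy,cn=etc, allowing the client host's principal to obtain tickets on a user's behalf for the NFS service only. The hostnames, realm and suffix (client.some.domain, nfs.some.domain, SOME.DOMAIN, dc=some,dc=domain) are placeholders; the ipaKrb5DelegationACL / groupOfPrincipals object classes and the memberPrincipal / ipaAllowedTarget attributes are the ones IPA itself uses for its HTTP-to-LDAP delegation rule.

```ldif
# Added example (placeholder names); load with:
#   ldapadd -x -D "cn=Directory Manager" -W -f s4u2proxy-nfs.ldif

# Rule: which principal is allowed to perform S4U2Proxy at all.
# Only the host principal of the ssh/NFS client box is listed, so a
# forwarded TGT is no longer needed on that box and no other host
# gains the ability to impersonate users.
dn: cn=nfs-client-delegation,cn=s4u2proxy,cn=etc,dc=some,dc=domain
changetype: add
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: nfs-client-delegation
memberPrincipal: host/client.some.domain@SOME.DOMAIN
ipaAllowedTarget: cn=nfs-delegation-targets,cn=s4u2proxy,cn=etc,dc=some,dc=domain

# Targets: the only services the rule above may obtain tickets for.
# Keeping this list to the NFS server is what makes the delegation
# "constrained"; adding ldap/ or ipp/ principals here is the
# counterpart of step 2 (services the user actually needs).
dn: cn=nfs-delegation-targets,cn=s4u2proxy,cn=etc,dc=some,dc=domain
changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: nfs-delegation-targets
memberPrincipal: nfs/nfs.some.domain@SOME.DOMAIN
```

After loading, an ldapsearch under cn=s4u2proxy,cn=etc,dc=some,dc=domain for objectClass=ipaKrb5DelegationACL is the quickest way to audit which principals in the realm are permitted to impersonate users and towards which services.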
Re: [Freeipa-users] GSSAPIDelegateCredentials yes
On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote:
> Hello,
>
> I've set up a host that mounts a kerberized nfs4 home drive.
> This all works fine, however when logging in remotely with a user using ssh the kerberos ticket is not set for that user.
> This requires either manually doing kinit or setting "GSSAPIDelegateCredentials yes" in either the .ssh config or in /etc/ssh.
>
> My issue is that
>
>     Host *.some.domain
>         GSSAPIDelegateCredentials yes
>
> in the user config or even in the global config is not a very clever thing to do, since that would imply that the kerberos credentials would be provided to every system that the user would ssh to in the some.domain network.
>
> Is there a clever way to do this in freeipa, like an addition to host based access, i.e. send the GSSAPIDelegateCredentials only for these hosts when using ssh?

Unfortunately there is not.

Simo.

--
Simo Sorce * Red Hat, Inc * New York