[Freeipa-users] GSSAPIDelegateCredentials yes

Dmitri Pal dpal at redhat.com
Fri Jul 11 20:39:09 UTC 2014


On 07/05/2014 05:12 PM, Simo Sorce wrote:
> On Sat, 2014-07-05 at 15:01 +0200, Rob Verduijn wrote:
>> Hello,
>>
>> I've set up host that mounts a kerberized nfs4 homedrive.
>> This all works fine, however when logging in remotely with a user
>> using ssh the kerberos ticket is not set for that user.
>> This requires either manually doing kinit or setting the
>> GSSAPIDelegateCredentials yes in either .ssh config or in the
>> /etc/ssh.
>>
>> My issue is that
>> Host  *.some.domain
>>     GSSAPIDelegateCredentials yes
>>
>> In the user config or even in the global config is not a very clever
>> thing to do since that would imply that the kerberos credentials would
>> be provided to every system that the user would ssh to in the
>> some.domain network.
>>
>> Is there a clever way to do this in freeipa
>> like an addition to host-based access, i.e. send the
>> GSSAPIDelegateCredentials only for these hosts when using ssh?
> Unfortunately there is not.
>
> Simo.
>
What potentially can be done in this case is:

1) Use GSSAPI to log into this host.
2) Identify which kerberized services the user needs to be able to use once 
he logs into the system (NFS, LDAP, CUPS, etc.)
3) Use GSSAPI for access to these services (if possible)
4) Configure GSS proxy to be used on the client side of these connections
5) Allow GSS proxy to do s4u2proxy from host ticket to the services ticket
6) Configure constrained delegation on the server side (IPA) to allow 
s4u2proxy. It is not exposed in the UI or CLI; it has to be done via LDAP.

There will be dragons as I doubt this has been done but the long term 
plan is to make it possible.
By trying and reporting issues you would help us to make it possible sooner.
If you are interested we can drill down into more details.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
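Step 6 of the plan above, written out as an added example (it is not from this thread and not the FreeIPA project's own code): a constrained-delegation rule that lets the NFS client's host principal obtain a ticket for the NFS server on behalf of a user who logged in over GSSAPI SSH, which is what GSS proxy needs in step 5. FreeIPA stores these rules as entries under cn=s4u2proxy,cn=etc,$SUFFIX. The suffix dc=example,dc=com, the realm EXAMPLE.COM and the hostnames client.some.domain and nfs.some.domain are assumptions; substitute your own.

```ldif
# Added example, not from the original thread or the FreeIPA project.
# Assumed: suffix dc=example,dc=com, realm EXAMPLE.COM, NFS client
# client.some.domain, NFS server nfs.some.domain.
# Apply as an IPA admin with: ldapmodify -Y GSSAPI -f delegation.ldif

# Target list: the only service principals the rule may obtain tickets for.
# Keep it to exactly the services the user needs after login (least privilege).
dn: cn=nfs-client-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: nfs-client-delegation-targets
memberPrincipal: nfs/nfs.some.domain@EXAMPLE.COM

# Rule: the client host's principal (whose key is in its /etc/krb5.keytab and
# used by sshd and GSS proxy) is allowed to perform s4u2proxy to the targets.
dn: cn=nfs-client-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: add
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: nfs-client-delegation
memberPrincipal: host/client.some.domain@EXAMPLE.COM
ipaAllowedTarget: cn=nfs-client-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
```

Two caveats a practitioner should keep in mind. First, this is only the server-side permission: the client host still needs a working GSS proxy setup that actually performs the s4u2proxy request, and until that is in place the rule grants nothing usable. Second, a host listed in an ipaKrb5DelegationACL can impersonate any user who has authenticated to it towards every principal in its target list, so add one target principal per service rather than a wildcard-style group, and treat the client host's keytab as high-value.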