The krbTicketFlags attribute allows changing the behavior of the KDC for specific principals. We should have a specific tool to calculate the resulting set of flags (needs to be combined with default flags when the attribute is missing from an entry) and store the flags on a per user/host basis.
Some flags may be dangerous, not sure if we should present all of them by default. More dangerous ones could simply be changed manually using --setattr.
The krbTicketFlags attribute is also currently not settable by admins; we need an ACI change to allow admins to write the attribute.
Should we make a special KDC admins role that will be able to apply these modifications instead of allowing it for all admins?
Metadata Update from @simo: - Issue assigned to someone - Issue set to the milestone: Ticket Backlog
The following flags were added in https://pagure.io/freeipa/issue/3329 and https://fedorahosted.org/freeipa/ticket/5764
  --requires-pre-auth=BOOL       Pre-authentication is required for the service
  --ok-as-delegate=BOOL          Client credentials may be delegated to the service
  --ok-to-auth-as-delegate=BOOL  The service is allowed to authenticate on behalf of a client
In commits 5f26d2c and 1c73ac9
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
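The flag calculation the ticket asks for, as an added sketch that is not FreeIPA's own code: it combines an entry's krbTicketFlags with a default when the attribute is missing and toggles only the three options listed above. The function names, the default value and the sample entries are assumptions made for this example.

```python
# Added example. Bit values are the KRB5_KDB_* constants from MIT krb5's kdb.h.
FLAGS = {
    "requires-pre-auth": 0x00000080,       # KRB5_KDB_REQUIRES_PRE_AUTH
    "ok-as-delegate": 0x00100000,          # KRB5_KDB_OK_AS_DELEGATE
    "ok-to-auth-as-delegate": 0x00200000,  # KRB5_KDB_OK_TO_AUTH_AS_DELEGATE
}
# Assumption for this sketch: the default when the attribute is missing is
# "pre-authentication required". Read the real default from your deployment.
ASSUMED_DEFAULT = FLAGS["requires-pre-auth"]


def effective_flags(entry, default=ASSUMED_DEFAULT):
    """Flags in effect: the entry's own krbTicketFlags, else the default."""
    values = entry.get("krbTicketFlags")
    if not values:                 # attribute missing from the entry
        return default
    return int(values[0])          # an explicit "0" is a value, not "missing"


def apply_options(entry, options, default=ASSUMED_DEFAULT):
    """Set or clear only the named flags; every other bit is preserved."""
    flags = effective_flags(entry, default)
    for name, enabled in options.items():
        if name not in FLAGS:
            raise ValueError(f"unsupported flag option: {name}")
        if enabled is None:        # option not given on the command line
            continue
        flags = flags | FLAGS[name] if enabled else flags & ~FLAGS[name]
    return flags


def describe(flags):
    """Return (names of known flags set, remaining bits this tool does not manage)."""
    known = sorted(n for n, bit in FLAGS.items() if flags & bit)
    return known, flags & ~sum(FLAGS.values())


if __name__ == "__main__":
    # Constructed sample entries (not taken from a real directory).
    samples = [{}, {"krbTicketFlags": ["0"]}, {"krbTicketFlags": ["4224"]}]
    for entry in samples:
        new = apply_options(entry, {"ok-as-delegate": True})
        print(entry, "->", new, describe(new))
```

Starting from the default when the attribute is absent keeps a first write from silently dropping pre-authentication, and masking only the managed bits leaves flags set by other means (for example via --setattr) intact.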