#2768 [RFE] Add CLI support to change Kerberos Ticket Flags
Closed: fixed 5 years ago Opened 11 years ago by simo.

The krbTicketFlags attribute allows changing the behavior of the KDC for specific principals.
We should have a specific tool to calculate the resulting set of flags (needs to be combined with default flags when the attribute is missing from an entry) and store the flags on a per user/host basis.

Some flags may be dangerous, not sure if we should present all of them by default.
More dangerous ones could simply be changed manually using --setattr.

The krbTicketFlags attribute is also currently not settable by admins; we need an ACI change to allow admins to write the attribute.


Should we make a special KDC admins role that will be able to apply these modifications instead of allowing it for all admins?

Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago

The following flags were added in https://pagure.io/freeipa/issue/3329 and https://fedorahosted.org/freeipa/ticket/5764

--requires-pre-auth=BOOL
    Pre-authentication is required for the service
--ok-as-delegate=BOOL
    Client credentials may be delegated to the service
--ok-to-auth-as-delegate=BOOL
    The service is allowed to authenticate on behalf of a client

In commits 5f26d2c and 1c73ac9

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
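
The flag calculation asked for in the description, combined with the three options listed in the comment above, as an added sketch that is not FreeIPA's own code. Assumptions: entries are plain dicts of attribute lists, the default when krbTicketFlags is absent is "pre-authentication required", and the bit values are the KRB5_KDB_* constants from MIT krb5's kdb.h.

```python
# Bit values as defined for KDB principal attributes in MIT krb5 (kdb.h).
FLAGS = {
    "requires-pre-auth": 0x00000080,       # KRB5_KDB_REQUIRES_PRE_AUTH
    "ok-as-delegate": 0x00100000,          # KRB5_KDB_OK_AS_DELEGATE
    "ok-to-auth-as-delegate": 0x00200000,  # KRB5_KDB_OK_TO_AUTH_AS_DELEGATE
}
# Assumption: the effective default when krbTicketFlags is absent is
# "pre-authentication required". Check the realm's actual default.
DEFAULT_FLAGS = FLAGS["requires-pre-auth"]


def effective_flags(entry, default=DEFAULT_FLAGS):
    """Return the flags in force for an LDAP entry given as a dict of lists."""
    values = entry.get("krbTicketFlags")
    if not values:
        return default
    return int(values[0])


def decode(value):
    """Split a bitmask into known flag names and any remaining unknown bits."""
    names = sorted(n for n, bit in FLAGS.items() if value & bit)
    unknown = value & ~sum(FLAGS.values())
    return names, unknown


def apply_changes(entry, changes, default=DEFAULT_FLAGS):
    """Compute the new krbTicketFlags value for {flag-name: bool} changes.

    Starts from the effective flags, so that setting one flag on an entry
    without the attribute does not silently clear the defaults, and leaves
    bits this tool does not know about untouched.
    """
    value = effective_flags(entry, default)
    for name, enabled in changes.items():
        bit = FLAGS[name]  # KeyError on a flag the tool does not expose
        value = value | bit if enabled else value & ~bit
    return value


if __name__ == "__main__":
    # Constructed sample entry, not taken from a real directory.
    host = {"krbPrincipalName": ["host/web.example.test@EXAMPLE.TEST"]}
    new = apply_changes(host, {"ok-as-delegate": True})
    print(hex(new), decode(new))
```

Writing only the requested bit to an entry that lacks the attribute would store 0x100000 and drop the pre-authentication requirement, which is the case the merge with defaults prevents.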
