Filed on behalf of Sanne from Cockpit team.
The idea is to be able to ssh into a target host as another user. So if I understand it correctly the service delegation target should be host/sshserver....
However this doesn't work via ipa servicedelegationtarget-add-member. To reproduce, in an ipa realm with 2 hosts joined:
ipa servicedelegationtarget-add-member
ipa service-add cockpitclient/sshclient.cockpit.lan@COCKPIT.LAN ipa service-add host/sshserver.cockpit.lan@COCKPIT.LAN ipa servicedelegationrule-add cockpit-delegation ipa servicedelegationtarget-add cockpit-target ipa servicedelegationrule-add-member cockpit-delegation --principals="cockpitclient/sshclient.cockpit.lan@COCKPIT.LAN" ipa servicedelegationrule-add-target cockpit-delegation --servicedelegationtargets="cockpit-target" ipa servicedelegationtarget-add-member cockpit-target --principals="host/sshserver.cockpit.lan@COCKPIT.LAN"
The last command fails, yet writing
dn: cn=cockpit-target,cn=s4u2proxy,cn=etc,dc=cockpit,dc=lan add:memberPrincipal:host/sshserver.cockpit.lan@COCKPIT.LAN
to a file and callingĀ ipa-ldap-updater does work.
ipa-ldap-updater
We need to add support to add hosts as a target which means adding --hosts option to servicedelegationtarget-add-member.
--hosts
servicedelegationtarget-add-member
PR: https://github.com/freeipa/freeipa/pull/4686
Metadata Update from @abbra: - Issue assigned to abbra
master:
ipa-4-8:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to Service delegation commands now support managing both host and service principals. Previously only service principals were supported.
Metadata Update from @abbra: - Custom field changelog reset (from Service delegation commands now support managing both host and service principals. Previously only service principals were supported.)
Login to comment on this ticket.