#8927 Add a way to setup a servicedelegationrule for all hosts in domain
Opened 2 years ago by martinpitt. Modified 2 years ago

Request for enhancement

A year ago, freeipa fixed ipa servicedelegationtarget-add-member for particular host principals in issue #8289. We have a HTTP/sshclient.cockpit.lan@COCKPIT.LAN principal which is owned by cockpit running on sshclient. We want to set up delegation rules so that cockpit can create S4U tickets for a user (identified via other means, in this case a smart card) and allow this delegated ticket to be used with ssh, so that user@sshclient can ssh to sshserver with that ticket.

This gets configured like this:

ipa servicedelegationtarget-add cockpit-target
ipa servicedelegationtarget-add-member cockpit-target --principals="host/sshserver.cockpit.lan@COCKPIT.LAN"
ipa servicedelegationrule-add cockpit-delegation
ipa servicedelegationrule-add-member cockpit-delegation --principals="HTTP/sshclient.cockpit.lan@COCKPIT.LAN"
ipa servicedelegationrule-add-target cockpit-delegation --servicedelegationtargets="cockpit-target"

This is fine for a single "sshserver" host, but quickly gets out of hand if you want to talk to more hosts. Some naïve attempts fail:

ipa servicedelegationtarget-add-member cockpit-target --principals="host/*.cockpit.lan@COCKPIT.LAN"
ipa servicedelegationtarget-add-member cockpit-target --principals="host/"

Is there some way to more broadly allow delegation targets to the whole network?


No, there is no way to do so. You need to add members individually. Kerberos principals do not have any way to specify grouping by * or other symbols. There is no mechanism in KDB driver to apply pattern matching.
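Since members have to be added one principal at a time, the practical answer is to script the enumeration. The following is an added example, not code from this ticket, from Cockpit or from FreeIPA. It assumes the names used in the ticket (realm COCKPIT.LAN, target cockpit-target, rule cockpit-delegation, Cockpit's principal HTTP/sshclient.cockpit.lan), takes a constructed list of host names as input, refuses wildcard entries instead of passing them to ipa, and by default only prints the ipa commands it would run (DRY_RUN=1) so it can be reviewed before touching the server.

```shell
#!/bin/sh
# Added example; not code from the ticket, from Cockpit or from FreeIPA.
# It does what the answer above requires: enumerate the hosts that should be
# delegation targets and add each host principal individually, because the
# KDC does no pattern matching and "host/*.cockpit.lan" is refused.
# Assumed names: realm COCKPIT.LAN, target cockpit-target, rule
# cockpit-delegation, Cockpit's principal HTTP/sshclient.cockpit.lan.
# The host list below is constructed for the example; in a real deployment it
# would come from an inventory or from "ipa host-find --pkey-only --raw"
# filtered to the fqdn values. DRY_RUN=1 (default) prints instead of running.
set -eu

REALM="${REALM:-COCKPIT.LAN}"
TARGET="${TARGET:-cockpit-target}"
RULE="${RULE:-cockpit-delegation}"
CLIENT="${CLIENT:-HTTP/sshclient.cockpit.lan@$REALM}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample input, one FQDN per line. The wildcard entry is there to
# show that it is skipped rather than turned into a bogus principal.
SAMPLE_HOSTS='sshserver.cockpit.lan
sshserver2.cockpit.lan
*.cockpit.lan'

# Print the host principal for an FQDN and realm. Fails (status 1, no output)
# for empty names or names containing * ? / @, which can never be a concrete
# principal component that the KDB driver would match.
host_principal() {
    case "$1" in
        ''|*'*'*|*'?'*|*'/'*|*'@'*) return 1 ;;
    esac
    printf 'host/%s@%s\n' "$1" "$2"
}

# Print (DRY_RUN=1) or execute an ipa command.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create target and rule, bind Cockpit's principal to the rule, add one member
# per host, then show the target so the resulting member list can be reviewed.
# The last line of stdout is the number of hosts added.
setup_delegation() {
    hosts="$1"
    run ipa servicedelegationtarget-add "$TARGET"
    run ipa servicedelegationrule-add "$RULE"
    run ipa servicedelegationrule-add-member "$RULE" --principals="$CLIENT"
    run ipa servicedelegationrule-add-target "$RULE" --servicedelegationtargets="$TARGET"
    n=0
    while IFS= read -r fqdn; do
        [ -n "$fqdn" ] || continue
        if princ=$(host_principal "$fqdn" "$REALM"); then
            run ipa servicedelegationtarget-add-member "$TARGET" --principals="$princ"
            n=$((n + 1))
        else
            echo "skipping '$fqdn': not a concrete host principal" >&2
        fi
    done <<EOF
$hosts
EOF
    run ipa servicedelegationtarget-show "$TARGET"
    echo "$n"
}

# Usage: sh delegation-targets.sh hosts.txt   (set DRY_RUN=0 to really run it)
if [ "$#" -gt 0 ]; then
    setup_delegation "$(cat "$1")"
fi
```

The host file is the policy here: whatever lands in it becomes a host that Cockpit can impersonate users towards, so it should be the explicit list of SSH targets rather than every host in the domain. The servicedelegationtarget-add and servicedelegationrule-add steps fail if the objects already exist, so on a rerun only the add-member loop is needed.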

Thanks @abbra : Is there some different way to set up "broad" trust/delegation rules that avoids specifying host principals at all?

No. The delegation rules must be specific because they are basically granting too much power to the principals which are allowed to operate on behalf of the users.
