A year ago, freeipa fixed ipa servicedelegationtarget-add-member for particular host principals in issue #8289. We have an HTTP/sshclient.cockpit.lan@COCKPIT.LAN principal which is owned by cockpit running on sshclient. We want to set up delegation rules so that cockpit can create S4U tickets for a user (identified via other means, in this case a smart card) and allow this delegated ticket to be used with ssh, so that user@sshclient can ssh to sshserver with that ticket.
This gets configured like this:
```
ipa servicedelegationtarget-add cockpit-target
ipa servicedelegationtarget-add-member cockpit-target --principals="host/sshserver.cockpit.lan@COCKPIT.LAN"
ipa servicedelegationrule-add cockpit-delegation
ipa servicedelegationrule-add-member cockpit-delegation --principals="HTTP/sshclient.cockpit.lan@COCKPIT.LAN"
ipa servicedelegationrule-add-target cockpit-delegation --servicedelegationtargets="cockpit-target"
```
This is fine for a single "sshserver" host, but quickly gets out of hand if you want to talk to more hosts. Some naïve attempts fail:
```
ipa servicedelegationtarget-add-member cockpit-target --principals="host/*.cockpit.lan@COCKPIT.LAN"
ipa servicedelegationtarget-add-member cockpit-target --principals="host/"
```
Is there some way to more broadly allow delegation targets to the whole network?
No, there is no way to do so. You need to add members individually. Kerberos principals do not have any way to specify grouping by * or other symbols. There is no mechanism in the KDB driver to apply pattern matching.
Thanks @abbra: Is there some different way to set up "broad" trust/delegation rules that avoids specifying host principals at all?
No. The delegation rules must be specific because they are basically granting too much power to the principals which are allowed to operate on behalf of the users.
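Since the answer above is that every target host principal has to be enumerated explicitly, the practical way to keep a delegation target in step with a growing fleet is to drive the `ipa` commands from a host list. The script below is an added example, not code from the ticket or from FreeIPA itself. It assumes the realm, rule and target names used in the thread; the host list is constructed for illustration and would normally come from an inventory or from `ipa host-find`. Setting `IPA=echo` turns it into a dry run that only prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the FreeIPA ticket): enroll host principals in a
# service delegation target one at a time, because the KDB does not support
# wildcards such as host/*.cockpit.lan@REALM.
# Assumptions: realm, rule and target names from the thread; host list constructed.
set -eu

REALM="${REALM:-COCKPIT.LAN}"
TARGET="${TARGET:-cockpit-target}"
RULE="${RULE:-cockpit-delegation}"
HTTP_PRINCIPAL="${HTTP_PRINCIPAL:-HTTP/sshclient.cockpit.lan@$REALM}"
IPA="${IPA:-ipa}"   # set IPA=echo for a dry run that only prints the commands

# host_principal FQDN -> host/FQDN@REALM (the exact form the target must hold)
host_principal() {
  printf 'host/%s@%s\n' "$1" "$REALM"
}

# create_rule: the one-off part of the setup (target, rule, and the single
# HTTP service principal allowed to obtain S4U2proxy tickets)
create_rule() {
  "$IPA" servicedelegationtarget-add "$TARGET"
  "$IPA" servicedelegationrule-add "$RULE"
  "$IPA" servicedelegationrule-add-member "$RULE" --principals="$HTTP_PRINCIPAL"
  "$IPA" servicedelegationrule-add-target "$RULE" --servicedelegationtargets="$TARGET"
}

# add_target_members FQDN...: one add-member call per host, so a host that is
# already a member (ipa reports that as a failure) does not abort the rest
add_target_members() {
  for h in "$@"; do
    p=$(host_principal "$h")
    "$IPA" servicedelegationtarget-add-member "$TARGET" --principals="$p" \
      || echo "skipped $p (already a member or host not found)" >&2
  done
}

# Constructed example host list; in practice feed this from an inventory.
EXAMPLE_HOSTS="sshserver.cockpit.lan sshserver2.cockpit.lan"

if [ "${1:-}" = "--run" ]; then
  create_rule
  # shellcheck disable=SC2086
  add_target_members $EXAMPLE_HOSTS
fi
```

Keeping the member list in version control next to this script also gives reviewers a visible record of exactly which hosts the HTTP principal may impersonate users towards, which is the point @abbra makes about the rules having to stay specific.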