Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 37. Using constrained delegation in IdM

The constrained delegation enables one service to access other services on your behalf. You grant only limited authority for one service instead of giving full access to all your credentials.

37.1. Constrained delegation in Identity Management
Link kopieren

The Service for User to Proxy (S4U2proxy) extension provides a service that obtains a service ticket to another service on behalf of a user. This feature is known as constrained delegation. The second service is typically a proxy performing some work on behalf of the first service, under the authorization context of the user. Using constrained delegation eliminates the need for the user to delegate their full ticket-granting ticket (TGT).

Identity Management (IdM) traditionally uses the Kerberos S4U2proxy feature to allow the web server framework to obtain an LDAP service ticket on the user’s behalf. The IdM-AD trust system also uses constrained delegation to obtain a cifs principal.

You can use the S4U2proxy feature to configure a web console client to allow an IdM user that has authenticated with a smart card to achieve the following:

  • Run commands with superuser privileges on the RHEL host on which the web console service is running without being asked to authenticate again.
  • Access a remote host using SSH and access services on the host without being asked to authenticate again.

After logging in to a user account on the RHEL web console, you can connect to remote machines by using the SSH protocol. You can use the servicedelegationrule and servicedelegationtarget Ansible modules to configure the web console for the constrained delegation feature, which enables SSH connections without being asked to authenticate again.

In the example procedure, the web console session runs on the myhost.idm.example.com host and you configure it to access the remote.idm.example.com host by using SSH on behalf of the authenticated user.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT) on myhost.idm.example.com.
  • You have root access to remote.idm.example.com.
  • The host that runs the web console is a member of an IdM domain.

  • You have configured your Ansible control node to meet the following requirements:

    • You have installed the ansible-freeipa package.
    • The example assumes you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server in the ~/MyPlaybooks/ directory.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
  • The target node, that is the node on which the ansible-freeipa module runs, is part of the IdM domain as an IdM client, server, or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Store your sensitive variables in an encrypted file:

    1. Create the vault: 

      $ ansible-vault create secret.yml
New Vault password: <vault_password>
Confirm New Vault password: <vault_password>
      Copy to Clipboard Toggle word wrap

    2. After the ansible-vault create command opens an editor, enter the sensitive data in the <key>: <value> format: 

      ipaadmin_password: <admin_password>
      Copy to Clipboard Toggle word wrap
    3. Save the changes, and close the editor. Ansible encrypts the data in the vault.

  3. In the Terminal page, verify that the web console has created a Service for User to Proxy (S4U2proxy) Kerberos ticket in the user session: 

    $ klist
…
Valid starting     Expires            Service principal
05/20/25 09:19:06 05/21/25 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  4. Create a web-console-smart-card-ssh.yml playbook with the following content:

    1. Create a task that ensures the presence of a delegation target: 

      ---
- name: Playbook to create a constrained delegation target
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure servicedelegationtarget web-console-delegation-target is present
    ipaservicedelegationtarget:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-target
      Copy to Clipboard Toggle word wrap

    2. Add a task that adds the target host to the delegation target: 

        - name: Ensure servicedelegationtarget web-console-delegation-target member principal host/remote.idm.example.com@IDM.EXAMPLE.COM is present
    ipaservicedelegationtarget:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-target
      principal: host/remote.idm.example.com@IDM.EXAMPLE.COM
      action: member
      Copy to Clipboard Toggle word wrap

    3. Add a task that ensures the presence of a delegation rule: 

        - name: Ensure servicedelegationrule delegation-rule is present
    ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-rule
      Copy to Clipboard Toggle word wrap

    4. Add a task that ensures that the Kerberos principal of the web console client service is a member of the constrained delegation rule: 

        - name: Ensure the Kerberos principal of the web console client service is added to the servicedelegationrule web-console-delegation-rule
    ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-rule
      principal: HTTP/myhost.idm.example.com
      action: member
      Copy to Clipboard Toggle word wrap

    5. Add a task that ensures that the constrained delegation rule is associated with the web-console-delegation-target delegation target: 

        - name: Ensure a constrained delegation rule is associated with a specific delegation target
    ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: web-console-delegation-rule
      target: web-console-delegation-target
      action: member
      Copy to Clipboard Toggle word wrap

    6. Add a task that enable Kerberos authentication on remote.idm.example.com: 

        - name: Enable Kerberos authentication
    hosts: remote.idm.example.com
    vars:
      sshd_config:
        GSSAPIAuthentication: true
    roles:
      - role: rhel-system-roles.sshd
      Copy to Clipboard Toggle word wrap
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory web-console-smart-card-ssh.yml
    Copy to Clipboard Toggle word wrap

After you have logged in to a user account on the RHEL web console, as an Identity Management (IdM) system administrator you might need to run commands with superuser privileges. You can use the constrained delegation feature to run sudo on the system without being asked to authenticate again.

Follow this procedure to use the ipaservicedelegationrule and ipaservicedelegationtarget ansible-freeipa modules to configure a web console to use constrained delegation. In the example below, the web console session runs on the myhost.idm.example.com host.

Prerequisites

  • You have obtained an IdM admin ticket-granting ticket (TGT) by authenticating to the web console session with a smart card..
  • The web console service has been enrolled into IdM.
  • The myhost.idm.example.com host is present in IdM.
  • You have enabled admin sudo access to domain administrators on the IdM server.

  • The web console has created an S4U2Proxy Kerberos ticket in the user session. To verify that this is the case, log in to the web console as an IdM user, open the Terminal page, and enter: 

    $ klist
Ticket cache: FILE:/run/user/1894000001/cockpit-session-3692.ccache
Default principal: user@IDM.EXAMPLE.COM

Valid starting     Expires            Service principal
07/30/21 09:19:06 07/31/21 09:19:06 HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
07/30/21 09:19:06  07/31/21 09:19:06  krbtgt/IDM.EXAMPLE.COM@IDM.EXAMPLE.COM
        for client HTTP/myhost.idm.example.com@IDM.EXAMPLE.COM
    Copy to Clipboard Toggle word wrap

  • You have configured your Ansible control node to meet the following requirements:

    • You are using Ansible version 2.15 or later.
    • You have installed the freeipa.ansible_freeipa collection.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. On your Ansible control node, navigate to your ~/MyPlaybooks/ directory: 

    $ cd ~/MyPlaybooks/
    Copy to Clipboard Toggle word wrap

  2. Create a web-console-smart-card-sudo.yml playbook with the following content:

    1. Create a task that ensures the presence of a delegation target: 

      ---
- name: Playbook to create a constrained delegation target
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure servicedelegationtarget named sudo-web-console-delegation-target is present
    freeipa.ansible_freeipa.ipaservicedelegationtarget:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-target
      Copy to Clipboard Toggle word wrap

    2. Add a task that adds the target host to the delegation target: 

        - name: Ensure that a member principal named host/myhost.idm.example.com@IDM.EXAMPLE.COM is present in a service delegation target named sudo-web-console-delegation-target
    freeipa.ansible_freeipa.ipaservicedelegationtarget:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-target
      principal: host/myhost.idm.example.com@IDM.EXAMPLE.COM
      action: member
      Copy to Clipboard Toggle word wrap

    3. Add a task that ensures the presence of a delegation rule: 

        - name: Ensure servicedelegationrule named sudo-web-console-delegation-rule is present
    freeipa.ansible_freeipa.ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-rule
      Copy to Clipboard Toggle word wrap

    4. Add a task that ensures that the Kerberos principal of the web console service is a member of the constrained delegation rule: 

        - name: Ensure the Kerberos principal of the web console service is added to the service delegation rule named sudo-web-console-delegation-rule
    freeipa.ansible_freeipa.ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-rule
      principal: HTTP/myhost.idm.example.com
      action: member
      Copy to Clipboard Toggle word wrap

    5. Add a task that ensures that the constrained delegation rule is associated with the sudo-web-console-delegation-target delegation target: 

        - name: Ensure a constrained delegation rule is associated with a specific delegation target
    freeipa.ansible_freeipa.ipaservicedelegationrule:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: sudo-web-console-delegation-rule
      target: sudo-web-console-delegation-target
      action: member
      Copy to Clipboard Toggle word wrap
  3. Save the file.

  4. Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file: 

    $ ansible-playbook --vault-password-file=password_file -v -i inventory web-console-smart-card-sudo.yml
    Copy to Clipboard Toggle word wrap

  5. Enable pam_sss_gss, the PAM module for authenticating users over the Generic Security Service Application Program Interface (GSSAPI) in cooperation with the System Security Services Daemon (SSSD):

    1. Open the /etc/sssd/sssd.conf file for editing.

    2. Specify that pam_sss_gss can provide authentication for the sudo and sudo -i commands in IdM your domain: 

      [domain/idm.example.com]
pam_gssapi_services = sudo, sudo-i
      Copy to Clipboard Toggle word wrap
    3. Save and exit the file.
    4. Open the /etc/pam.d/sudo file for editing.

    5. Insert the following line to the top of the #%PAM-1.0 list to allow, but not require, GSSAPI authentication for sudo commands: 

      auth sufficient pam_sss_gss.so
      Copy to Clipboard Toggle word wrap
    6. Save and exit the file.

  6. Restart the SSSD service so that the above changes take effect immediately: 

    $ systemctl restart sssd
    Copy to Clipboard Toggle word wrap
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat