Chapter 49. Managing Kerberos flags
Kerberos flags are crucial for specifying authentication mechanisms, authorization levels, and security protocols within a Kerberos-enabled network environment. With Kerberos flags, you can ensure secure access control, protect against unauthorized access, and improve interoperability between different Kerberos implementations.
49.1. Kerberos flags for services and hosts
You can use various Kerberos flags to define specific aspects of Kerberos ticket behavior. You can add these flags to service and host Kerberos principals.
Principals in Identity Management (IdM) accept the following Kerberos flags:
OK_AS_DELEGATE
Use this flag to specify Kerberos tickets trusted for delegation. Active Directory (AD) clients check the OK_AS_DELEGATE flag on the Kerberos ticket to determine whether a user's credentials can be forwarded or delegated to a specific server. AD forwards the ticket-granting ticket (TGT) only to services or hosts with OK_AS_DELEGATE configured. With this flag, the System Security Services Daemon (SSSD) can add the AD user's TGT to the default Kerberos credentials cache on the IdM client machine.
REQUIRES_PRE_AUTH
Use this flag to specify that only pre-authenticated tickets are allowed to authenticate to a principal. With the REQUIRES_PRE_AUTH flag set, the key distribution center (KDC) requires additional authentication: the KDC issues the TGT for a principal with REQUIRES_PRE_AUTH only if the TGT has been pre-authenticated. You can clear REQUIRES_PRE_AUTH to disable pre-authentication for selected services or hosts. This lowers the load on the KDC, but it slightly increases the chance that a brute-force attack on a long-term key succeeds.
OK_TO_AUTH_AS_DELEGATE
Use the OK_TO_AUTH_AS_DELEGATE flag to specify that the service is allowed to obtain a Kerberos ticket on behalf of a user. Note that to obtain other tickets on behalf of the user, the service also needs the OK_AS_DELEGATE flag and a corresponding policy decision allowed on the key distribution center side.
49.2. Setting Kerberos flags from the Web UI
You can set Kerberos flags by using the IdM Web UI. The following procedure sets a Kerberos flag on a principal.
Procedure
- Select in the menu.
- Click the service to which you want to add the flags.
- Check the option that you want to set:
  - To set the OK_AS_DELEGATE flag, check Trusted for delegation.
  - To set the REQUIRES_PRE_AUTH flag, check Requires pre-authentication.
  - To set the OK_TO_AUTH_AS_DELEGATE flag, check Trusted to authenticate as user.
49.3. Setting and removing Kerberos flags from the command line
You can add or remove a Kerberos flag by using the command line. The ipa service-mod command uses the following options for the flags:
- --ok-as-delegate for OK_AS_DELEGATE
- --requires-pre-auth for REQUIRES_PRE_AUTH
- --ok-to-auth-as-delegate for OK_TO_AUTH_AS_DELEGATE
By setting an option value to 1, you enable the flag for a principal. By setting an option value to 0, you disable the flag.
The following procedure enables and disables the OK_AS_DELEGATE flag for the service/ipa.example.com@EXAMPLE.COM principal.
Procedure
- To add the OK_AS_DELEGATE flag to the service/ipa.example.com@EXAMPLE.COM principal, run:
    $ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=1
- To remove the OK_AS_DELEGATE flag from the service/ipa.example.com@EXAMPLE.COM principal, run:
    $ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=0
49.4. Displaying Kerberos flags from the command line
You can display a Kerberos flag setting by using the command line. The following procedure displays the OK_AS_DELEGATE flag for the demo/ipa.example.com@EXAMPLE.COM principal.
Procedure
To find out if OK_AS_DELEGATE is set for a principal:
- Run the kvno utility to obtain a service ticket for the principal:
    $ kvno demo/ipa.example.com@EXAMPLE.COM
- To display the flag setting, run the klist -f command. The O character in the Flags line of the ticket means that the OK_AS_DELEGATE flag is set on it (klist(1) lists O as "okay as delegate"):
    $ klist -f
    Ticket cache: KEYRING:persistent:0:0
    Default principal: admin@EXAMPLE.COM

    Valid starting       Expires              Service principal
    02/19/2024 09:59:02  02/20/2024 08:21:33  demo/ipa/example.com@EXAMPLE.COM
            Flags: FATO
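As an added example, not part of the Red Hat documentation or of the IdM tools, the following POSIX shell script automates the check described in this section and in the flag descriptions of section 49.1: it parses klist -f output, finds the Flags line that belongs to a given service principal, and expands each flag letter using the meanings documented in klist(1) (O for OK_AS_DELEGATE, A for a pre-authenticated ticket, which is the client-side trace of REQUIRES_PRE_AUTH). The KLIST_SAMPLE text is constructed in the shape of the output above; the krbtgt ticket in it is invented to show a ticket without the O flag. It goes beyond the page by decoding all of klist's flag letters, not only O.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: parse `klist -f`
# output and report which ticket flags are set for a given service principal.
# KLIST_SAMPLE is constructed to mimic klist -f output; the krbtgt ticket is
# invented so that there is one ticket with the O flag and one without it.
KLIST_SAMPLE='Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
02/19/2024 09:59:02  02/20/2024 08:21:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FIA
02/19/2024 09:59:02  02/20/2024 08:21:33  demo/ipa.example.com@EXAMPLE.COM
        Flags: FATO'

# flags_for <principal>: read klist -f output on stdin and print the Flags
# value of the ticket whose service principal matches exactly. Prints nothing
# if the principal has no ticket in the cache.
flags_for() {
    awk -v p="$1" '
        $NF == p               { want = 1; next }   # ticket line for the principal
        want && $1 == "Flags:" { print $2; exit }   # its Flags line comes right after
                               { want = 0 }         # any other line resets the match
    '
}

# has_flag <letter> <flagstring>: succeed if the letter appears in the string.
has_flag() {
    case "$2" in
        *"$1"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# ok_as_delegate_status <principal>: print "set" or "not set" for the ticket's
# OK_AS_DELEGATE flag, which klist(1) prints as the letter O. Reads stdin.
ok_as_delegate_status() {
    if has_flag O "$(flags_for "$1")"; then
        echo "set"
    else
        echo "not set"
    fi
}

# describe_flags <flagstring>: expand each letter using the meanings from
# klist(1), one per line.
describe_flags() {
    rest=$1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of the remaining string
        rest=${rest#?}          # drop it
        case "$c" in
            F) echo "F  forwardable" ;;
            f) echo "f  forwarded" ;;
            P) echo "P  proxiable" ;;
            p) echo "p  proxy" ;;
            D) echo "D  postdateable" ;;
            d) echo "d  postdated" ;;
            R) echo "R  renewable" ;;
            I) echo "I  initial" ;;
            i) echo "i  invalid" ;;
            H) echo "H  hardware authenticated" ;;
            A) echo "A  preauthenticated" ;;
            T) echo "T  transit policy checked" ;;
            O) echo "O  okay as delegate (OK_AS_DELEGATE)" ;;
            a) echo "a  anonymous" ;;
            *) echo "$c  unknown flag letter" ;;
        esac
    done
}

# Usage with the constructed sample (on a real client, pipe `klist -f` instead):
printf '%s\n' "$KLIST_SAMPLE" | ok_as_delegate_status demo/ipa.example.com@EXAMPLE.COM
describe_flags "$(printf '%s\n' "$KLIST_SAMPLE" | flags_for demo/ipa.example.com@EXAMPLE.COM)"
```

On a live client, replace the printf of the sample with `klist -f` itself; the parser keys on the exact service principal string, so pass it in the same form klist prints it (including the realm).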