Chapter 20. Managing Kerberos Flags and Principal Aliases
20.1. Kerberos Flags for Services and Hosts
Kerberos flags control specific aspects of how the key distribution center (KDC) issues and treats tickets for a principal. You can set these flags on service and host Kerberos principals.
Principals in Identity Management (IdM) accept the following Kerberos flags:
- OK_AS_DELEGATE: marks the principal's tickets as trusted for delegation. Active Directory (AD) clients check the OK_AS_DELEGATE flag on a service ticket to decide whether the user's credentials may be forwarded or delegated to that server: AD forwards the ticket-granting ticket (TGT) only to services or hosts with OK_AS_DELEGATE set. With the flag set, the System Security Services Daemon (SSSD) can add the AD user's TGT to the default Kerberos credential cache on the IdM client. Because a service with this flag ends up holding the user's forwarded TGT, set it only on services that genuinely need to act with the user's full credentials.
- REQUIRES_PRE_AUTH: the KDC issues a TGT for the principal only after the client has pre-authenticated, that is, proved knowledge of the principal's long-term key in the AS-REQ. You can clear REQUIRES_PRE_AUTH to disable pre-authentication for selected services or hosts, which lowers the load on the KDC but slightly increases the chance that a brute-force attack on the long-term key succeeds: without pre-authentication the KDC returns an AS-REP encrypted under that key to any requester, who can then attack it offline.
- OK_TO_AUTH_AS_DELEGATE: allows the service to obtain a Kerberos ticket on behalf of a user (protocol transition, S4U2Self). This flag alone is enough to perform protocol transition; to obtain tickets to other services on behalf of the user, the service also needs the OK_AS_DELEGATE flag and a corresponding delegation policy permitting it on the KDC side.
20.1.1. Setting Kerberos Flags from the Web UI
To add OK_AS_DELEGATE, REQUIRES_PRE_AUTH, or OK_TO_AUTH_AS_DELEGATE to a principal:
- Select the Services subtab, accessible through the Identity main tab.
Figure 20.1. List of Services
- Click on the service to which you want to add the flags.
- Check the option that you want to set. For example, to set the REQUIRES_PRE_AUTH flag, check the Requires pre-authentication option:
Figure 20.2. Adding the REQUIRES_PRE_AUTH flag
The following table lists the names of the Kerberos flags and the corresponding option names in the Web UI:
Table 20.1. Kerberos flags' mapping in the Web UI
| Kerberos flag name | Web UI option |
|---|---|
| OK_AS_DELEGATE | Trusted for delegation |
| REQUIRES_PRE_AUTH | Requires pre-authentication |
| OK_TO_AUTH_AS_DELEGATE | Trusted to authenticate as user |
20.1.2. Setting and Removing Kerberos Flags from the Command Line
To add a flag to a principal from the command line or to remove one, pass one of the following options to the ipa service-mod command (host principals take the same options through ipa host-mod):
- --ok-as-delegate for OK_AS_DELEGATE
- --requires-pre-auth for REQUIRES_PRE_AUTH
- --ok-to-auth-as-delegate for OK_TO_AUTH_AS_DELEGATE
To add a flag, set the corresponding option to 1. For example, to add the OK_AS_DELEGATE flag to the service/ipa.example.com@EXAMPLE.COM principal:
$ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=1
To remove or disable a flag, set the corresponding option to 0. For example, to disable the REQUIRES_PRE_AUTH flag for the test/ipa.example.com@EXAMPLE.COM principal:
$ ipa service-mod test/ipa.example.com@EXAMPLE.COM --requires-pre-auth=0
20.1.3. Displaying Kerberos Flags from the Command Line
To find out whether OK_AS_DELEGATE is currently set for a principal:
- Run the kvno utility with the principal name, for example kvno service/ipa.example.com@EXAMPLE.COM, to obtain a service ticket for it in your credential cache.
- Run the klist -f command to list the cached tickets together with their flags.
OK_AS_DELEGATE is represented by the O character on the Flags line of the klist -f output:
| Kerberos flag name | Abbreviation |
|---|---|
| OK_AS_DELEGATE | O |
| REQUIRES_PRE_AUTH | A |
| OK_TO_AUTH_AS_DELEGATE | F |
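To script the klist -f check above and the kadmin.local getprinc check described next, the following added example (not from the IdM documentation or the ipa/krb5 tools) parses captured output of both commands, reports which of the three flags apply to a principal, lists principals whose REQUIRES_PRE_AUTH flag is cleared, and builds the ipa service-mod command line that corrects them. The klist and getprinc outputs embedded in it are constructed samples for the principals used in this chapter.

```python
"""Parse `klist -f` and `kadmin.local getprinc` output for Kerberos flags.

Added example, not part of the IdM documentation or of the ipa/krb5 tools.
SAMPLE_KLIST and SAMPLE_GETPRINC are constructed to resemble real output
for the principals used in this chapter.
"""
import re

# Flag letters as the page's table maps them. klist itself documents A as
# "pre-authenticated" and F as "forwardable": they describe the cached
# ticket, not the service principal's own attributes.
KLIST_LETTERS = {
    "O": "OK_AS_DELEGATE",
    "A": "REQUIRES_PRE_AUTH",
    "F": "OK_TO_AUTH_AS_DELEGATE",
}

# ipa service-mod option for each flag (section 20.1.2).
SERVICE_MOD_OPTIONS = {
    "OK_AS_DELEGATE": "--ok-as-delegate",
    "REQUIRES_PRE_AUTH": "--requires-pre-auth",
    "OK_TO_AUTH_AS_DELEGATE": "--ok-to-auth-as-delegate",
}

# Constructed: what `klist -f` could print after kinit and two kvno calls.
SAMPLE_KLIST = """\
Ticket cache: KCM:0:12345
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
05/01/2024 09:00:00  05/02/2024 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FRIA
05/01/2024 09:00:05  05/02/2024 09:00:00  service/ipa.example.com@EXAMPLE.COM
\tFlags: FRAO
05/01/2024 09:00:09  05/02/2024 09:00:00  test/ipa.example.com@EXAMPLE.COM
\tFlags: RA
"""

# Constructed: `kadmin.local getprinc <principal>` output, trimmed to a few
# lines; the Attributes line carries the principal's flags.
SAMPLE_GETPRINC = {
    "service/ipa.example.com@EXAMPLE.COM": (
        "Principal: service/ipa.example.com@EXAMPLE.COM\n"
        "Expiration date: [never]\n"
        "Maximum ticket life: 1 day 00:00:00\n"
        "Attributes: REQUIRES_PRE_AUTH OK_AS_DELEGATE\n"
        "Policy: [none]\n"
    ),
    "test/ipa.example.com@EXAMPLE.COM": (
        "Principal: test/ipa.example.com@EXAMPLE.COM\n"
        "Expiration date: [never]\n"
        "Maximum ticket life: 1 day 00:00:00\n"
        "Attributes:\n"  # REQUIRES_PRE_AUTH cleared, as in section 20.1.2
        "Policy: [none]\n"
    ),
}

# One klist entry: "<start date> <time>  <expiry date> <time>  <principal>"
# followed by an indented "Flags: <letters>" line.
TICKET_RE = re.compile(
    r"^\S+ \S+\s+\S+ \S+\s+(?P<princ>\S+)\n[ \t]*Flags: ?(?P<flags>[A-Za-z]*)$",
    re.MULTILINE,
)


def parse_klist_flags(text):
    """Map each principal in klist -f output to the flag letters on its ticket."""
    return {m.group("princ"): set(m.group("flags")) for m in TICKET_RE.finditer(text)}


def klist_flags_for(text, principal):
    """Flags (named per the page's table) on the cached ticket for principal.

    Raises KeyError when no ticket is cached, i.e. kvno was not run first.
    """
    letters = parse_klist_flags(text).get(principal)
    if letters is None:
        raise KeyError(f"no cached ticket for {principal}; run kvno {principal} first")
    return {name for letter, name in KLIST_LETTERS.items() if letter in letters}


def getprinc_attributes(text):
    """Attribute names on the Attributes line of kadmin.local getprinc output."""
    for line in text.splitlines():
        if line.startswith("Attributes:"):
            return set(line.split(":", 1)[1].split())
    raise ValueError("no Attributes line: not getprinc output")


def preauth_disabled(getprinc_by_principal):
    """Principals that hand out an AS-REP without pre-authentication.

    Their long-term key is exposed to offline brute force (section 20.1),
    so this is the list an audit should review.
    """
    return sorted(
        p for p, out in getprinc_by_principal.items()
        if "REQUIRES_PRE_AUTH" not in getprinc_attributes(out)
    )


def service_mod_argv(principal, **flags):
    """argv for `ipa service-mod` setting (True) or clearing (False) flags by name."""
    argv = ["ipa", "service-mod", principal]
    for name, value in flags.items():
        option = SERVICE_MOD_OPTIONS.get(name)
        if option is None:
            raise ValueError(f"unknown Kerberos flag {name}")
        argv.append(f"{option}={1 if value else 0}")
    return argv


if __name__ == "__main__":
    for princ, out in SAMPLE_GETPRINC.items():
        print(princ, "ticket:", sorted(klist_flags_for(SAMPLE_KLIST, princ)),
              "principal:", sorted(getprinc_attributes(out)))
    for princ in preauth_disabled(SAMPLE_GETPRINC):
        print("fix:", " ".join(service_mod_argv(princ, REQUIRES_PRE_AUTH=True)))
```

In the constructed samples the klist letters deliberately disagree with getprinc: test/ shows A although its REQUIRES_PRE_AUTH is cleared, and service/ shows F although it lacks OK_TO_AUTH_AS_DELEGATE, because pre-authenticated and forwardable are ticket properties inherited from the TGT. That is why the getprinc Attributes line, not klist, is the authoritative view of a principal's flags.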
Note that klist -f reports flags on the ticket held in the credential cache, and klist itself documents A as pre-authenticated and F as forwardable, so treat it as a quick check. To find out which flags are set on the principal itself, use the kadmin.local utility on an IdM server and run getprinc with the principal name. The current flags are displayed on the Attributes line of the kadmin.local output, for example: