Search
SupportConsoleDevelopersStart a trialContact

Chapter 49. Managing Kerberos flags

download PDF

Kerberos flags are crucial for specifying authentication mechanisms, authorization levels, and security protocols within a Kerberos-enabled network environment. With Kerberos flags, you can ensure secure access control, protect against unauthorized access, and improve interoperability between different Kerberos implementations.

49.1. Kerberos flags for services and hosts

You can use various Kerberos flags to define specific aspects of the Kerberos ticket behavior. You can add these flags to service and host Kerberos principals.

Principals in Identity Management (IdM) accept the following Kerberos flags:

  • OK_AS_DELEGATE

    Use this flag to specify Kerberos tickets trusted for delegation.

    Active directory (AD) clients check the OK_AS_DELEGATE flag on the Kerberos ticket to determine whether a user credentials can be forwarded or delegated to a specific server. AD forwards the ticket-granting ticket (TGT) only to services or hosts with OK_AS_DELEGATE configured. With this flag, system security services daemon (SSSD) can add the AD user TGT to the default Kerberos credentials cache on the IdM client machine.

  • REQUIRES_PRE_AUTH

    Use this flag to specify that only pre-authenticated tickets are allowed to authenticate to a principal.

    With the REQUIRES_PRE_AUTH flag set, the key distribution center (KDC) requires additional authentication: the KDC issues the TGT for the principal with REQUIRES_PRE_AUTH only if the TGT has been pre-authenticated.

    You can clear REQUIRES_PRE_AUTH to disable pre-authentication for selected services or hosts. This lowers the load on the KDC, however slightly increases the possibility of a brute-force attack on a long-term key to succeed.

  • OK_TO_AUTH_AS_DELEGATE

    Use the OK_TO_AUTH_AS_DELEGATE flag to specify that the service is allowed to obtain a Kerberos ticket on behalf of a user. Note, that for obtaining other tickets on behalf of the user, the service needs the OK_AS_DELEGATE flag and a corresponding policy decision allowed on the key distribution center side.

49.2. Setting Kerberos flags from the Web UI

You can set a Kerberos flags by using the IdM Web UI. The following procedure sets the Kerberos flag to a principal.

Procedure

  1. Select Identity Services in the menu.

    List of services

  2. Click on the service to which you want to add the flags.

  3. Check the option that you want to set:

    • To set the OK_AS_DELEGATE flag, check Trusted for delegation.
    • To set the REQUIRES_PRE_AUTH flag, check Requires pre-authentication.
    • To set the OK_TO_AUTH_AS_DELEGATE flag, check Trusted to authenticate as user.

49.3. Setting and removing Kerberos flags from the command line

You can add or remove a Kerberos flag by using the command line. The ipa service-mod command uses the following command options for the flags:

  • --ok-as-delegate for OK_AS_DELEGATE
  • --requires-pre-auth for REQUIRES_PRE_AUTH
  • --ok-to-auth-as-delegate for OK_TO_AUTH_AS_DELEGATE

By setting an option value to 1, you enable a flag for a principle. By setting an option value to 0, you disable the flag.

The following procedure enables and disables the OK_AS_DELEGATE flag for the service/ipa.example.com@example.com principal.

Procedure

  • To add the OK_AS_DELEGATE flag for the service/ipa.example.com@example.com principle, run: 

    $ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=1

  • To remove the OK_AS_DELEGATE flag from the service/ipa.example.com@example.com principle, run: 

    $ ipa service-mod service/ipa.example.com@EXAMPLE.COM --ok-as-delegate=0

49.4. Displaying Kerberos flags from the command line

You can display Kerberos flag setting by using the command line. The following procedure displays the OK_AS_DELEGATE flag for the demo/ipa.example.com@EXAMPLE.COM principal.

Procedure

To find out if OK_AS_DELEGATE is set for a principal:

  1. Run the kvno utility: 

    $ kvno demo/ipa.example.com@EXAMPLE.COM

  2. To display the flag setting, run the klist -f command. The 0 character means that the OK_AS_DELEGATE flag is disabled: 

    $ klist -f
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting		Expires			Service principal
02/19/2024 09:59:02	02/20/2024 08:21:33	demo/ipa/example.com@EXAMPLE.COM
    Flags: FATO
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.