Description
Configure chosen Kerberos flags with FreeIPA CLI.
Setup
- Install FreeIPA server (see QA:Testcase_freeipav3_installation)
How to test
Authenticate as admin:
user@server$ kinit admin
Password for admin@IPA.EXAMPLE.ORG:
Acquire Kerberos host ticket for the server:
user@server$ kvno host/server.ipa.example.org
host/server.ipa.example.org@IPA.EXAMPLE.ORG: kvno = 2
List Kerberos tickets including flags:
user@server$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@IPA.EXAMPLE.ORG
Valid starting Expires Service principal
04/09/13 14:23:23 04/10/13 14:23:21 krbtgt/IPA.EXAMPLE.ORG@IPA.EXAMPLE.ORG
Flags: FIA
04/09/13 14:23:37 04/10/13 14:23:21 host/server.ipa.example.org@IPA.EXAMPLE.ORG
Flags: FAT
The "Flags" field of "host/server.ipa.example.org@IPA.EXAMPLE.ORG" should not include the "O" flag (uppercase O - OK_AS_DELEGATE).
Use IPA CLI to set the OK_AS_DELEGATE flag on the host:
user@server$ ipa host-mod server.ipa.example.org --ok-as-delegate 1
-------------------------------------------------
Modified host "server.ipa.example.org"
-------------------------------------------------
Host name: server.ipa.example.org
Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
Trusted for delegation: True
Password: False
Keytab: True
Managed by: server.ipa.example.org
Destroy Kerberos tickets:
user@server$ kdestroy
Authenticate as admin:
user@server$ kinit admin
Password for admin@IPA.EXAMPLE.ORG:
Acquire Kerberos host ticket for the server:
user@server$ kvno host/server.ipa.example.org
host/server.ipa.example.org@IPA.EXAMPLE.ORG: kvno = 2
List Kerberos tickets including flags:
user@server$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@IPA.EXAMPLE.ORG
Valid starting Expires Service principal
04/09/13 14:29:28 04/10/13 14:29:26 krbtgt/IPA.EXAMPLE.ORG@IPA.EXAMPLE.ORG
Flags: FIA
04/09/13 14:29:58 04/10/13 14:29:26 host/server.ipa.example.org@IPA.EXAMPLE.ORG
Flags: FATO
The "Flags" field of "host/server.ipa.example.org@IPA.EXAMPLE.ORG" should include the "O" flag now.
Use kadmin.local to clear the OK_AS_DELEGATE flag of the host:
root@server# kadmin.local -q "modify_principal -ok_as_delegate host/server.ipa.example.org"
Authenticating as principal root/admin@IPA.EXAMPLE.ORG with password.
Principal "host/server.ipa.example.org@IPA.EXAMPLE.ORG" modified.
Check that the flag was cleared in IPA CLI:
user@server$ ipa host-show server.ipa.example.org --all
dn: fqdn=server.ipa.example.org,cn=computers,cn=accounts,dc=ipa,dc=example,dc=org
Host name: server.ipa.example.org
Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
Requires pre-authentication: True
Trusted for delegation: False
Password: False
Keytab: True
Managed by: server.ipa.example.org
Managing: server.ipa.example.org
cn: server.ipa.example.org
ipauniqueid: 2f035768-a04d-11e2-a364-001a4a220470
krbextradata: AAJfCmRRcm9vdC9hZG1pbkBET00tMDczLklETS5MQUIuRU5HLkJSUS5SRURIQVQuQ09NAA==
krblastpwdchange: 20130408130653Z
krblastsuccessfulauth: 20130409121123Z
krbticketflags: 128
objectclass: top, ipaobject, nshost, ipahost, ipaservice, pkiuser, krbprincipalaux, krbprincipal, krbticketpolicyaux, ieee802device
serverhostname: server
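The two checks the steps above make by eye (whether the host ticket's "Flags" field in klist -f contains "O", and whether the krbticketflags value from ipa host-show still has the OK_AS_DELEGATE bit) as an added shell example; it is not part of the test case. The klist output it parses is constructed to match the layout shown above, and the bit values are the MIT krb5 KDB attribute constants from kdb.h.

```shell
#!/bin/sh
# Added example, not part of the test case: automate the flag checks the test
# makes by eye. The klist output below is constructed to match the test.

# Print the Flags string of the ticket for one service principal.
# Usage: ticket_flags "<klist -f output>" "<service principal>"
ticket_flags() {
    printf '%s\n' "$1" | awk -v princ="$2" '
        $NF == princ { hit = 1; next }            # ticket line for our principal
        hit && $1 == "Flags:" { print $2; exit }  # its Flags line follows it
        { hit = 0 }
    '
}

# Succeed (exit 0) only if that ticket carries the flag letter, e.g. "O".
# Usage: ticket_has_flag "<klist -f output>" "<service principal>" "<letter>"
ticket_has_flag() {
    case "$(ticket_flags "$1" "$2")" in
        *"$3"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Decode the krbticketflags value printed by `ipa host-show --all`: it holds
# the MIT krb5 KDB attribute bits (kdb.h): KRB5_KDB_REQUIRES_PRE_AUTH is 0x80
# and KRB5_KDB_OK_AS_DELEGATE is 0x100000 (1048576). The value 128 seen after
# kadmin.local cleared the flag is therefore "pre-auth required" only.
krbticketflags_ok_as_delegate() {
    [ $(( $1 & 1048576 )) -ne 0 ]
}

# Constructed klist -f output in the layout the test shows, before and after
# `ipa host-mod --ok-as-delegate 1` (the "after" copy gains the O flag).
HOST_PRINC='host/server.ipa.example.org@IPA.EXAMPLE.ORG'
KLIST_BEFORE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@IPA.EXAMPLE.ORG

Valid starting       Expires              Service principal
04/09/13 14:23:23  04/10/13 14:23:21  krbtgt/IPA.EXAMPLE.ORG@IPA.EXAMPLE.ORG
    Flags: FIA
04/09/13 14:23:37  04/10/13 14:23:21  host/server.ipa.example.org@IPA.EXAMPLE.ORG
    Flags: FAT'
KLIST_AFTER=$(printf '%s\n' "$KLIST_BEFORE" | sed 's/^\(.*Flags: FAT\)$/\1O/')

ticket_has_flag "$KLIST_BEFORE" "$HOST_PRINC" O && echo "before: O set (unexpected)"
ticket_has_flag "$KLIST_AFTER"  "$HOST_PRINC" O && echo "after: O set (expected)"
```

On a live system replace the constructed strings with `KLIST="$(klist -f)"` and the krbticketflags value from `ipa host-show --all`.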
Expected Results
All the test steps should end with the specified results.