
Description

Configure selected Kerberos ticket flags (here OK_AS_DELEGATE on a host principal) with the FreeIPA CLI, and verify the result with klist, kadmin.local and ipa host-show.

Setup

  1. Install FreeIPA server (see QA:Testcase_freeipav3_installation)

How to test

Authenticate as admin:

user@server$ kinit admin
Password for admin@IPA.EXAMPLE.ORG: 

Acquire a service ticket for the server's host principal:

user@server$ kvno host/server.ipa.example.org
host/server.ipa.example.org@IPA.EXAMPLE.ORG: kvno = 2

List Kerberos tickets including flags:

user@server$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@IPA.EXAMPLE.ORG

Valid starting     Expires            Service principal
04/09/13 14:23:23  04/10/13 14:23:21  krbtgt/IPA.EXAMPLE.ORG@IPA.EXAMPLE.ORG
	Flags: FIA
04/09/13 14:23:37  04/10/13 14:23:21  host/server.ipa.example.org@IPA.EXAMPLE.ORG
	Flags: FAT

The "Flags" field of "host/server.ipa.example.org@IPA.EXAMPLE.ORG" should not include the "O" flag (uppercase O, OK_AS_DELEGATE). This flag in a service ticket tells the client that the KDC considers the service a suitable recipient of forwarded credentials, so Kerberos-aware clients (for example ssh with credential delegation enabled) may hand the user's TGT to that host; it should only ever be set on hosts trusted with users' credentials, and a freshly installed server should not have it.

Use the IPA CLI to set the OK_AS_DELEGATE flag on the host entry (the CLI reports it as "Trusted for delegation"):

user@server$ ipa host-mod server.ipa.example.org --ok-as-delegate 1
-------------------------------------------------
Modified host "server.ipa.example.org"
-------------------------------------------------
  Host name: server.ipa.example.org
  Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
  Trusted for delegation: True
  Password: False
  Keytab: True
  Managed by: server.ipa.example.org

Destroy the cached Kerberos tickets. The KDC sets ticket flags at issuance, so a ticket already in the cache keeps its old flags and a fresh one has to be requested:

user@server$ kdestroy

Authenticate as admin:

user@server$ kinit admin
Password for admin@IPA.EXAMPLE.ORG:

Acquire a new service ticket for the server's host principal:

user@server$ kvno host/server.ipa.example.org
host/server.ipa.example.org@IPA.EXAMPLE.ORG: kvno = 2

List Kerberos tickets including flags:

user@server$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@IPA.EXAMPLE.ORG

Valid starting     Expires            Service principal
04/09/13 14:29:28  04/10/13 14:29:26  krbtgt/IPA.EXAMPLE.ORG@IPA.EXAMPLE.ORG
	Flags: FIA
04/09/13 14:29:58  04/10/13 14:29:26  host/server.ipa.example.org@IPA.EXAMPLE.ORG
	Flags: FATO

The "Flags" field of "host/server.ipa.example.org@IPA.EXAMPLE.ORG" should now include the "O" flag.

Use kadmin.local (as root on the server) to clear the OK_AS_DELEGATE flag of the host; the IPA KDB backend writes the change to the same LDAP entry the IPA CLI manages:

root@server# kadmin.local -q "modify_principal -ok_as_delegate host/server.ipa.example.org"
Authenticating as principal root/admin@IPA.EXAMPLE.ORG with password.
Principal "host/server.ipa.example.org@IPA.EXAMPLE.ORG" modified.

Check with the IPA CLI that the flag was cleared. "Trusted for delegation" should be False, and krbticketflags should no longer have the OK_AS_DELEGATE bit (0x00100000) set; the remaining value 128 (0x80) is KRB5_KDB_REQUIRES_PRE_AUTH, which matches "Requires pre-authentication: True":

user@server$ ipa host-show server.ipa.example.org --all
  dn: fqdn=server.ipa.example.org,cn=computers,cn=accounts,dc=ipa,dc=example,dc=org
  Host name: server.ipa.example.org
  Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
  Requires pre-authentication: True
  Trusted for delegation: False
  Password: False
  Keytab: True
  Managed by: server.ipa.example.org
  Managing: server.ipa.example.org
  cn: server.ipa.example.org
  ipauniqueid: 2f035768-a04d-11e2-a364-001a4a220470
  krbextradata: AAJfCmRRcm9vdC9hZG1pbkBET00tMDczLklETS5MQUIuRU5HLkJSUS5SRURIQVQuQ09NAA==
  krblastpwdchange: 20130408130653Z
  krblastsuccessfulauth: 20130409121123Z
  krbticketflags: 128
  objectclass: top, ipaobject, nshost, ipahost, ipaservice, pkiuser, krbprincipalaux, krbprincipal, krbticketpolicyaux, ieee802device
  serverhostname: server
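The three checks this test case makes by eye (the "O" flag in klist -f output, the "Trusted for delegation" line, and the krbticketflags bitmask in ipa host-show --all output) can be scripted. The POSIX shell helpers below are an added example and are not part of the Fedora wiki test case or of FreeIPA. The klist and host-show sample text embedded in them is constructed to mirror the output above; the value 1048704 is an assumed krbticketflags value for a host with only REQUIRES_PRE_AUTH (0x80) and OK_AS_DELEGATE (0x00100000) set, which the page does not show. The bit values are the MIT krb5 KDB flag constants from kdb.h; bits not listed are left undecoded.

```shell
#!/bin/sh
# Added example for the FreeIPA OK_AS_DELEGATE test case; not code from the
# Fedora wiki page or from FreeIPA. Automates the checks the page does by eye.

# has_ticket_flag PRINCIPAL FLAG   (reads `klist -f` output on stdin)
# Prints "yes" if the cached ticket for PRINCIPAL carries FLAG (e.g. O for
# OK_AS_DELEGATE), "no" if it does not, "absent" if no such ticket is cached.
has_ticket_flag() {
    awk -v p="$1" -v f="$2" '
        /^[ \t]/ {                      # indented continuation line of a ticket
            if (want && match($0, /Flags: [A-Za-z]*/)) {
                flags = substr($0, RSTART + 7, RLENGTH - 7)
                r = index(flags, f) ? "yes" : "no"
                print r; found = 1; exit
            }
            next
        }
        { want = ($NF == p) }           # ticket line: last field is the service principal
        END { if (!found) print "absent" }'
}

# decode_krbticketflags N
# Prints the MIT krb5 KDB flag names set in N, the integer FreeIPA stores in
# the krbticketflags attribute of a principal (bit values from MIT krb5 kdb.h).
decode_krbticketflags() {
    n="$1"; out=""
    for pair in 1:DISALLOW_POSTDATED 2:DISALLOW_FORWARDABLE 4:DISALLOW_TGT_BASED \
                8:DISALLOW_RENEWABLE 16:DISALLOW_PROXIABLE 32:DISALLOW_DUP_SKEY \
                64:DISALLOW_ALL_TIX 128:REQUIRES_PRE_AUTH 256:REQUIRES_HW_AUTH \
                512:REQUIRES_PWCHANGE 4096:DISALLOW_SVR 8192:PWCHANGE_SERVICE \
                1048576:OK_AS_DELEGATE 2097152:OK_TO_AUTH_AS_DELEGATE; do
        bit="${pair%%:*}"; name="${pair#*:}"
        if [ $(( n & bit )) -ne 0 ]; then out="$out $name"; fi
    done
    printf '%s\n' "${out# }"
}

# host_ok_as_delegate   (reads `ipa host-show FQDN --all` output on stdin)
# Prints "yes"/"no" according to the OK_AS_DELEGATE bit (0x00100000) of
# krbticketflags, or "unknown" if the attribute is not in the output.
host_ok_as_delegate() {
    n=$(awk '$1 == "krbticketflags:" { print $2; exit }')
    if [ -z "$n" ]; then printf 'unknown\n'; return 0; fi
    if [ $(( n & 1048576 )) -ne 0 ]; then printf 'yes\n'; else printf 'no\n'; fi
}

# Constructed sample output, mirroring the page's `klist -f` listing after the
# flag was set and its `ipa host-show --all` listing after it was cleared.
KLIST_SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@IPA.EXAMPLE.ORG

Valid starting     Expires            Service principal
04/09/13 14:29:28  04/10/13 14:29:26  krbtgt/IPA.EXAMPLE.ORG@IPA.EXAMPLE.ORG
	Flags: FIA
04/09/13 14:29:58  04/10/13 14:29:26  host/server.ipa.example.org@IPA.EXAMPLE.ORG
	Flags: FATO'

HOSTSHOW_SAMPLE='  Host name: server.ipa.example.org
  Principal name: host/server.ipa.example.org@IPA.EXAMPLE.ORG
  Trusted for delegation: False
  krbticketflags: 128'

printf '%s\n' "$KLIST_SAMPLE" | has_ticket_flag host/server.ipa.example.org@IPA.EXAMPLE.ORG O   # yes
printf '%s\n' "$KLIST_SAMPLE" | has_ticket_flag krbtgt/IPA.EXAMPLE.ORG@IPA.EXAMPLE.ORG O        # no
printf '%s\n' "$HOSTSHOW_SAMPLE" | host_ok_as_delegate                                          # no
decode_krbticketflags 128        # REQUIRES_PRE_AUTH
decode_krbticketflags 1048704    # REQUIRES_PRE_AUTH OK_AS_DELEGATE (assumed value, O bit set)
```

On a live server the same helpers take real output: "klist -f | has_ticket_flag host/server.ipa.example.org@IPA.EXAMPLE.ORG O" should print "no" before the host-mod step and "yes" after it, and "ipa host-show server.ipa.example.org --all | host_ok_as_delegate" should print "no" again after the kadmin.local step.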

Expected Results

All the test steps should end with the specified results.