In our setup, a service is running on some server machine, say,
"sample/servername.domain" and a client for that service is
running on a workstation (using the sample gssapi client and
server code from the kerberos sources). Now, what is the proper
way to do this in freeipa?

1. Allow users foo and bar to log in to the workstation but to no
   other machine of the kerberos realm.
2. Deny access to sample/servername.domain from any host except
   from the workstation.
3. Allow user foo access to the service.
4. Deny user bar access to the service.
5. Deny both users access to anything else on the server.

I don't quite understand how that fits into chapter 10/19 or 31 of
the "Linux Domain Identity, Authentication, and Policy Guide" for
RHEL 7. Chapter 10 deals with access to freeipa internal
objects, and chapter 31 describes host based access control. But
how is access control done for someuser@clientmachine ->
service@servermachine?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt