Hi Greg,
An official reply form IPA dev's might indeed be useful here.I've been at this as well for a while now, and managed to make it work for my NFS needs (automounting user homes with password-less logons).
$ ipa servicedelegationrule-show ipa-nfs-delegationDelegation name: ipa-nfs-delegationAllowed Target: ipa-nfs-delegation-targetsMember principals: host/nfsclient.dom.com@DOM.COM
$ ipa servicedelegationtarget-show ipa-nfs-delegation-targetsDelegation name: ipa-nfs-delegation-targetsMember principals: nfs/nfsserver.dom.com@DOM.COM
Only niggle here is IPA CLI didn't let me add "host/..." principal to the rule, or perhaps there's a default LDAP ACI of some sort and it requires a privilege/permission to be granted. The "ipa servicedelegationrule-add-member ..." command simply says "no such entry" for "host/..." type principals. Maybe IPA folks can comment.
I didn't want to resort to this trickery, turns out there's no reason at all to use host/, you can create a nfs-client service, and use this.I force added it to the delegation rule via LDAP instead using this ldif:
dn: cn=ipa-nfs-delegation,cn=s4u2proxy,cn=etc,dc=dom,dc=comchangetype: modifyadd: memberPrincipalmemberPrincipal: host/nfsclient.dom.com@DOM.COM
not needed, we did this for the serviceThe "nfs/..." principal can be added using CLI "ipa servicedelegationtarget-add-member ..." just fine.
3. Allow the "nfsclient" host to impersonate users:
$ ipa host-mod nfsclient.dom.com --ok-to-auth-as-delegate=true
change
4. On the "nfsclient" machine, add "impersonate = true" line in the "[service/nfs-client]" section of /etc/gssproxy/gssproxy.conf.
worked for me, thx!
5. Restart nfs/gssproxy/rpc services on client and server (it's probably just gssproxy on the client that needs a kick, but just to be sure). I was also religiously doing "sss_cache -E" for good measure, unmounting anything that got mounted, and clearing /var/lib/gssproxy/clients of all caches, to start as cleanly before each attempt at user logon. Obv make sure the user does not have an existing/valid ticket in their own cache ("kdestroy -A" as the user), otherwise it'll just mount successfully without delegation.
I think that's it, I've messed about with the config for a long time and in many places, so there's a small chance there's something else that I did and don't remember. Gssproxy config on "nfsserver" is vanilla, as are my sssd.confs and krb5.confs on both machines, can't think of much else that I might've changed for now.
according to https://lists.fedorahosted.org/archives/list/gss-proxy@lists.fedorahosted.org/thread/76QKLXFOOM5YBGKPY23V5C2GDTAUTU35/
So my IPA automount config now mounts users' home dirs on the "nfsclient", without any tickets or keytabs from users.
There's also a "krb5_principal" option available in gssproxy.conf - I tried to set that to "nfs/nfsclient@DOM.COM" in "[service/nfs-client]" section on the "nfsclient" machine, to try and force gssproxy to use that principal instead of "host/...", but it didn't seem to work, gssproxy defaults to "host/...". Possibly mis-understanding what this option is for, and possibly "host/..." is the safer/standard option? I'm assuming it's default for a reason, or maybe just operational convenience (not having to pollute /etc/krb5.keytabs with more principals than necessary).
Hope this helps.
--Thanks,
Greg Kubok.