10:46 a.m.
On to, 01 loka 2020, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to set this flag by default for all new IPA hosts?
I checked the code and there is no way to set it by default. You have to
explicitly specify --ok-as-delegate=true when adding hosts and services.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
10:58 a.m.
On 01.10.20 17:46, Alexander Bokovoy wrote:
On to, 01 loka 2020, Ronald Wimmer via FreeIPA-users wrote:
> Is it possible to set this flag by default for all new IPA hosts?
I checked the code and there is no way to set it by default. You have to
explicitly specify --ok-as-delegate=true when adding hosts and services.
Host are added and enrolled by issuing the ipa-client-install command
which does not seem to have a flag for this. So my only chance is to do
a host-mod afterwards?
Cheers,
Ronald
11:10 a.m.
On to, 01 loka 2020, Ronald Wimmer via FreeIPA-users wrote:
On 01.10.20 17:46, Alexander Bokovoy wrote:
>On to, 01 loka 2020, Ronald Wimmer via FreeIPA-users wrote:
>>Is it possible to set this flag by default for all new IPA hosts?
>
>I checked the code and there is no way to set it by default. You have to
>explicitly specify --ok-as-delegate=true when adding hosts and services.
Host are added and enrolled by issuing the ipa-client-install command
which does not seem to have a flag for this. So my only chance is to
do a host-mod afterwards?
Yes, without modifications.
Alternatively, you can add a small plugin that modifies default flags
for both services and hosts.
# cat /usr/lib/python3.8/site-packages/ipaserver/plugins/service_change_defaults.py
from . import service
service._ticket_flags_default |= service._ticket_flags_map['ipakrbokasdelegate']
# systemctl restart httpd
# kinit admin
Password for admin(a)IPA.TEST:
# ipa dnsrecord-add ipa.test client --a-rec 10.10.10.10
Record name: client
A record: 10.10.10.10
# ipa host-add client.ipa.test
----------------------------
Added host "client.ipa.test"
----------------------------
Host name: client.ipa.test
Principal name: host/client.ipa.test(a)IPA.TEST
Principal alias: host/client.ipa.test(a)IPA.TEST
Password: False
Keytab: False
Managed by: client.ipa.test
# ipa host-show client.ipa.test --all|grep Trusted
Trusted for delegation: True
Trusted to authenticate as user: False
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4:05 a.m.
On 01.10.20 18:10, Alexander Bokovoy wrote:
On to, 01 loka 2020, Ronald Wimmer via FreeIPA-users wrote:
> On 01.10.20 17:46, Alexander Bokovoy wrote:
>> On to, 01 loka 2020, Ronald Wimmer via FreeIPA-users wrote:
>>> Is it possible to set this flag by default for all new IPA hosts?
>>
>> I checked the code and there is no way to set it by default. You have to
>> explicitly specify --ok-as-delegate=true when adding hosts and services.
>
> Host are added and enrolled by issuing the ipa-client-install command
> which does not seem to have a flag for this. So my only chance is to
> do a host-mod afterwards?
Yes, without modifications.
Alternatively, you can add a small plugin that modifies default flags
for both services and hosts.
[..]
Thanks. That sounds interesting. I havent written an IPA plugin so far
but I will definitely do so now.
Cheers,
Ronald
4:24 p.m.
On Thu, Oct 1, 2020 at 12:59 PM Ronald Wimmer via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
On 01.10.20 17:46, Alexander Bokovoy wrote:
> On to, 01 loka 2020, Ronald Wimmer via FreeIPA-users wrote:
>> Is it possible to set this flag by default for all new IPA hosts?
>
> I checked the code and there is no way to set it by default. You have to
> explicitly specify --ok-as-delegate=true when adding hosts and services.
Host are added and enrolled by issuing the ipa-client-install command
which does not seem to have a flag for this. So my only chance is to do
a host-mod afterwards?
If you are willing to use Ansible, with ansible-freeipa you can use a
playbook like:
```
- name: Add hosts
hosts: ipaserver
tasks:
- name: Add host with ok_as_delegate.
ipahost:
ipaadmin_password: SomeADMINpassword
name: client.ipa.test
ip_address: 10.10.10.10
update_dns: yes
ok_as_delegate: yes
```
After that:
# ipa host-show client --all | grep Trusted
Trusted for delegation: True
Trusted to authenticate as user: False
Rafael
--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
1295
days inactive
1296
days old
freeipa-users@lists.fedorahosted.org
5 comments
3 participants
participants (3)
-
Alexander Bokovoy -
Rafael Jeffman -
Ronald Wimmer