Is it possible to set this flag by default for all new IPA hosts?
Cheers, Ronald
On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to set this flag by default for all new IPA hosts?
I checked the code and there is no way to set it by default. You have to explicitly specify --ok-as-delegate=true when adding hosts and services.
On 01.10.20 17:46, Alexander Bokovoy wrote:
On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to set this flag by default for all new IPA hosts?
I checked the code and there is no way to set it by default. You have to explicitly specify --ok-as-delegate=true when adding hosts and services.
Hosts are added and enrolled by issuing the ipa-client-install command which does not seem to have a flag for this. So my only chance is to do a host-mod afterwards?
Cheers, Ronald
On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
On 01.10.20 17:46, Alexander Bokovoy wrote:
On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to set this flag by default for all new IPA hosts?
I checked the code and there is no way to set it by default. You have to explicitly specify --ok-as-delegate=true when adding hosts and services.
Hosts are added and enrolled by issuing the ipa-client-install command which does not seem to have a flag for this. So my only chance is to do a host-mod afterwards?
Yes, without modifications.
Alternatively, you can add a small plugin that modifies default flags for both services and hosts.
```
# cat /usr/lib/python3.8/site-packages/ipaserver/plugins/service_change_defaults.py
from . import service

service._ticket_flags_default |= service._ticket_flags_map['ipakrbokasdelegate']

# systemctl restart httpd
# kinit admin
Password for admin@IPA.TEST:
# ipa dnsrecord-add ipa.test client --a-rec 10.10.10.10
  Record name: client
  A record: 10.10.10.10
# ipa host-add client.ipa.test
----------------------------
Added host "client.ipa.test"
----------------------------
  Host name: client.ipa.test
  Principal name: host/client.ipa.test@IPA.TEST
  Principal alias: host/client.ipa.test@IPA.TEST
  Password: False
  Keytab: False
  Managed by: client.ipa.test
# ipa host-show client.ipa.test --all|grep Trusted
  Trusted for delegation: True
  Trusted to authenticate as user: False
```
On 01.10.20 18:10, Alexander Bokovoy wrote:
On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
On 01.10.20 17:46, Alexander Bokovoy wrote:
On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to set this flag by default for all new IPA hosts?
I checked the code and there is no way to set it by default. You have to explicitly specify --ok-as-delegate=true when adding hosts and services.
Hosts are added and enrolled by issuing the ipa-client-install command which does not seem to have a flag for this. So my only chance is to do a host-mod afterwards?
Yes, without modifications.
Alternatively, you can add a small plugin that modifies default flags for both services and hosts. [..]
Thanks. That sounds interesting. I haven't written an IPA plugin so far but I will definitely do so now.
Cheers, Ronald
On Thu, Oct 1, 2020 at 12:59 PM Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 01.10.20 17:46, Alexander Bokovoy wrote:
On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
Is it possible to set this flag by default for all new IPA hosts?
I checked the code and there is no way to set it by default. You have to explicitly specify --ok-as-delegate=true when adding hosts and services.
Hosts are added and enrolled by issuing the ipa-client-install command which does not seem to have a flag for this. So my only chance is to do a host-mod afterwards?
If you are willing to use Ansible, with ansible-freeipa you can use a playbook like:
```yaml
- name: Add hosts
  hosts: ipaserver

  tasks:
  - name: Add host with ok_as_delegate.
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: client.ipa.test
      ip_address: 10.10.10.10
      update_dns: yes
      ok_as_delegate: yes
```
After that:
```
# ipa host-show client --all | grep Trusted
  Trusted for delegation: True
  Trusted to authenticate as user: False
```
Rafael