Chapter 20. Managing Kerberos Flags and Principal Aliases

20.1. Kerberos Flags for Services and Hosts

You can use various Kerberos flags to define certain specific aspects of the Kerberos ticket behavior. You can add these flags to service and host Kerberos principals.
Principals in Identity Management (IdM) accept the following Kerberos flags:
Use this flag to specify Kerberos tickets trusted for delegation.
Active directory (AD) clients check the OK_AS_DELEGATE flag on the Kerberos ticket to determine whether the user credentials can be forwarded or delegated to the specific server. AD forwards the ticket-granting ticket (TGT) only to services or hosts with OK_AS_DELEGATE set. With this flag, system security services daemon (SSSD) can add the AD user TGT to the default Kerberos credentials cache on the IdM client machine.
Use this flag to specify that only pre-authenticated tickets are allowed to authenticate to the principal.
With the REQUIRES_PRE_AUTH flag set, the key distribution center (KDC) requires additional authentication: the KDC issues the TGT for a principal with REQUIRES_PRE_AUTH only if the TGT has been pre-authenticated.
You can clear REQUIRES_PRE_AUTH to disable pre-authentication for selected services or hosts, which lowers the load on the KDC but also slightly increases the possibility of a brute-force attack on a long-term key to succeed.
Use the OK_TO_AUTH_AS_DELEGATE flag to specify that the service is allowed to obtain a kerberos ticket on behalf of the user. Note, that while this is enough to perform protocol transition, in order to obtain other tickets on behalf of the user, the service needs the OK_AS_DELEGATE flag and a corresponding policy decision allowed on the key distribution center side.

20.1.1. Setting Kerberos Flags from the Web UI

  1. Select the Services subtab, accessible through the Identity main tab.
    List of Services

    Figure 20.1. List of Services

  2. Click on the service to which you want to add the flags.
  3. Check the option that you want to set. For example, to set the REQUIRES_PRE_AUTH flag, check the Requires pre-authentication option:
    Adding the REQUIRES_PRE_AUTH flag

    Figure 20.2. Adding the REQUIRES_PRE_AUTH flag

    The following table lists the names of the Kerberos flags and the corresponding name in the Web UI:

    Table 20.1. Kerberos flags' mapping in WebUI

    Kerberos flag name Web UI option
    OK_AS_DELEGATE Trusted for delegation
    REQUIRES_PRE_AUTH Requires pre-authentication
    OK_TO_AUTH_AS_DELEGATE Trusted to authenticate as user

20.1.2. Setting and Removing Kerberos Flags from the Command Line

To add a flag to a principal from the command line or to remove a flag, add one of the following options to the ipa service-mod command:
  • --ok-as-delegate for OK_AS_DELEGATE
  • --requires-pre-auth for REQUIRES_PRE_AUTH
  • --ok-to-auth-as-delegate for OK_TO_AUTH_AS_DELEGATE
To add a flag, set the corresponding option to 1. For example, to add the OK_AS_DELEGATE flag to the service/ principal:
$ ipa service-mod service/ --ok-as-delegate=1
To remove a flag or to disable it, set the corresponding option to 0. For example, to disable the REQUIRES_PRE_AUTH flag for the test/ principal:
$ ipa service-mod test/ --requires-pre-auth=0

20.1.3. Displaying Kerberos Flags from the Command Line

To find out if OK_AS_DELEGATE is currently set for a principal:
  1. Run the kvno utility.
  2. Run the klist -f command.
OK_AS_DELEGATE is represented by the O character in the klist -f output:
$ kvno test/
$ klist -f
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@EXAMPLE.COM

Valid starting		Expires			Service principal
02/19/2014 09:59:02	02/20/2014 08:21:33	test/ipa/
    Flags: FATO

Table 20.2. Abbreviations for kerberos flags

Kerberos flag name Abbreviation
To find out what flags are currently set for a principal, use the kadmin.local utility. The current flags are displayed on the Attributes line of kadmin.local output, for example:
# kadmin.local
kadmin.local: getprinc test/
Principal: test/
Expiration date: [never]
Policy: [none]