In some cases an NFS client (a web server, an HPC node, a cluster, ..)
may need long term access to a secure NFS share. However, a user may not
want to have to keep logging into the server regularly just to make sure
their cron jobs don't fail.
If the machine is trusted by admins then they can give the machine
permission to perform s4u2self and then s4u2proxy operations to
impersonate users.
The new impersonate = yes option does exactly that. It uses whatever
keytab is provided in the cred_store to perform a s4u2self operation to get
a ticket to itself on behalf of the user connecting (either specified by
a trusted client or derived from the uid for allow_any_uid enabled
services), then it turns around and asks for a ticket for the target
service.
Both operations will need to be allowed by the KDC (normally neither is),
so they require the KDC admins' collaboration to allow impersonation.
These patches have been tested using manual configuration of a FreeIPA
domain to allow constrained delegation operations, however they work
only if the patch for this [1] bug is applied to the kerberos libraries.
The patch is scheduled to be released in MIT 1.11.4 and 1.12.
This resolves ticket #95.
Simo.
[1]
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7706
--
Simo Sorce * Red Hat, Inc * New York
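An added example of what a gssproxy service section using this option could look like; it is not from the patches or the message above. Only `impersonate`, `cred_store` and `allow_any_uid` are named in the message; the remaining keys (`mechs`, `cred_usage`, `euid`, `trusted`, the section name and the file paths) are assumptions based on the usual gssproxy.conf layout, and the keytab and ccache paths are placeholders. The KDC-side delegation rules that permit the S4U2Self and S4U2Proxy steps are not shown, since the message only states that they must be granted by the KDC admins.

```ini
# Example gssproxy.conf service section (constructed illustration, not
# taken from the patches). Paths and section name are placeholders.
[service/nfs-client]
  # Assumed: only the krb5 mechanism is needed for NFS.
  mechs = krb5
  # Assumed: the service initiates contexts on behalf of callers.
  cred_usage = initiate
  # Assumed: only requests arriving as this euid are served (0 = root,
  # i.e. the kernel NFS client path).
  euid = 0
  # Assumed: the caller is trusted to state the uid it acts for.
  trusted = yes
  # Named in the message: derive the user from the uid of the caller.
  allow_any_uid = yes
  # Named in the message: the keytab used for the S4U2Self request.
  cred_store = keytab:/etc/krb5.keytab
  # Assumed: per-user ccache template for the resulting credentials.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  # Named in the message: obtain user tickets via S4U2Self + S4U2Proxy.
  impersonate = yes
```

Because the keytab in `cred_store` lets this host request a ticket for any user to the target service (within whatever delegation the KDC permits), the keytab file should be readable only by the gssproxy process, and the KDC-side delegation should be scoped to just the NFS service principal rather than granted broadly.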