Bug 1419602

Summary: Kerberos flags section outdated
Product: Red Hat Enterprise Linux 7
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.3
Reporter: Aneta Šteflová Petrová <apetrova>
Assignee: Lucie Vařáková <lmanasko>
QA Contact: Namita Soman <nsoman>
CC: abokovoy, lmanasko, pvoborni, rhel-docs
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Keywords: Documentation, EasyFix
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2018-06-27 09:14:39 UTC

Description Aneta Šteflová Petrová 2017-02-06 15:12:07 UTC
Section 28.4.1. Setting Kerberos Flags from the Web UI [1] reads:

"From the IdM web UI, you can currently only add the OK_AS_DELEGATE flag to a principal:"

This is no longer true. The other flag (REQUIRES_PRE_AUTH) is now also available in the web UI.

We need to review the Kerberos flags content and make sure it's up-to-date.

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/kerberos-flags-services-hosts.html#kerberos-flags-ui

Comment 3 Petr Vobornik 2018-02-07 16:22:10 UTC
IPA has 3 Kerberos ticket flags for services:

From code:
from ipalib import Bool, _  # Bool parameter type and gettext helper, as used by IPA plugins

# Each flag is a virtual attribute: it is not stored under its own name but
# derived from bits of the entry's krbTicketFlags attribute (see the map below).
# 'no_search' keeps the flag out of the search filters.
ticket_flags_params = (
    Bool('ipakrbrequirespreauth?',
        cli_name='requires_pre_auth',
        label=_('Requires pre-authentication'),
        doc=_('Pre-authentication is required for the service'),
        flags=['virtual_attribute', 'no_search'],
    ),
    Bool('ipakrbokasdelegate?',
        cli_name='ok_as_delegate',
        label=_('Trusted for delegation'),
        doc=_('Client credentials may be delegated to the service'),
        flags=['virtual_attribute', 'no_search'],
    ),
    Bool('ipakrboktoauthasdelegate?',
        cli_name='ok_to_auth_as_delegate',
        label=_('Trusted to authenticate as user'),
        doc=_('The service is allowed to authenticate on behalf of a client'),
        flags=['virtual_attribute', 'no_search'],
    ),
)

# Bit mask of krbTicketFlags that backs each virtual attribute.
_ticket_flags_map = {
    'ipakrbrequirespreauth': 0x00000080,
    'ipakrbokasdelegate': 0x00100000,
    'ipakrboktoauthasdelegate': 0x00200000,
}


In CLI help it looks like:

  --requires-pre-auth=BOOL
                        Pre-authentication is required for the service
  --ok-as-delegate=BOOL
                        Client credentials may be delegated to the service
  --ok-to-auth-as-delegate=BOOL
                        The service is allowed to authenticate on behalf of a
                        client

Documentation doesn't list ok-to-auth-as-delegate. The Web UI screenshot shows only 1 krb flag. So the screenshot should be updated.

SME for description or purpose of the third flag is Alexander.

Same flags can be set also for host objects.
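The mapping in the comment above, worked through as an added example (editor's code, not IPA's and not part of the bug comments): it turns a krbTicketFlags value into the three boolean virtual attributes and applies a change back to the stored integer without touching any other bit. The bit values are the ones in _ticket_flags_map, which are the same KRB5_KDB_REQUIRES_PRE_AUTH, KRB5_KDB_OK_AS_DELEGATE and KRB5_KDB_OK_TO_AUTH_AS_DELEGATE bits MIT Kerberos defines for principal attributes. The function names and the entry shape (a dict of attribute name to a list of string values) are assumptions made for the example.

```python
# Added example, not code from IPA or from the bug comments: decode and
# update the three Kerberos ticket flags that IPA exposes as virtual
# attributes on service and host entries. Bit values are taken from
# IPA's _ticket_flags_map and match MIT Kerberos's KRB5_KDB_* bits.

TICKET_FLAGS = {
    'ipakrbrequirespreauth': 0x00000080,     # KRB5_KDB_REQUIRES_PRE_AUTH
    'ipakrbokasdelegate': 0x00100000,        # KRB5_KDB_OK_AS_DELEGATE
    'ipakrboktoauthasdelegate': 0x00200000,  # KRB5_KDB_OK_TO_AUTH_AS_DELEGATE
}


def krbticketflags_from_entry(entry):
    """Read krbTicketFlags from an LDAP entry represented as a dict of
    attribute name -> list of string values (assumed shape, as a generic
    LDAP client would return it). A missing attribute means no bits set."""
    values = entry.get('krbticketflags') or ['0']
    return int(values[0])


def decode_ticket_flags(krbticketflags):
    """Map a krbTicketFlags integer to the three boolean virtual attributes.
    Other KDC-internal bits may be present in the integer; they are simply
    not reported, as a virtual attribute only reflects its own mask."""
    return {name: bool(krbticketflags & mask)
            for name, mask in TICKET_FLAGS.items()}


def update_ticket_flags(krbticketflags, **changes):
    """Return a new krbTicketFlags value with the named attributes set
    (True) or cleared (False). Bits not named in TICKET_FLAGS are preserved,
    so changing one flag never disturbs the KDC's other settings. An unknown
    name raises KeyError instead of being ignored, so a typo cannot leave
    REQUIRES_PRE_AUTH silently unchanged."""
    for name, value in changes.items():
        mask = TICKET_FLAGS[name]
        if value:
            krbticketflags |= mask
        else:
            krbticketflags &= ~mask
    return krbticketflags


if __name__ == '__main__':
    # Constructed sample entry: REQUIRES_PRE_AUTH (0x80) plus one unrelated
    # KDC bit (0x100) that must survive any update.
    entry = {'krbticketflags': ['384']}  # 384 == 0x180
    flags = krbticketflags_from_entry(entry)
    print(hex(flags), decode_ticket_flags(flags))
    flags = update_ticket_flags(flags, ipakrbokasdelegate=True)
    print(hex(flags), decode_ticket_flags(flags))
```

The point worth keeping in mind when the three CLI options or the Web UI checkboxes are used: they all write the same krbTicketFlags attribute, so anything that edits that attribute directly has to read-modify-write it. Deleting the attribute to switch off OK_AS_DELEGATE would also drop REQUIRES_PRE_AUTH on that principal.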