In order to allow armoring FAST for users that do not have access to a keytab it is very useful to be able to perform anonymous pkinit. At the same time though we do not want this "anonymous" user to be able to access any kerberized service. A TGS check policy in the DAL would allow us to hardcode this policy for this special principal.
Patch to KDC's ldap driver code to prevent anonymous from getting service tickets krb5-1.9-restrict-anonymous.patch
Patch was rejected upstream, however the solution for this use case will be provided in the Kerberos 1.9 release natively. We just need to configure and document it properly.
To restrict anonymous tickets to use only with FAST armor, you would set the following option in the realm or in [kdcdefaults]:
restrict_anonymous_to_tgt = true
This ticket from now on is more an install and doc ticket.
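As an added example, not code from the ticket or from FreeIPA, here is a small check that parses a kdc.conf written in krb5 profile syntax and reports whether restrict_anonymous_to_tgt is enabled for a realm, with a realm-level setting taking precedence over [kdcdefaults]; the sample configuration and realm names are constructed.

```python
import re

# Constructed sample kdc.conf: one realm restricts anonymous, the other does not.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.TEST = {
        database_module = ipadb
        restrict_anonymous_to_tgt = true
    }
    OTHER.TEST = {
        database_module = ipadb
    }
"""

# Spellings the krb5 profile code accepts as boolean true.
TRUE_VALUES = {"true", "t", "yes", "y", "1", "on"}


def parse_profile(text):
    """Parse krb5 profile syntax into nested dicts.
    [section] headers start a section; 'name = {' opens a nested block
    closed by a bare '}'; '#' starts a comment."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:          # relation outside any section: ignore
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return root


def anonymous_restricted(text, realm):
    """True if restrict_anonymous_to_tgt is on for realm, either in the
    realm block or inherited from [kdcdefaults] (realm setting wins)."""
    prof = parse_profile(text)
    defaults = prof.get("kdcdefaults", {})
    realm_cfg = prof.get("realms", {}).get(realm, {})
    value = realm_cfg.get("restrict_anonymous_to_tgt",
                          defaults.get("restrict_anonymous_to_tgt", "false"))
    return value.lower() in TRUE_VALUES


def unrestricted_realms(text):
    """Realms where anonymous principals could still obtain service tickets."""
    prof = parse_profile(text)
    return sorted(r for r in prof.get("realms", {})
                  if not anonymous_restricted(text, r))
```

Running unrestricted_realms over a KDC's kdc.conf is a quick audit that the anonymous principal is confined to armoring FAST rather than reaching kerberized services.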
Propose deferral as this problem will be solved later by MIT.
Waiting on KDC changes, not critical, deferring to January
Fixed in: abf4dde
Metadata Update from @simo: - Issue assigned to simo - Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)