On 2017-05-29 09:45, Sumit Bose via FreeIPA-users wrote:
> On Sat, May 27, 2017 at 05:46:57PM +0200, Ronald Wimmer via FreeIPA-users wrote:
>> On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
>>> [...]
>>> Did you ‘Allow GSSAPI credential delegation’ in the putty configuration?
>>> Additionally the internal Windows Kerberos handling only allows
>>> delegation to hosts which have the ok-to-delegate flag set in the
>>> Kerberos service ticket.
>>> Please check with 'ipa host-show hostname' if 'Trusted for delegation:
>>> True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
>> Setting the flag solved the problem. Thanks a lot.
>> Can this flag be set by default for new hosts?
> As far as I know IPA does not offer such an option. Imo it would not be
> a good idea to enable it by default. Since delegation means that your
> full TGT is forwarded the target host should really be trusted because
> otherwise someone with e.g. physical access to the host might be able to
> steal the TGT and use it as long as the ticket is valid.

What other options do I have if I want users connecting from Windows to
be able to use automounted home directories?

