On Tue, May 30, 2017 at 11:15:02PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 2017-05-29 09:45, Sumit Bose via FreeIPA-users wrote:
> > On Sat, May 27, 2017 at 05:46:57PM +0200, Ronald Wimmer via FreeIPA-users
> > wrote:
> >> On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
> >>> [...]
> >>> Did you ‘Allow GSSAPI credential delegation’ in the putty configuration?
> >>> Additionally the internal Windows Kerberos handling only allows
> >>> delegation to hosts which have the ok-to-delegate flag set in the
> >>> Kerberos service ticket.
> >>>
> >>> Please check with 'ipa host-show hostname' if 'Trusted for delegation:
> >>> True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
> >> Setting the flag solved the problem. Thanks a lot.
> >>
> >> Can this flag be set by default for new hosts?
> > As far as I know IPA does not offer such an option. Imo it would not be
> > a good idea to enable it by default. Since delegation means that your
> > full TGT is forwarded the target host should really be trusted because
> > otherwise someone with e.g. physical access to the host might be able to
> > steal the TGT and use it as long as the ticket is valid.
> >
>
> What other options do I have if I want users connecting from Windows to
> be able to use automounted home directories?

Why isn't 'ipa host-mod' sufficient? You can e.g. call it directly after
ipa-client-install to set the flag if needed?

bye,
Sumit

>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
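An added example, not part of the thread: since the flag is set per host with 'ipa host-mod', a periodic check can compare which hosts show 'Trusted for delegation: True' against an explicit allowlist. The sample records, the host names and the "Host name:" label are constructed assumptions; only the 'Trusted for delegation' field is quoted from the messages above.

```shell
#!/bin/sh
# Added example: audit the ok-as-delegate flag against an allowlist.

# Constructed sample in the layout of 'ipa host-show' output.
# The "Host name:" label and all host names are assumptions.
sample_hosts() {
cat <<'EOF'
  Host name: nfs-client1.example.test
  Trusted for delegation: True
  Host name: web1.example.test
  Trusted for delegation: True
  Host name: nfs-client2.example.test
  Trusted for delegation: False
EOF
}

# audit_delegation ALLOWED_HOST...
# Reads host records on stdin and prints one finding per line:
#   UNEXPECTED <host>  flag is set but the host is not on the allowlist
#   MISSING <host>     allowlisted host that does not have the flag
# Allowlisted hosts absent from the input are not reported.
audit_delegation() {
    awk -v allow="$*" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^[ \t]*Host name:/ { host = $NF; order[++cnt] = host; flag[host] = 0 }
        /^[ \t]*Trusted for delegation:/ {
            if (host != "") flag[host] = ($NF == "True")
        }
        END {
            for (i = 1; i <= cnt; i++) {
                h = order[i]
                if (flag[h] && !(h in ok)) print "UNEXPECTED " h
                if (!flag[h] && (h in ok)) print "MISSING " h
            }
        }
    '
}

# Stand-alone run on the constructed sample.
sample_hosts | audit_delegation nfs-client1.example.test nfs-client2.example.test
```

A MISSING host is a candidate for 'ipa host-mod hostname --ok-as-delegate=True' right after enrollment; an UNEXPECTED host is one where forwarded TGTs land without anyone having decided to trust it.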
