On Tue, May 30, 2017 at 11:15:02PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 2017-05-29 09:45, Sumit Bose via FreeIPA-users wrote:
> > On Sat, May 27, 2017 at 05:46:57PM +0200, Ronald Wimmer via FreeIPA-users 
> > wrote:
> >> On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote:
> >>> [...]
> >>> Did you ‘Allow GSSAPI credential delegation’ in the putty configuration?
> >>> Additionally the internal Windows Kerberos handling only allows
> >>> delegation to host which have the ok-to-delegate flag set in the
> >>> Kerberos service ticket.
> >>>
> >>> Please check with 'ipa host-show hostname' if 'Trusted for delegation:
> >>> True', if not please try 'ipa host-mod hostname --ok-as-delegate=True'.
> >> Setting the flag solved the problem. Thanks a lot.
> >>
> >> Can this flag be set by default for new hosts?
> > As fas as I know IPA does not offer such option. Imo it would not be
> > a good idea to enable it by default. Since delegation means that your
> > full TGT is forwarded the target host should really be trusted because
> > otherwise someone with e.g. physical access to the host might be able to
> > steal the TGT and use it as long as the ticket is valid.
> >
> 
> What other options do I have if I want users connecting from Windows to
> be able to use automounted home directories?

Why isn't 'ipa host-mod' sufficient? You can e.g. call it directly after
ipa-client-install to the set flag is needed?

bye,
Sumit

> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to