On 2017-05-31 10:54, Sumit Bose via FreeIPA-users wrote:
[...]
Why isn't 'ipa host-mod' sufficient? You can e.g. call it directly after
ipa-client-install to the set flag is needed?


You got me wrong. It is sufficient. My answer was referring to "Imo it would not be a good idea to enable it by default. Since delegation means that your full TGT is forwarded the target host should really be trusted because otherwise someone with e.g. physical access to the host might be able to steal the TGT and use it as long as the ticket is valid."
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to