On Wed, May 31, 2017 at 11:07:44AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 2017-05-31 10:54, Sumit Bose via FreeIPA-users wrote:
> > [...]
> > Why isn't 'ipa host-mod' sufficient? You can e.g. call it directly after
> > ipa-client-install to set the flag if needed?
>
> You got me wrong. It is sufficient. My answer was referring to "Imo it would
> not be a good idea to enable it by default. Since delegation means that your
> full TGT is forwarded the target host should really be trusted because
> otherwise someone with e.g. physical access to the host might be able to
> steal the TGT and use it as long as the ticket is valid."
Of course if you need the ticket on the target host, e.g. to automount the home directory, you should enable delegation. But it should only be enabled where needed and not by default. (There might be environments where there are only Linux servers in the IPA domain which all need this, but I still think adding the delegation flag should be a step on its own because over time all kinds of systems might be added to the domain.)

bye,
Sumit

> _______________________________________________
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
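The per-host approach discussed in this thread, as an added example that is not part of the original posts or of the FreeIPA project: one function opts a single host in to delegation right after ipa-client-install, and a second parses `ipa host-find --all` output so an administrator can see exactly which hosts will receive forwarded TGTs. It assumes the CLI option `ipa host-mod HOST --ok-as-delegate=True` and the output labels "Host name:" and "Trusted for delegation:"; the host names and the host-find output are constructed.

```shell
#!/bin/sh
# Added example for this thread; not from the FreeIPA project or the posters.
# Assumptions (not stated in the thread): the CLI option
# `ipa host-mod HOST --ok-as-delegate=True` and the `ipa host-find --all`
# output labels "Host name:" and "Trusted for delegation:".

# Step 1: opt a single host in, right after ipa-client-install on that host.
# The flag is per host, so nothing else in the domain is affected.
enable_delegation() {
    host="$1"
    ipa host-mod "$host" --ok-as-delegate=True
}

# Step 2: audit. Read `ipa host-find --all` output on stdin and print
# "<host> enabled|disabled" so unexpected delegation targets stand out.
list_delegation_flags() {
    awk -F': *' '
        /^ *Host name:/              { host = $2 }
        /^ *Trusted for delegation:/ { print host, (($2 == "True") ? "enabled" : "disabled") }
    '
}

# Only the hosts that will receive forwarded TGTs (the ones worth reviewing).
delegation_enabled_hosts() {
    list_delegation_flags | awk '$2 == "enabled" { print $1 }'
}

# Constructed sample of `ipa host-find --all` output for two hosts.
SAMPLE_HOST_FIND='  Host name: nfs.example.test
  Principal name: host/nfs.example.test@EXAMPLE.TEST
  Trusted for delegation: True
  Trusted to authenticate as user: False

  Host name: web.example.test
  Principal name: host/web.example.test@EXAMPLE.TEST
  Trusted for delegation: False
  Trusted to authenticate as user: False'

# Run against the live domain when the CLI is present, else against the sample.
if command -v ipa >/dev/null 2>&1; then
    ipa host-find --all | delegation_enabled_hosts
else
    printf '%s\n' "$SAMPLE_HOST_FIND" | delegation_enabled_hosts
fi
```

Running the audit after every batch of client enrollments keeps the list of delegation targets deliberate rather than accidental, which is the point Sumit makes about mixed domains growing over time.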