On Mon, Jan 07, 2013 at 09:15:41AM +0100, Han Boetes wrote:
> On Fri, Jan 4, 2013 at 6:52 PM, Sumit Bose <sb...@redhat.com> wrote:
> > About delegating credentials, you might need to set the ok_as_delegate
> > flag on the host/* service ticket. To do this you can call kadmin.local
> > on the IPA server and then use
> >
> > modprinc +ok_as_delegate host/test-server-ipa.realm@REALM
> >
> > to set the flag.
> >
> I don't know why this host would have this flag set differently from other

Does it mean there are other Windows hosts where delegation already
works as expected? AFAIK the Linux OpenSSH client does not check
this flag and forwards the credentials depending on the command line
options, but it looks like PuTTY on Windows checks this flag.

> hosts. And I get this error while trying to set or unset this flag.
> kadmin.local:  modprinc +ok_as_delegate host/ipa-w7.domain@REALM
> modify_principal: Kerberos database internal error while modifying
> "host/ipa-w7.domain@REALM
> For any other host as well BTW. I can't find anything relevant in the log
> files.

Which version of FreeIPA are you using? There are issues in older
versions which prevent kadmin.local from working.


> -- 
> # Han
