On Mon, Jan 07, 2013 at 05:00:09PM +0100, Han Boetes wrote:
> I just had a long and fruitfull debugging session with Sumit and this is
> what we discovered.

Thank you for your patience and help to debug this issue.

> The default settings do run fine for linux machines but for windows hosts
> they do not suffice. Sumit is submitting bug reports and hopefully they
> will be applied to the next 2.2.x release. This problem does not exist with
> version 3.x
> The workaround for 2.2.x releases is:
> For any target machine you want to enable forwarding tickets which have to
> be accessible with putty you will have to add the ok_as_delegate flag. To
> do that run the following commands on the ipa-server:
> # ipa host-mod --addattr='objectclass=krbTicketPolicyAux'
> destinationhost.domain

Ticket https://fedorahosted.org/freeipa/ticket/3328 covers the missing

> # kadmin.local -q 'modprinc +ok_as_delegate
> host/destinationhost.domain@REALM'

https://fedorahosted.org/freeipa/ticket/3329 is a RFE to think about
how we want to handle this flag (and maybe Kerberos flags in general).


> So far I working tickets on the destination machine if I used centrify
> putty to log in. This didn't work with the stock version of putty allas.
> # Han

Freeipa-users mailing list

Reply via email to