On Mon, Jan 07, 2013 at 05:00:09PM +0100, Han Boetes wrote: > I just had a long and fruitfull debugging session with Sumit and this is > what we discovered.
Thank you for your patience and help to debug this issue. > > The default settings do run fine for linux machines but for windows hosts > they do not suffice. Sumit is submitting bug reports and hopefully they > will be applied to the next 2.2.x release. This problem does not exist with > version 3.x > > The workaround for 2.2.x releases is: > > For any target machine you want to enable forwarding tickets which have to > be accessible with putty you will have to add the ok_as_delegate flag. To > do that run the following commands on the ipa-server: > > # ipa host-mod --addattr='objectclass=krbTicketPolicyAux' > destinationhost.domain Ticket https://fedorahosted.org/freeipa/ticket/3328 covers the missing objectclass. > # kadmin.local -q 'modprinc +ok_as_delegate > host/destinationhost.domain@REALM' https://fedorahosted.org/freeipa/ticket/3329 is a RFE to think about how we want to handle this flag (and maybe Kerberos flags in general). bye, Sumit > > So far I working tickets on the destination machine if I used centrify > putty to log in. This didn't work with the stock version of putty allas. > > > > # Han _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users