We enrolled a RHEL9 server (IPA client) in order to replace an old one
(CentOS 7.9). Unfortunately, Windows users could not access their
kerberized NFS home share.
Today I rechecked the server and saw that the "trusted for delegation"
flag was not set (it was set on the old CentOS server). I enabled it and
now it seems to work.
Was this probably just a coincidence or can it be explained somehow?
The documentation says:

OK_AS_DELEGATE
Use this flag to specify Kerberos tickets trusted for delegation.
Active Directory (AD) clients check the OK_AS_DELEGATE flag on the Kerberos
ticket to determine whether the user credentials can be forwarded or
delegated to the specific server. AD forwards the ticket-granting ticket
(TGT) only to services or hosts with OK_AS_DELEGATE set.
With this flag, System Security Services Daemon (SSSD) can add the AD user
TGT to the default Kerberos credentials cache on the IdM client machine.

Is it needed that the TGT ticket can be forwarded to the server in order
to let the server fetch the NFS-Ticket needed?
Cheers,
Ronald
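
The check described in the quoted documentation can be confirmed from the flags word on the client's service ticket. The following is an added example, not part of the original message or of FreeIPA: it decodes the RFC 4120 ticket flag bits from a constructed ticket listing and reports which services would be sent the user's TGT. Host names, realms, flag words and the listing layout are assumptions made for the illustration.

```python
import re

# Ticket flag bit numbers from RFC 4120 section 5.3; bit 0 is the most
# significant bit of the 32-bit flags word.
FORWARDABLE_BIT = 1
OK_AS_DELEGATE_BIT = 13

def has_flag(word, bit):
    """Return True if the given RFC 4120 flag bit is set in the flags word."""
    return bool(word & (1 << (31 - bit)))

# Constructed ticket listing: realms, hosts and flag words are made up.
# The "old" service has ok-as-delegate set, the "new" one does not.
SAMPLE = """\
Server: krbtgt/AD.EXAMPLE @ AD.EXAMPLE
Ticket Flags 0x40e10000
Server: nfs/new.ipa.example @ IPA.EXAMPLE
Ticket Flags 0x40a10000
Server: nfs/old.ipa.example @ IPA.EXAMPLE
Ticket Flags 0x40a50000
"""

TICKET_RE = re.compile(
    r"Server:\s*(\S+)\s*@\s*(\S+)\s+Ticket Flags\s+(0x[0-9a-fA-F]+)")

def parse_tickets(text):
    """Return a list of (principal, flags_word) pairs found in the listing."""
    return [(f"{svc}@{realm}", int(word, 16))
            for svc, realm, word in TICKET_RE.findall(text)]

def delegation_report(text):
    """Map each service principal to whether the client would forward the TGT.

    Simplified model of the documented check: the TGT must be forwardable
    and the service ticket must carry ok-as-delegate.
    """
    tickets = parse_tickets(text)
    tgt_forwardable = any(
        name.startswith("krbtgt/") and has_flag(word, FORWARDABLE_BIT)
        for name, word in tickets)
    return {name: tgt_forwardable and has_flag(word, OK_AS_DELEGATE_BIT)
            for name, word in tickets if not name.startswith("krbtgt/")}

if __name__ == "__main__":
    for principal, delegated in delegation_report(SAMPLE).items():
        print(f"{principal}: TGT forwarded = {delegated}")
```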