<html> <head> <meta content="text/html; charset=windows-1252" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> <div class="moz-cite-prefix">On 11.08.2016 18:57, Pavel Vomacka wrote: </div> <blockquote cite="mid:2c35a975-2f44-1557-7770-cba7105e580c@redhat.com" type="cite"> On 08/11/2016 02:00 PM, Petr Vobornik wrote: <blockquote type="cite">On 08/11/2016 10:54 AM, Alexander Bokovoy wrote: <blockquote type="cite">On Thu, 11 Aug 2016, Jan Cholasta wrote: <blockquote type="cite">On 4.8.2016 17:27, Jan Pazdziora wrote: <blockquote type="cite">On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote: <blockquote type="cite">Got it. One thing I would correct, though, -- don't use kadmin.local, we do support setting ok_as_delegate on the service principals via IPA CLI: $ ipa service-mod --help |grep -A1 ok-as-delegate --ok-as-delegate=BOOL 牋牋牋牋牋牋牋牋牋牋牋 Client credentials may be delegated to the service </blockquote> I've tried 牋牋 ipa service-mod --ok-as-delegate=True HTTP/$(hostname) but that does not seem to have the same effect as 牋牋 modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test -- obtaining the delegated certificated fails. </blockquote> That's because ok_as_delegate and ok_to_auth_as_delegate are different flags. </blockquote> Right. The following patch adds ok_to_auth_as_delegate to the service principal. I haven't added any tickets to it yet. </blockquote> This might deserve also nice Web UI checkbox similar to "Trusted for delegation". CCing Pavel. </blockquote> Here is patch with new checkbox. It is without ticket in commit message so once we will have the ticket I will send another patch witch updated commit message. </blockquote> <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/newticket">https://fedorahosted.org/freeipa/newticket</a> ;-) <blockquote cite="mid:2c35a975-2f44-1557-7770-cba7105e580c@redhat.com" type="cite"> <fieldset class="mimeAttachmentHeader"></fieldset> </blockquote> </body> </html>