On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
>On 01.10.20 17:46, Alexander Bokovoy wrote:
>>On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
>>>Is it possible to set this flag by default for all new IPA hosts?
>>
>>I checked the code and there is no way to set it by default. You have to
>>explicitly specify --ok-as-delegate=true when adding hosts and services.
>
>Hosts are added and enrolled by issuing the ipa-client-install command
>which does not seem to have a flag for this. So my only chance is to
>do a host-mod afterwards?

Yes, without modifications.

Alternatively, you can add a small plugin that modifies default flags
for both services and hosts.

# cat /usr/lib/python3.8/site-packages/ipaserver/plugins/service_change_defaults.py
from . import service
service._ticket_flags_default |= service._ticket_flags_map['ipakrbokasdelegate']
# systemctl restart httpd
# kinit admin
Password for admin@IPA.TEST:
# ipa dnsrecord-add ipa.test client --a-rec 10.10.10.10
Record name: client
A record: 10.10.10.10
# ipa host-add client.ipa.test
----------------------------
Added host "client.ipa.test"
----------------------------
Host name: client.ipa.test
Principal name: host/client.ipa.test@IPA.TEST
Principal alias: host/client.ipa.test@IPA.TEST
Password: False
Keytab: False
Managed by: client.ipa.test
# ipa host-show client.ipa.test --all|grep Trusted
Trusted for delegation: True
Trusted to authenticate as user: False
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
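
An added example, not part of the original message or of FreeIPA's own code: because the plugin above changes the default for every host and service created afterwards, this sketch decodes stored ticket flags so you can audit which principals ended up trusted for delegation. The numeric bit values, the `krbTicketFlags` attribute name, the stock default and the sample entries are assumptions not given in the thread.

```python
# Bit values: MIT Kerberos KDB attribute constants (assumed; not in the thread).
TICKET_FLAGS = {
    "ipakrbrequirespreauth": 0x00000080,
    "ipakrbokasdelegate": 0x00100000,
    "ipakrboktoauthasdelegate": 0x00200000,
}
STOCK_DEFAULT = TICKET_FLAGS["ipakrbrequirespreauth"]  # assumed stock default
# What `_ticket_flags_default |= ...['ipakrbokasdelegate']` produces:
PATCHED_DEFAULT = STOCK_DEFAULT | TICKET_FLAGS["ipakrbokasdelegate"]

# Constructed sample input (hypothetical entries, LDIF-style).
SAMPLE_LDIF = """\
dn: fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
krbPrincipalName: host/client.ipa.test@IPA.TEST
krbTicketFlags: 1048704

dn: fqdn=old.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
krbPrincipalName: host/old.ipa.test@IPA.TEST
krbTicketFlags: 128

dn: krbprincipalname=HTTP/web.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
krbPrincipalName: HTTP/web.ipa.test@IPA.TEST
"""

def decode_flags(value):
    """Names of the known ticket flags set in an integer krbTicketFlags value."""
    return sorted(name for name, bit in TICKET_FLAGS.items() if value & bit)

def parse_entries(ldif):
    """Yield (principal, flags) per entry; flags is None when none are stored."""
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs[key.lower()] = val
        raw = attrs.get("krbticketflags")
        yield attrs.get("krbprincipalname"), (int(raw) if raw is not None else None)

def delegation_trusted(ldif):
    """Principals whose stored flags include ok-as-delegate."""
    bit = TICKET_FLAGS["ipakrbokasdelegate"]
    return [p for p, flags in parse_entries(ldif) if flags is not None and flags & bit]

if __name__ == "__main__":
    print(f"stock default {STOCK_DEFAULT:#x}, patched default {PATCHED_DEFAULT:#x}")
    for principal, flags in parse_entries(SAMPLE_LDIF):
        shown = "no stored flags" if flags is None else ", ".join(decode_flags(flags))
        print(f"{principal}: {shown}")
    print("trusted for delegation:", delegation_trusted(SAMPLE_LDIF))
```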