Don't set delegation flag in client, we're using S4U2Proxy now

A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work. https://fedorahosted.org/freeipa/ticket/1098 https://fedorahosted.org/freeipa/ticket/2246
2025-02-25 18:55:28 -06:00 · 2012-02-15 17:06:54 +01:00
parent 95b1848f19
commit 2da6d6e746
7 changed files with 33 additions and 17 deletions
--- a/ipalib/plugable.py
+++ b/ipalib/plugable.py
@@ -530,6 +530,9 @@ class API(DictProxy):
        parser.add_option('-d', '--debug', action='store_true',
            help='Produce full debuging output',
        )
+        parser.add_option('--delegate', action='store_true',
+            help='Delegate the TGT to the IPA server',
+        )
        parser.add_option('-v', '--verbose', action='count',
            help='Produce more verbose output. A second -v displays the XML-RPC request',
        )
@@ -570,7 +573,7 @@ class API(DictProxy):
                    pass
                overrides[str(key.strip())] = value.strip()
        for key in ('conf', 'debug', 'verbose', 'prompt_all', 'interactive',
-            'fallback'):
+            'fallback', 'delegate'):
            value = getattr(options, key, None)
            if value is not None:
                overrides[key] = value