From 2da6d6e7460b932f406b7f0632320433f9f98a85 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 15 Feb 2012 17:06:54 +0100
Subject: Don't set delegation flag in client, we're using S4U2Proxy now

A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.

https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
---
 ipalib/backend.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'ipalib/backend.py')

diff --git a/ipalib/backend.py b/ipalib/backend.py
index 79f190832..7ed378e88 100644
--- a/ipalib/backend.py
+++ b/ipalib/backend.py
@@ -110,7 +110,7 @@ class Executioner(Backend):
             self.Backend.ldap2.connect(ccache=ccache)
         else:
             self.Backend.xmlclient.connect(verbose=(self.env.verbose >= 2),
-                fallback=self.env.fallback)
+                fallback=self.env.fallback, delegate=self.env.delegate)
         if client_ip is not None:
             setattr(context, "client_ip", client_ip)
 
-- 
cgit