Prior to the addition of S4U2Proxy IPA used full TGT delegation to handle access control for 389-ds. When this support was added I think in 3.0.0 the TGT delegation was left in for backwards compatibility.
Those days are past and there is no reason to delegate the full TGT any more.
The TGT is delegated. You can tell because the Negotiate is immense.
Don't set the curl options to enable delegation.
For reference, here is where the code to explicitly enable it was added in 2.1.0: a1c690c
https://pagure.io/freeipa/issue/1452
master:
Metadata Update from @rcritten: - Custom field affects_doc adjusted to on - Custom field knownissue adjusted to on - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.