On Mon, 10 Mar 2025, Rob Crittenden via FreeIPA-users wrote:
alexey safonov via FreeIPA-users wrote:
Hi guys, I might be missing something, but I can't find any
instructions on how to allow users to retrieve keytab without password
reset. And just wondering why this is disabled by default?
Generating a keytab generates new keys.

A user can set the password they want when requesting a keytab for
themselves:

$ kinit tuser
$ ipa-getkeytab -Y GSSAPI -p [email protected] -k /tmp/user.kt -P
New Principal Password: ******
Verify Principal Password: ******
Keytab successfully retrieved and stored in: /tmp/user.kt

As of now, this will not update userPassword attribute, only Kerberos
attributes. As a result, one cannot use LDAP simple bind with the new
password. It is something I'd like to fix.

No special permissions are needed.

The default permissions don't allow one to retrieve already existing key
through ipa-getkeytab without explicit grant. You are allowed to write
keys but not retrieve existing ones.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
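The self-service flow from the reply above, as an added example (not from the thread or the FreeIPA project), with the two checks a practitioner would want afterwards: that the new keytab actually authenticates, and that the key version number (kvno) moved on, since retrieving a keytab generates new keys and any older keytab for the same principal stops working. It assumes an enrolled IPA client with ipa-getkeytab, kinit, klist and kdestroy on PATH; the principal name, realm and file paths are placeholders, and the klist output format assumed by max_kvno is the MIT Kerberos one.

```shell
#!/bin/sh
# Added example, not the thread's or FreeIPA's own code: retrieve a user's
# keytab with the user's own credentials (as in the reply above) and verify
# the result. Principal, realm and paths are placeholders.
set -eu

# Highest kvno listed in 'klist -kt' output read from stdin.
# Entry lines look like "   3 03/10/2025 12:00:00 tuser@EXAMPLE.TEST";
# header and separator lines have a non-numeric first field and are
# skipped. Prints 0 when there are no entries at all.
max_kvno() {
    awk '$1 ~ /^[0-9]+$/ && $1+0 > m { m = $1+0 } END { print m+0 }'
}

# kvno currently stored in a keytab file, 0 if the file does not exist yet.
keytab_kvno() {
    kt="$1"
    if [ -f "$kt" ]; then
        klist -kt "$kt" | max_kvno
    else
        echo 0
    fi
}

# Retrieve a fresh keytab for a user principal over GSSAPI, as in the thread.
# -P prompts for the new password; the keys derived from it replace the
# principal's current Kerberos keys (userPassword is not touched).
rotate_user_keytab() {
    princ="$1"
    kt="$2"
    old_kvno=$(keytab_kvno "$kt")

    # 1. Authenticate as the user; ipa-getkeytab reuses this TGT via -Y GSSAPI.
    kinit "${princ%@*}"

    # 2. Request the keytab. No extra permission is needed for one's own
    #    principal: the default ACLs allow writing new keys, not reading
    #    existing ones, which is why a new key set is generated.
    ipa-getkeytab -Y GSSAPI -p "$princ" -k "$kt" -P

    # 3. Verify: the keytab must authenticate on its own, and the kvno must
    #    have increased, otherwise something other than a rotation happened.
    new_kvno=$(keytab_kvno "$kt")
    kdestroy
    kinit -kt "$kt" "$princ"
    kdestroy
    echo "kvno before: $old_kvno, after: $new_kvno"
    if [ "$new_kvno" -le "$old_kvno" ]; then
        echo "warning: kvno did not increase; check for a stale keytab" >&2
        return 1
    fi
}

# Runs only when invoked with arguments, e.g.:
#   sh rotate_user_keytab.sh tuser@EXAMPLE.TEST /tmp/user.kt
if [ "$#" -ge 2 ]; then
    rotate_user_keytab "$1" "$2"
fi
```

Because ipa-getkeytab appends to an existing keytab file rather than replacing it, the old entries stay in the file with their lower kvno; comparing the highest kvno before and after is what shows that the server-side keys were actually rotated, and a copy of the old keytab kept elsewhere will fail at `kinit -kt` once that has happened.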

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue