On Mon, 17 Apr 2017, Jan Pazdziora wrote:
Hello, on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve new keytab for a service but they cannot retrieve the existing keys with the -r option. Is that expected?
Yes. Access to existing keys is intentionally restricted. There are additional commands that allow setting up how to grant such access based on the management of a service. There is no way to set up a blanket permission for that, though, as the permission is based on the specific attributes in the service entry.

  # ipa service-add foobar/$(hostname)
  --------------------------------------------------
  Added service "foobar/[email protected]"
  --------------------------------------------------
    Principal name: foobar/[email protected]
    Principal alias: foobar/[email protected]
    Managed by: nyx.xs.ipa.cool

  # ipa service-allow-retrieve-keytab foobar/$(hostname) --groups=admins
    Principal name: foobar/[email protected]
    Principal alias: foobar/[email protected]
    Managed by: nyx.xs.ipa.cool
    Groups allowed to retrieve keytab: admins
  -------------------------
  Number of members added 1
  -------------------------

  # ipa service-show foobar/$(hostname) --all --raw|grep ipaAllowedToPerform
  ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool

This is all documented very well:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/retrieve-existing-keytabs.html

--
/ Alexander Bokovoy
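An added audit helper, not part of the thread: it parses the ipaAllowedToPerform;read_keys and ipaAllowedToPerform;write_keys lines from `ipa service-show --all --raw` output and classifies each member DN, so you can review who may retrieve (read_keys) versus create (write_keys) a service's keys before granting more. The sample output, the write_keys entry and the realm are constructed, and the container-to-kind mapping assumes the standard IPA directory layout.

```python
import re

# Constructed sample in the shape of `ipa service-show --all --raw` output.
# The principal, realm and write_keys entry are made up; the read_keys line
# mirrors the one shown in the thread.
SAMPLE = """\
  dn: krbprincipalname=foobar/nyx.xs.ipa.cool@EXAMPLE.REALM,cn=services,cn=accounts,dc=xs,dc=ipa,dc=cool
  krbprincipalname: foobar/nyx.xs.ipa.cool@EXAMPLE.REALM
  managedby: fqdn=nyx.xs.ipa.cool,cn=computers,cn=accounts,dc=xs,dc=ipa,dc=cool
  ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool
  ipaAllowedToPerform;write_keys: uid=jdoe,cn=users,cn=accounts,dc=xs,dc=ipa,dc=cool
"""

# Assumed mapping for the standard IPA tree: (RDN attribute, parent container) -> kind.
_CONTAINERS = {
    ("cn", "cn=groups"): "group",
    ("cn", "cn=hostgroups"): "hostgroup",
    ("uid", "cn=users"): "user",
    ("fqdn", "cn=computers"): "host",
}

# LDAP attribute names are case-insensitive, so match the subtype case-insensitively.
_ACL_RE = re.compile(r"^\s*ipaAllowedToPerform;(read_keys|write_keys):\s*(\S.*?)\s*$", re.I)

def classify_dn(dn):
    """Return (kind, name) for a member DN, e.g. ('group', 'admins')."""
    parts = [p.strip() for p in dn.split(",")]
    attr, _, name = parts[0].partition("=")
    container = parts[1].lower() if len(parts) > 1 else ""
    return _CONTAINERS.get((attr.lower(), container), "unknown"), name

def keytab_acl(raw_output):
    """Collect who may read (retrieve) or write (create) the service's keys."""
    acl = {"read_keys": [], "write_keys": []}
    for line in raw_output.splitlines():
        m = _ACL_RE.match(line)
        if m:
            acl[m.group(1).lower()].append(classify_dn(m.group(2)))
    return acl

def may_retrieve(acl, kind, name):
    """True if the given principal appears in the retrieve (read_keys) list."""
    return (kind, name) in acl["read_keys"]

if __name__ == "__main__":
    for op, members in keytab_acl(SAMPLE).items():
        print(op, members)
```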
