[Freeipa-devel] [PATCH] restrict setkeytab operation

Rob Crittenden rcritten at redhat.com
Mon Jul 25 15:10:29 UTC 2016


Simo Sorce wrote:
> On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> As described in #232 start restricting the use of the setkeytab
>>> operation to just the computers objects.
>>>
>>> I haven't tested this with older RHEL/CentOS machines that actually use
>>> the setkeytab operation as I do not have such an old VM handy right now.
>>>
>>> Meanwhile I'd like to know if ppl agree with this approach.
>>
>> What about services?
>
> Do we automatically acquire keytab for services in the old clients ?
>
> Are you thinking about scripted ipa-getkeytab callouts ?

You are limiting access to host keytabs; what about service keytabs?
Should they be, or are they now, similarly restricted?

Installers for something like Foreman may try to generate a service 
keytab in its installer, probably using admin credentials. I am planning 
to do the same in Openstack.

rob
