[Freeipa-devel] [PATCH] restrict setkeytab operation

Simo Sorce simo at redhat.com
Mon Jul 25 15:26:14 UTC 2016


On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> As described in #232 start restricting the use of the setkeytab
> >>> operation to just the computers objects.
> >>>
> >>> I haven't tested this with older RHEL/CentOS machines that actually use
> >>> the setkeytab operation as I do not have such an old VM handy right now.
> >>>
> >>> Meanwhile I'd like to know if ppl agree with this approach.
> >>
> >> What about services?
> >
> > Do we automatically acquire keytab for services in the old clients ?
> >
> > Are you thinking about scripted ipa-getkeytab callouts ?
> 
> You are limiting access to host keytabs, what about service keytabs? 
> Should they be or are they now similarly restricted?
> 
> Installers for something like Foreman may try to generate a service 
> keytab in its installer, probably using admin credentials. I am planning 
> to do the same in Openstack.

Ok, I'll amend the patch to allow service keytabs to still use the
setkeytab control, and restrict only users.
However, note that the idea of using this method is that admins can change
this default on their own, so they can restrict more or less if they
want; to that end I need to remember how to set a default that we do not
override in the update file.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
