[Freeipa-devel] [PATCH] restrict setkeytab operation

Martin Basti mbasti at redhat.com
Wed Oct 26 07:51:09 UTC 2016



On 31.08.2016 14:36, Martin Basti wrote:
>
>
>
> On 26.07.2016 13:38, Simo Sorce wrote:
>> On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote:
>>> On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
>>>>>> Simo Sorce wrote:
>>>>>>> As described in #232 start restricting the use of the setkeytab
>>>>>>> operation to just the computers objects.
>>>>>>>
>>>>>>> I haven't tested this with older RHEL/CentOS machines that actually use
>>>>>>> the setkeytab operation as I do not have such an old VM handy right now.
>>>>>>>
>>>>>>> Meanwhile I'd like to know if ppl agree with this approach.
>>>>>> What about services?
>>>>> Do we automatically acquire keytab for services in the old clients ?
>>>>>
>>>>> Are you thinking about scripted ipa-getkytab callouts ?
>>>> You are limiting access to host keytabs, what about service keytabs?
>>>> Should they be or are they now similarly restricted?
>>>>
>>>> Installers for something like Foreman may try to generate a service
>>>> keytab in its installer, probably using admin credentials. I am planning
>>>> to do the same in Openstack.
>>> Ok I'll amend the patch to allow service keytabs to still use the
>>> setkeytab control still, and restrict only users.
>>> However note that the idea of using this method is that admin can change
>>> this default on their own, so they can restrict more or less if they
>>> want, to that end I need to remember how to set a default that we do not
>>> override in the update file.
>>>
>>> Simo.
>>>
>> Amended patch to allow services too.
>> Only users are excluded.
>>
>> Simo.
>>
>>
>>
>
> bump for review
>
>
bump for review

