[Freeipa-devel] Generating kerberos keytabs

Simo Sorce ssorce at redhat.com
Fri Oct 26 15:31:06 UTC 2007


On Fri, 2007-10-26 at 11:15 -0400, Karl MacMillan wrote:
> I'm looking into creating the xml-rpc interface for generating service
> principals / keytabs and need some help getting started (since I'm a
> kerberos newb). Questions:
> 
> 1) Is there a way to do this programmatically or am I going to end up
> scripting around kadmin?

Scripting around kadmin.local for now.

> 2) Could / should this be done remotely using kadmin? I'm assuming no
> (especially for cross-platform support), but thought I would ask.

Yes, we could, but that would require high privileges I don't want to give
out.
Scripting around kadmin.local the same way we do in krbinstance.py right
now is much simpler.

> 3) What principal should we use - the current users? What if we generate
> a host keytab always - which I think we should - should we allow that to
> be used to generate other service principals? Is that even possible?

The only downside of using kadmin.local is that it will use an on-disk
keytab so we need to do some authorization ... uhmm not ideal indeed,
but I have an idea, let me think a few hours, I am a bit distracted
right now.

Simo.
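
An added example, not part of the original message and not FreeIPA's krbinstance.py code: one way an XML-RPC handler could script around kadmin.local for a service principal and keytab. The function names, the allowed-character policy and the sample paths are assumptions made for illustration; the caller is expected to have authorized the request already.

```python
import re
import subprocess

# Assumed policy for this sketch: service/fqdn@REALM, conservative characters.
PRINCIPAL_RE = re.compile(
    r"[A-Za-z][A-Za-z0-9_-]*"                      # service name, e.g. HTTP
    r"/[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?"  # host name
    r"@[A-Z0-9][A-Z0-9.-]*"                        # realm
)
KEYTAB_RE = re.compile(r"/[A-Za-z0-9._/-]+")       # absolute path, no spaces


def kadmin_argv(principal, keytab):
    """Return the kadmin.local invocations, rejecting unsafe input first.

    kadmin.local splits the -q string into arguments itself, so passing an
    argv list (no shell) is not sufficient: whitespace or quotes inside the
    principal or path would still be read as extra kadmin arguments.
    """
    if not PRINCIPAL_RE.fullmatch(principal):
        raise ValueError("refusing principal name: %r" % principal)
    if not KEYTAB_RE.fullmatch(keytab) or ".." in keytab.split("/"):
        raise ValueError("refusing keytab path: %r" % keytab)
    return [
        ["kadmin.local", "-q", "addprinc -randkey %s" % principal],
        ["kadmin.local", "-q", "ktadd -k %s %s" % (keytab, principal)],
    ]


def create_service_keytab(principal, keytab):
    """Run the commands; must execute on the KDC host with local privileges."""
    for argv in kadmin_argv(principal, keytab):
        subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Constructed sample values; only prints the commands, runs nothing.
    for argv in kadmin_argv("HTTP/web1.example.com@EXAMPLE.COM",
                            "/etc/httpd/conf/ipa.keytab"):
        print(argv)
```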




