[Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

Simo Sorce simo at redhat.com
Wed Jun 11 22:27:20 UTC 2014


On Wed, 2014-06-11 at 17:03 -0400, Rob Crittenden wrote:
> 0001
> 
> When is_allowed_to_access_attr() fails it should include the value of
> access in the error log for debugging.

Ok added more detailed logging

> Nit: Coluld not fetch REALM backend

Fixed

> There are still a ton of "ber_scanf failed" duplicated fatal errors. I'm
> fine keeping a common err_msg but the fatal error should be unique.

Yeah thanks to this comment, I had a small change of heart.
Instead of sending such detailed information to clients I reverted to
send a little less information to the clients and instead LOG_FATAL in a
more detailed way. HTH

> This breaks normal host delegation. If you add a host to another host's
> managedby, getting the keytab will fail. This is due to:
> 
> [11/Jun/2014:16:56:45 -0400] NSACLPlugin - conn=4 op=3 (main): Deny
> write on
> entry(fqdn=client2.example.com,cn=computers,cn=accounts,dc=example,dc=com).attr(ipaProtectedOperation;write_keys)
> to fqdn=client1.example.com,cn=computers,cn=accounts,dc=example,dc=com:
> no aci matched the subject by aci(97): aciname= "Groups allowed to
> create keytab keys", acidn="cn=accounts,dc=example,dc=com"

Ok this should be working now, I added a new ACI to allow also
managedby#USERDN to operate on keytabs.

New patches attached.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
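The NSACLPlugin denial quoted above is the signal an administrator sees when keytab delegation is misconfigured. The following script, added here as an example and not part of the thread or of FreeIPA itself, parses such 389-ds access-control denial lines into their fields and flags the ones that concern the ipaProtectedOperation;write_keys attribute between two host entries, so the case Rob hit (one host trying to fetch another host's keytab and being denied) can be picked out of the server error log. The first sample line is the one from the thread joined back onto a single line; the second is a constructed non-keytab denial. The function names and the dataclass are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. Line 1 is the denial quoted in the thread, re-joined
# onto one line (the mail client had wrapped it). Line 2 is a made-up denial on an
# unrelated attribute so that the filter below has something to reject.
SAMPLE_LOG = [
    '[11/Jun/2014:16:56:45 -0400] NSACLPlugin - conn=4 op=3 (main): Deny write on '
    'entry(fqdn=client2.example.com,cn=computers,cn=accounts,dc=example,dc=com)'
    '.attr(ipaProtectedOperation;write_keys) '
    'to fqdn=client1.example.com,cn=computers,cn=accounts,dc=example,dc=com: '
    'no aci matched the subject by aci(97): aciname= "Groups allowed to '
    'create keytab keys", acidn="cn=accounts,dc=example,dc=com"',
    '[11/Jun/2014:17:01:02 -0400] NSACLPlugin - conn=9 op=2 (main): Deny write on '
    'entry(uid=alice,cn=users,cn=accounts,dc=example,dc=com).attr(userPassword) '
    'to uid=bob,cn=users,cn=accounts,dc=example,dc=com: '
    'no aci matched the subject by aci(12): aciname= "Constructed example", '
    'acidn="cn=accounts,dc=example,dc=com"',
]

# Layout of the "no aci matched the subject" denial as it appears in the thread.
# Entry DNs and attribute names never contain ')' and ACI names never contain '"',
# which is what the character classes rely on.
DENY_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): '
    r'Deny (?P<right>\w+) on entry\((?P<entry>[^)]+)\)\.attr\((?P<attr>[^)]+)\) '
    r'to (?P<subject>.+?): no aci matched the subject by aci\((?P<aci_id>\d+)\): '
    r'aciname= "(?P<aciname>[^"]*)", acidn="(?P<acidn>[^"]*)"$'
)

# The attribute the keytab ACIs in the thread are written against.
WRITE_KEYS_ATTR = "ipaprotectedoperation;write_keys"


@dataclass
class AclDenial:
    timestamp: str
    conn: int
    op: int
    right: str        # the LDAP right that was denied, e.g. "write"
    entry: str        # DN of the entry being modified
    attr: str         # attribute (with any ;subtype) the right was requested on
    subject: str      # DN of the bound identity that was denied
    aci_id: int       # index of the last ACI that was evaluated
    aciname: str
    acidn: str


def parse_denial(line: str) -> Optional[AclDenial]:
    """Parse one NSACLPlugin denial line; return None for anything else."""
    m = DENY_RE.match(line.strip())
    if not m:
        return None
    return AclDenial(
        timestamp=m["ts"], conn=int(m["conn"]), op=int(m["op"]),
        right=m["right"], entry=m["entry"], attr=m["attr"],
        subject=m["subject"], aci_id=int(m["aci_id"]),
        aciname=m["aciname"], acidn=m["acidn"],
    )


def is_keytab_denial(d: AclDenial) -> bool:
    """True when the denied operation was on the keytab-writing attribute."""
    return d.attr.lower() == WRITE_KEYS_ATTR


def _is_host_dn(dn: str) -> bool:
    # Host entries live under cn=computers and use fqdn as their RDN attribute.
    first_rdn_attr = dn.split("=", 1)[0].strip().lower()
    return first_rdn_attr == "fqdn" and ",cn=computers," in dn.lower()


def is_host_to_host(d: AclDenial) -> bool:
    """True when a host principal was denied on another host's entry, i.e. the
    host-delegation (managedBy) case discussed in the thread."""
    return _is_host_dn(d.entry) and _is_host_dn(d.subject) and d.entry != d.subject


def keytab_denials(lines: List[str]) -> List[AclDenial]:
    """Return the denials in `lines` that concern keytab key writes."""
    found = []
    for line in lines:
        d = parse_denial(line)
        if d is not None and is_keytab_denial(d):
            found.append(d)
    return found


if __name__ == "__main__":
    for d in keytab_denials(SAMPLE_LOG):
        kind = "host->host" if is_host_to_host(d) else "other"
        print(f"{d.timestamp} {kind}: {d.subject} denied {d.right} on {d.entry} "
              f"(last aci #{d.aci_id}: {d.aciname!r})")
```

Run it against a copy of the 389-ds errors log instead of SAMPLE_LOG to list every keytab write that was refused; a host-to-host hit is the one to compare against the target entry's managedBy values before deciding whether the ACI or the delegation is at fault.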
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-keytabs-Modularize-setkeytab-operation.patch
Type: text/x-patch
Size: 36281 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140611/d2c35bc9/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-keytabs-Expose-and-modify-key-encoding-function.patch
Type: text/x-patch
Size: 5298 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140611/d2c35bc9/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-keytab-Add-new-extended-operation-to-get-a-keytab.patch
Type: text/x-patch
Size: 27554 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140611/d2c35bc9/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-ipa-getkeytab-Modularize-ldap_set_keytab-function.patch
Type: text/x-patch
Size: 11295 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140611/d2c35bc9/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-ipa-getkeytab-Add-support-for-get_keytab-extop.patch
Type: text/x-patch
Size: 15976 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140611/d2c35bc9/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-man-Add-r-option-to-ipa-getkeytab.1.patch
Type: text/x-patch
Size: 2017 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140611/d2c35bc9/attachment-0005.bin>