[Freeipa-devel] Design Review Keytab Retrieval
Nathaniel McCallum
npmccallum at redhat.com
Fri Jun 20 20:50:59 UTC 2014
On Fri, 2014-06-20 at 16:05 -0400, Simo Sorce wrote:
> On Fri, 2014-06-20 at 14:47 -0400, Nathaniel McCallum wrote:
> > This change would have very small impact on your patch set, but would
> > be
> > much clearer for the future consumers of this protocol. Code can be
> > changed; protocols can't.
>
> Ok this new patchset implements the requested change.
> Initial testing seem to indicate it all works as expected.
0001: Line 555 has very wrong indentation.
Other than that, I have looked over 0001 and 0002 very closely and built
and tested them. Everything works. So conditional (indent fix) ACK on
both of these. I don't see any reason to avoid merging these as soon as
the indent fix is completed. It should substantially reduce your
differential from master.
In the new ASN.1, "Newkeys" has the wrong capitalization. This affects
patches 0003 and 0005.
I think patch 0003 may still have a permissions problem. For instance,
this works for me with no error:
$ ipa user-find --whoami
--------------
1 user matched
--------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
UID: 1569600000
GID: 1569600000
Account disabled: False
Password: True
Kerberos keys available: True
----------------------------
Number of entries returned 1
----------------------------
$ ipa-getkeytab -s ipa.example.com -p foo/ipa.example.com -r -k bar
Keytab successfully retrieved and stored in: bar
Is that really correct behavior or did I screw something up? I thought
we had restricted the admin user from reading keys without changing
them...
Nathaniel
More information about the Freeipa-devel
mailing list