[Freeipa-devel] [PATCH] restrict setkeytab operation

Martin Basti mbasti at redhat.com
Wed Aug 31 12:36:33 UTC 2016
On 26.07.2016 13:38, Simo Sorce wrote:
> On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote:
>> On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
>>>>> Simo Sorce wrote:
>>>>>> As described in #232 start restricting the use of the setkeytab
>>>>>> operation to just the computers objects.
>>>>>>
>>>>>> I haven't tested this with older RHEL/CentOS machines that actually use
>>>>>> the setkeytab operation as I do not have such an old VM handy right now.
>>>>>>
>>>>>> Meanwhile I'd like to know if people agree with this approach.
>>>>> What about services?
>>>> Do we automatically acquire keytab for services in the old clients ?
>>>>
>>>> Are you thinking about scripted ipa-getkeytab callouts ?
>>> You are limiting access to host keytabs, what about service keytabs?
>>> Should they be or are they now similarly restricted?
>>>
>>> Installers for something like Foreman may try to generate a service
>>> keytab in its installer, probably using admin credentials. I am planning
>>> to do the same in Openstack.
>> Ok I'll amend the patch to allow service keytabs to still use the
>> setkeytab control, and restrict only users.
>> However note that the idea of using this method is that admin can change
>> this default on their own, so they can restrict more or less if they
>> want, to that end I need to remember how to set a default that we do not
>> override in the update file.
>>
>> Simo.
>>
> Amended patch to allow services too.
> Only users are excluded.
>
> Simo.

bump for review
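The thread settles on a default policy for the legacy setkeytab operation: host and service entries may still use it, user entries are excluded, and an administrator may widen or narrow the set of permitted entry types. The block below is an added example written for this page to make that policy concrete; it is not the patch under review and not FreeIPA code. The objectClass names it keys on (ipahost, ipaservice, person, posixaccount, krbprincipalaux) follow the FreeIPA schema as I understand it, the `SetkeytabPolicy` shape and the helper names are my own, and the LDIF entries are constructed sample data.

```python
"""Model of the setkeytab entry-type policy discussed in the thread.

Added example, not FreeIPA's implementation.  Object class names are assumed
from the FreeIPA schema; the policy class, helpers and sample LDIF are my own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    dn: str
    object_classes: frozenset  # lower-cased objectClass values


@dataclass(frozen=True)
class SetkeytabPolicy:
    """Which entry types may have keys pushed in through setkeytab.

    `allowed_classes` is the admin-tunable default from the amended patch
    (hosts and services).  `denied_classes` models "only users are excluded":
    a match there wins over any allow, so widening the allow list to a class
    users also carry (e.g. krbprincipalaux) does not silently re-admit them.
    """
    allowed_classes: frozenset = frozenset({"ipahost", "ipaservice"})
    denied_classes: frozenset = frozenset({"person", "posixaccount"})

    def permits(self, entry: Entry) -> bool:
        if entry.object_classes & self.denied_classes:
            return False
        return bool(entry.object_classes & self.allowed_classes)


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: keeps only dn and objectClass, entries blank-separated."""
    entries, dn, classes = [], None, set()
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if dn is not None:
                entries.append(Entry(dn, frozenset(classes)))
            dn, classes = None, set()
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "objectclass":
            classes.add(value.lower())
    return entries


# Constructed sample entries (hypothetical realm EXAMPLE.TEST).
HOST_DN = "fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test"
SERVICE_DN = ("krbprincipalname=HTTP/web1.example.test@EXAMPLE.TEST,"
              "cn=services,cn=accounts,dc=example,dc=test")
USER_DN = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"

SAMPLE_LDIF = f"""
dn: {HOST_DN}
objectClass: ipahost
objectClass: krbprincipalaux

dn: {SERVICE_DN}
objectClass: ipaservice
objectClass: krbprincipalaux

dn: {USER_DN}
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
"""


def evaluate(ldif: str = SAMPLE_LDIF, policy: SetkeytabPolicy = SetkeytabPolicy()) -> dict:
    """Map each entry DN to whether setkeytab is permitted under `policy`."""
    return {e.dn: policy.permits(e) for e in parse_ldif(ldif)}


if __name__ == "__main__":
    for dn, ok in evaluate().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {dn}")
```

Running it with the default policy allows the host and the service and denies the user; passing `SetkeytabPolicy(allowed_classes=frozenset({"ipahost"}))` reproduces the first, computers-only version of the patch, under which the service entry is denied as well.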