[Freeipa-users] ACI for ipa-getkeytab

Rob Crittenden rcritten at redhat.com
Tue Sep 9 14:59:57 UTC 2014


James James wrote:
> My user, realm-proxy, is in a group (Smart Proxy Host Management) which
> has the Manage host keytab permission:
> 
>   Permission name: Manage host keytab
>   Permissions: write
>   Attributes: krbprincipalkey, krblastpwdchange
>   Type: host
>   Granted to Privilege: Host Administrators, Host Enrollment, Smart Proxy Host Management
> 
> When I try to retrieve a keytab from another host when my principal is
> the realm-proxy:
> 
> [root@client1 ~]# kinit realm-proxy@EXAMPLE.COM -k -t /tmp/freeipa.keytab
> 
> [root@client1 ~]# klist
> 
> Ticket cache: KEYRING:persistent:0:0
> Default principal: realm-proxy@EXAMPLE.COM
> 
> Valid starting       Expires              Service principal
> 09/09/2014 14:35:50  09/10/2014 14:35:50  krbtgt/EXAMPLE.COM@EXAMPLE.COM
> 
> [root@client1 ~]# ipa-getkeytab --server=ipa.example.com --principal=host/client1.example.com --keytab=/etc/krb5.keytab
> Operation failed! Insufficient access rights
> 
> I can't retrieve the key.

I'd need to see the smart-proxy user; show --all --raw would be best.

I just tested this on a RHEL-6 instance I had handy and it worked fine:

# ipa user-add --first=test --last=user tuser1 --password
# ipa role-add 'host keytab' --desc 'manage host keytabs'
# ipa privilege-add 'manage host keytab' --desc 'manage host keytabs'
# ipa privilege-add-permission 'manage host keytab' --permissions='manage host keytab'
# ipa role-add-privilege 'host keytab' --privileges='manage host keytab'
# ipa role-add-member --users=tuser1 'host keytab'
# kinit tuser1
# ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p host/test.example.com
Keytab successfully retrieved and stored in: /tmp/test.keytab

rob
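Rob's sequence above, wrapped in a function and paired with a check for the failing case (an added example, not code from this thread): the check reads the output of the "ipa user-show USER --all --raw" that Rob asked for and reports the first missing link of the user -> role -> privilege -> permission chain. It assumes the default FreeIPA DIT (roles under cn=roles,cn=accounts; privileges and permissions under cn=pbac) and that the memberOf plugin flattens nested membership onto the user entry; the sample raw output is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Wraps Rob's role/privilege/permission
# sequence in one function and adds a chain check for the failing case.
# Assumption: default FreeIPA DIT (roles under cn=roles,cn=accounts;
# privileges and permissions under cn=pbac) and memberOf flattening.
set -eu

IPA="${IPA:-ipa}"   # point at a stub (e.g. IPA=echo) for a dry run

# Rob's sequence, parameterised on the user; names are the ones from his mail.
grant_host_keytab_access() {
    user="$1"; role="host keytab"; priv="manage host keytab"
    perm="Manage host keytab"   # built-in: write krbprincipalkey, krblastpwdchange on hosts
    "$IPA" role-add "$role" --desc 'manage host keytabs'
    "$IPA" privilege-add "$priv" --desc 'manage host keytabs'
    "$IPA" privilege-add-permission "$priv" --permissions="$perm"
    "$IPA" role-add-privilege "$role" --privileges="$priv"
    "$IPA" role-add-member --users="$user" "$role"
}

# Reads raw user-show output on stdin; prints "ok" or the first missing link.
check_keytab_chain() {
    role="$1"; priv="$2"; perm="$3"
    raw=$(cat)
    for pair in "role:cn=$role,cn=roles,cn=accounts," \
                "privilege:cn=$priv,cn=privileges,cn=pbac," \
                "permission:cn=$perm,cn=permissions,cn=pbac,"; do
        kind=${pair%%:*}; dn=${pair#*:}
        if ! printf '%s\n' "$raw" | grep -qi "^ *memberof: $dn"; then
            echo "missing $kind: ${dn%,}"
            return 1
        fi
    done
    echo ok
}

# Constructed sample of what `ipa user-show tuser1 --all --raw` returns once
# the chain above is in place (real output carries many more attributes).
SAMPLE_RAW='  dn: uid=tuser1,cn=users,cn=accounts,dc=example,dc=com
  uid: tuser1
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
  memberof: cn=host keytab,cn=roles,cn=accounts,dc=example,dc=com
  memberof: cn=manage host keytab,cn=privileges,cn=pbac,dc=example,dc=com
  memberof: cn=manage host keytab,cn=permissions,cn=pbac,dc=example,dc=com'

printf '%s\n' "$SAMPLE_RAW" | check_keytab_chain 'host keytab' 'manage host keytab' 'Manage host keytab'
```

Run the check against the real user with: ipa user-show realm-proxy --all --raw | sh -c '. ./script.sh; check_keytab_chain ...' (or source the functions first); a missing privilege or permission link is the usual cause of "Insufficient access rights".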

> 
> 2014-09-09 16:14 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
> 
>     James James wrote:
>     > My IPA version is 3.0.0 .
>     > Thanks
> 
>     The permission 'Manage host keytab' should do the trick.
> 
>     rob
> 
>     >
>     > 2014-09-09 1:22 GMT+02:00 Dmitri Pal <dpal at redhat.com>:
>     >
>     >     On 09/08/2014 06:52 PM, James James wrote:
>     >>     Hi everybody,
>     >>
>     >>     I want a user to be able to do ipa-getkeytab to retrieve the keys
>     >>     from any host in the realm.
>     >>
>     >>     How can I do this ?
>     >>
>     >>     Where can I find an ACI example
>     >>     (https://www.redhat.com/archives/freeipa-users/2010-July/msg00024.html)
>     >>     which can help me?
>     >>
>     >>     Thanks for your help.
>     >>
>     >     Which version of IPA?
>     >     The reason for the question is that in FreeIPA 4.0 the ACIs
>     >     were significantly reworked.
>     >
>     >     --
>     >     Thank you,
>     >     Dmitri Pal
>     >
>     >     Sr. Engineering Manager IdM portfolio
>     >     Red Hat, Inc.
>     >