[Freeipa-users] user keytab retrieval

Simo Sorce simo at redhat.com
Fri Apr 7 11:45:28 UTC 2017


On Thu, 2017-04-06 at 22:18 +0200, Stijn De Weirdt wrote:
> hi rob,
> 
> > > i'm a bit puzzled by the following: i want to retrieve a user
> > > keytab
> > > using ipa-getkeytab -r (since the keytab for the same user was
> > > already
> > > retrieved on another host).
> > > 
> > > when doing so, i get
> > > 
> > > Failed to parse result: Insufficient access rights
> > > 
> > > however, i can get the keytab without the -r option.
> > > 
> > > anyone care to explain what access rights are required (or why
> > > this
> > > error occurs)?
> > 
> > Being able to retrieve an existing key means being able to read it
> > which
> > isn't granted by default.
> 
> ok, but why is a "regular" ipa-getkeytab no problem?

A regular keytab fetch operation invalidates previously obtained keys,
so when that happens, if the owner has not done it, they figure it out
pretty quickly.

Reading out keys leaves no traces, so that operation is restricted,
otherwise a rogue admin could exfiltrate all keys from a realm,
undetected.

You should create a host-group for each "cluster" of servers that need
to present the same identity, then allow this group read to the
specific key you want them to access. Ideally using the host's key to
fetch the shared service key. 

Simo.
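The setup Simo describes, as an added example that is not part of the original thread: an admin-side function that creates the host group and grants it read access to one service key, and a host-side function that authenticates with the host's own key and fetches the existing service key with `-r`. The realm, server, host group, host and service names are assumptions; the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: share one service key across a cluster of hosts without
# rotating it. Assumed names: realm EXAMPLE.COM, IPA server ipa.example.com,
# host group web-cluster, service principal HTTP/web.example.com.
set -e

REALM="${REALM:-EXAMPLE.COM}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
HOSTGROUP="${HOSTGROUP:-web-cluster}"
SERVICE="${SERVICE:-HTTP/web.example.com}"

# DRY_RUN=1 (the default) prints each command instead of running it, so the
# change can be reviewed before anything touches the realm.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Admin side (needs an admin ticket): group the hosts that must present the
# same identity, then allow only that group to read the keys of this one
# service. Read access is what ipa-getkeytab -r checks and is not granted
# by default, which is the "Insufficient access rights" error in the thread.
grant_retrieve_access() {
    run ipa hostgroup-add "$HOSTGROUP" --desc="hosts sharing $SERVICE"
    for h in "$@"; do
        run ipa hostgroup-add-member "$HOSTGROUP" --hosts="$h"
    done
    run ipa service-allow-retrieve-keytab "$SERVICE" --hostgroups="$HOSTGROUP"
}

# Host side: authenticate as the host itself from /etc/krb5.keytab, then fetch
# the *existing* service key with -r. A fetch without -r would generate a new
# key and silently break the other cluster members, which is exactly why the
# non-privileged path is the one that rotates.
fetch_shared_key() {
    host_fqdn="$1"
    keytab="$2"
    run kinit -k "host/$host_fqdn@$REALM"
    run ipa-getkeytab -r -s "$IPA_SERVER" -p "$SERVICE@$REALM" -k "$keytab"
    run kdestroy
}

# Usage: ./share-key.sh grant web1.example.com web2.example.com
#        ./share-key.sh fetch web1.example.com /etc/httpd/http.keytab
case "${1:-}" in
    grant) shift; grant_retrieve_access "$@" ;;
    fetch) fetch_shared_key "${2:?host fqdn}" "${3:-/etc/httpd/http.keytab}" ;;
esac
```

Hosts that were never added to the group still cannot read the key, and a rogue fetch without `-r` still shows up as a rotated key, so the audit property from the reply is preserved.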
