[Freeipa-users] Admin cannot retrieve keytab -- is that expected?

Jan Pazdziora jpazdziora at redhat.com
Mon Apr 17 10:35:38 UTC 2017


Hello,

on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve
a new keytab for a service, but they cannot retrieve the existing keys
with the -r option. Is that expected?

# kdestroy -A
# kinit admin
Password for admin@EXAMPLE.TEST: 
# ipa host-add test1.example.test --force
-------------------------------
Added host "test1.example.test"
-------------------------------
  Host name: test1.example.test
  Principal name: host/test1.example.test@EXAMPLE.TEST
  Principal alias: host/test1.example.test@EXAMPLE.TEST
  Password: False
  Keytab: False
  Managed by: test1.example.test
# ipa service-add HTTP/test1.example.test --force
----------------------------------------------------
Added service "HTTP/test1.example.test@EXAMPLE.TEST"
----------------------------------------------------
  Principal name: HTTP/test1.example.test@EXAMPLE.TEST
  Principal alias: HTTP/test1.example.test@EXAMPLE.TEST
  Managed by: test1.example.test

# ipa-getkeytab -p HTTP/test1.example.test -k /tmp/http.keytab
Keytab successfully retrieved and stored in: /tmp/http.keytab

# ipa-getkeytab -r -p HTTP/test1.example.test -k /tmp/http.keytab.1
Failed to parse result: Insufficient access rights

Failed to get keytab
# 

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



