[Freeipa-users] Admin cannot retrieve keytab -- is that expected?

Jan Pazdziora jpazdziora@redhat.com
Mon Apr 17 14:38:06 UTC 2017


On Mon, Apr 17, 2017 at 04:49:59PM +0300, Alexander Bokovoy wrote:
> On Mon, 17 Apr 2017, Jan Pazdziora wrote:
> > 
> > Hello,
> > 
> > on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve
> > new keytab for a service but they cannot retrieve the existing keys
> > with the -r option. Is that expected?
> Yes. Access to existing keys is intentionally restricted. There are
> additional commands that allow to set up how to grant such access based
> on the management of a service. There is no way to set up a blank
> permission for that, though, as permission is based on the specific
> attributes in the service entry.
> 
> # ipa service-add foobar/$(hostname)
> --------------------------------------------------
> Added service "foobar/nyx.xs.ipa.cool@XS.IPA.COOL"
> --------------------------------------------------
>  Principal name: foobar/nyx.xs.ipa.cool@XS.IPA.COOL
>  Principal alias: foobar/nyx.xs.ipa.cool@XS.IPA.COOL
>  Managed by: nyx.xs.ipa.cool
> 
> # ipa service-allow-retrieve-keytab foobar/$(hostname) --groups=admins
>  Principal name: foobar/nyx.xs.ipa.cool@XS.IPA.COOL
>  Principal alias: foobar/nyx.xs.ipa.cool@XS.IPA.COOL
>  Managed by: nyx.xs.ipa.cool
>  Groups allowed to retrieve keytab: admins
> -------------------------
> Number of members added 1
> -------------------------
> 
> # ipa service-show foobar/$(hostname) --all --raw|grep ipaAllowedToPerform
>  ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool

Thank you,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
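The procedure quoted above (grant a group retrieval rights on a service, confirm the `ipaAllowedToPerform;read_keys` attribute, then fetch the existing keys) as an added shell example; it is not code from the thread or from the FreeIPA project. The parser functions run offline against a constructed `--raw` sample; the live part only runs when `IPA_SERVICE` is set and assumes an enrolled host with a valid admin ticket. The service principal, group name and output path are placeholders. The `write_keys` sub-type shown in the sample is the counterpart set by `ipa service-allow-create-keytab`.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): delegate keytab retrieval
# for a service to a group and verify the ACL before calling ipa-getkeytab -r.

# Print the DNs listed for one ipaAllowedToPerform sub-type (read_keys or
# write_keys) from `ipa service-show --all --raw` output read on stdin.
allowed_dns() {
    # $1 = read_keys | write_keys
    sed -n "s/^ *ipaAllowedToPerform;$1: //p"
}

# Succeed (exit 0) only if the raw service-show output on stdin lists the
# given group cn as allowed to read the service's existing keys.
group_can_read_keys() {
    # $1 = group cn, e.g. admins
    allowed_dns read_keys | grep -q "^cn=$1,cn=groups,cn=accounts,"
}

# Live workflow (assumption: enrolled host, admin ticket, ipa CLI present).
# $1 = service principal, $2 = group cn, $3 = keytab output path
grant_and_fetch() {
    svc="$1"; group="$2"; out="$3"
    ipa service-allow-retrieve-keytab "$svc" --groups="$group"
    # Confirm the read_keys ACL actually landed on the service entry.
    ipa service-show "$svc" --all --raw | group_can_read_keys "$group" \
        || { echo "read_keys ACL for group $group not present on $svc" >&2; return 1; }
    # -r retrieves the existing keys; without -r, ipa-getkeytab generates
    # new keys and silently invalidates every keytab already deployed.
    ipa-getkeytab -r -p "$svc" -k "$out"
}

# Constructed sample of `ipa service-show --all --raw` output, modelled on
# the entry in the thread, used to exercise the parser without a server.
SAMPLE_RAW='  krbprincipalname: foobar/nyx.xs.ipa.cool@XS.IPA.COOL
  ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool
  ipaAllowedToPerform;write_keys: cn=keytab-writers,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool'

# Offline check against the constructed sample.
if printf '%s\n' "$SAMPLE_RAW" | group_can_read_keys admins; then
    echo "sample: admins may retrieve existing keys"
fi

# Live run only when explicitly requested, e.g.
#   IPA_SERVICE="foobar/$(hostname)" IPA_GROUP=admins KEYTAB_OUT=/tmp/foobar.keytab sh grant.sh
if [ -n "${IPA_SERVICE:-}" ]; then
    grant_and_fetch "$IPA_SERVICE" "${IPA_GROUP:-admins}" "${KEYTAB_OUT:-/tmp/service.keytab}"
fi
```

The check before `ipa-getkeytab -r` matters because the ACL is stored per service entry: a group granted on one service has no access to another, so verifying the specific entry avoids a confusing permission error at retrieval time.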
