Hello, I am implementing IPA as a Kerberos provider. If you are interested, you can see my progress here: https://github.com/bolkedebruin/ambari .
I’m running into a couple of issues where I need some guidance.

Background: IPA requires a password change for user principals on first authentication (http://www.freeipa.org/page/New_Passwords_Expired). It is not advised to change this manually, and if you do, it requires Directory Manager and LDAP access. This interferes with how Ambari handles keytab creation: password policies still apply in case of a keytab for user principals, and thus the Ambari-generated keytab is unusable.

Questions:

* Why does Ambari store (user) principal passwords? It seems that this might only be required in the case of a Linux client with Active Directory, where command-line utils are unavailable to generate a keytab? It also creates an additional attack vector.
* Currently the test principal that Ambari generates is a user principal for which a keytab is generated. I am not aware of any user principals that need keytabs and are managed by Ambari. Can this test principal also be a service principal, and isn’t that even more appropriate?

Thanks!
Bolke
