I thought that enrollment is based only on the presence of the keytab.

By keytab I guess you mean the krbPrincipalKey attribute.
The presence of that attribute is unknown to all users except
cn=Directory Manager and uid=kdc, so no user can check for its
presence as our ACI prevents any access for reading (and rightly so).

I think the krbPrincipalName attribute was used to check if Kerberos
credentials were assigned.


Yes, that's right. We also use krbLastPwdChange for this purpose but the krbPrincipalName work predated this.

We might need to revisit what I originally did which is why I think the patch is ok for now. For now, at least as far as I can tell, it just causes a strange message in ipa-join.
