Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 19 Jan 2011 15:22:22 -0500
>> Dmitri Pal <d...@redhat.com> wrote:
>>
>>> I thought that enrollment is based only on presence of the keytab.
>>
>> By keytab I guess you mean the krbPrincipalKey attribute.
>> The presence of that attribute is unknown to all users except
>> cn=Directory Manager and uid=kdc, so no user can check for its
>> presence as our ACIs prevent any access for reading (and rightly so).
>>
>> I think the krbPrincipalName attribute was used to check if kerberos
>> credentials were assigned.
>>
>> Simo.
>>
>
> Yes, that's right. We also use krbLastPwdChange for this purpose but
> the krbPrincipalName work predated this.
>
> We might need to revisit what I originally did which is why I think
> the patch is ok for now. For now, at least as far as I can tell, it
> just causes a strange message in ipa-join.
>


Yes, the one that I noticed yesterday stating that principal exists.
OK, I am corrected; let us reopen the ticket.

> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

