Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 19 Jan 2011 15:22:22 -0500
>> Dmitri Pal wrote:
>>> I thought that enrollment is based only on presence of the keytab.
>> By keytab I guess you mean the krbPrincipalKey attribute.
>> The presence of that attribute is unknown to all users except
>> cn=Directory Manager and uid=kdc, so no user can check for its
>> presence as our aci prevent any access for reading (and rightly so).
>> I think the krbPrincipalName attribute was used to check if kerberos
>> credentials were assigned.
>> Simo.
> Yes, that's right. We also use krbLastPwdChange for this purpose but
> the krbPrincipalName work predated this.
> We might need to revisit what I originally did which is why I think
> the patch is ok for now. For now, at least as far as I can tell, it
> just causes a strange message in ipa-join.

Yes, the one that I noticed yesterday stating that principal exists.
OK, I am corrected; let us reopen the ticket.

> rob
> _______________________________________________
> Freeipa-devel mailing list

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
