Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 19 Jan 2011 15:22:22 -0500
>> Dmitri Pal <[email protected]> wrote:
>>
>>> I thought that enrollment is based only on presence of the keytab.
>>
>> By keytab I guess you mean the krbPrincipalKey attribute.
>> The presence of that attribute is unknown to all users except
>> cn=Directory Manager and uid=kdc, so no user can check for its
>> presence as our ACIs prevent any access for reading (and rightly so).
>>
>> I think the krbPrincipalName attribute was used to check if Kerberos
>> credentials were assigned.
>>
>> Simo.
>>
>
> Yes, that's right. We also use krbLastPwdChange for this purpose but
> the krbPrincipalName work predated this.
>
> We might need to revisit what I originally did which is why I think
> the patch is ok for now. For now, at least as far as I can tell, it
> just causes a strange message in ipa-join.
>

Yes, the one that I noticed yesterday stating that principal exists.
OK, I am corrected; let us reopen the ticket.

> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
