Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Wed, 19 Jan 2011 15:22:22 -0500
>> Dmitri Pal <d...@redhat.com> wrote:
>>> I thought that enrollment is based only on presence of the keytab.
>> By keytab I guess you mean the krbPrincipalKey attribute.
>> The presence of that attribute is unknown to all users except
>> cn=Directory Manager and uid=kdc, so no user can check for its
>> presence as our ACIs prevent any access for reading (and rightly so).
>> I think the krbPrincipalName attribute was used to check if Kerberos
>> credentials were assigned.
> Yes, that's right. We also use krbLastPwdChange for this purpose but
> the krbPrincipalName work predated this.
> We might need to revisit what I originally did which is why I think
> the patch is ok for now. For now, at least as far as I can tell, it
> just causes a strange message in ipa-join.
Yes, the one that I noticed yesterday stating that the principal exists.
OK, I am corrected; let us reopen the ticket.
> Freeipa-devel mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.