On Fri, 2014-06-13 at 14:04 -0400, Simo Sorce wrote:
> On Fri, 2014-06-13 at 12:54 -0400, Rob Crittenden wrote:
> > Simo Sorce wrote:
> > > On Wed, 2014-06-11 at 17:03 -0400, Rob Crittenden wrote:
> > >> 0001
> > >>
> > >> When is_allowed_to_access_attr() fails it should include the value of
> > >> access in the error log for debugging.
> > >
> > > Ok added more detailed logging
> > >
> > >> Nit: Coluld not fetch REALM backend
> > >
> > > Fixed
> > >
> > >> There are still a ton of "ber_scanf failed" duplicated fatal errors. I'm
> > >> fine keeping a common err_msg but the fatal error should be unique.
> > >
> > > Yeah thanks to this comment, I had a small change of heart.
> > > Instead of sending such detailed information to clients I reverted to
> > > send a little less information to the clients and instead LOG_FATAL in a
> > > more detailed way. HTH
> > >
> > >> This breaks normal host delegation. If you add a host to another host's
> > >> managedby, getting the keytab will fail. This is due to:
> > >>
> > >> [11/Jun/2014:16:56:45 -0400] NSACLPlugin - conn=4 op=3 (main): Deny
> > >> write on
> > >> entry(fqdn=client2.example.com,cn=computers,cn=accounts,dc=example,dc=com).attr(ipaProtectedOperation;write_keys)
> > >> to fqdn=client1.example.com,cn=computers,cn=accounts,dc=example,dc=com:
> > >> no aci matched the subject by aci(97): aciname= "Groups allowed to
> > >> create keytab keys", acidn="cn=accounts,dc=example,dc=com"
> > >
> > > Ok this should be working now, I added a new ACI to allow also
> > > managedby#USERDN to operate on keytabs.
> > >
> > > New patches attached.
> >
> > Functionally these seem to work ok. I think there should be some
> > documented way to enable the -r in ipa-getkeytab. Right now I'm not even
> > entirely sure how one would add a permission to do so.
> >
> > rob
> >
>
> ATM the only way is to add the ipaAllowedOperations objectclass to the
> object you want to allow retrieving a keytab from and the
> ipaAllowedToPerform;read_key attribute
>
> Example:
> dn: test/foo.example....@example.com,cn=services,cn=accounts,dc=example,dc=com
> changetype: modify
> add: objectclass
> objectclass: ipaAllowedOperations
> -
> add: ipaAllowedToPerform;read_key
> ipaAllowedToPerform;read_key: uid=cluster-admin,cn=users,cn=accounts,dc=example,dc=com
>
> Once you do this the user called cluster-admin will be allowed to
> retrieve the keytab w/o changing it.
>
> Of course you can list there a group or another host/service DN.
Doh, I realized we haven't created a feature page for this, I am going to
create one now, so that the UI work we'll need in future can look it up and
information like the above is registered.

Will be available here:
http://www.freeipa.org/page/V4/Keytab_Retrieval

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
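An added example, not FreeIPA code and not from anyone in this thread: it generates the LDIF modify that the quoted mail describes (add the ipaAllowedOperations objectclass plus an ipaAllowedToPerform;read_key value naming the DN that may fetch the keytab without regenerating it) and sanity-checks the record before it is handed to ldapmodify. The helper names build_grant_ldif and check_grant_ldif and the sample DNs are made up for the example; the objectclass and attribute names are the ones given in the mail.

```python
"""Build and check an LDIF modify that grants keytab retrieval (ipa-getkeytab -r).

Added example, not FreeIPA project code. Helper names and sample DNs are
constructed; OBJECTCLASS and ATTR are spelled as in the mailing-list thread.
"""

OBJECTCLASS = "ipaAllowedOperations"
# Attribute subtype as named in the thread. The draft LDIF in the mail mixed
# "read_key" and "reasd_key", which is exactly the kind of slip checked below.
ATTR = "ipaAllowedToPerform;read_key"


def build_grant_ldif(target_dn, grantee_dns):
    """Return one LDIF modify record that lets every DN in grantee_dns
    (a user, group, host or service DN) retrieve the keytab of target_dn."""
    lines = [
        f"dn: {target_dn}",
        "changetype: modify",
        "add: objectclass",
        f"objectclass: {OBJECTCLASS}",
        "-",
        f"add: {ATTR}",
    ]
    lines += [f"{ATTR}: {dn}" for dn in grantee_dns]
    lines.append("")  # blank line terminates the record
    return "\n".join(lines)


def check_grant_ldif(ldif_text):
    """Return a list of problems found in a modify record ([] when it looks right).

    Two checks: every value line inside an add:/replace:/delete: change must name
    the same attribute as the change header, and if ipaAllowedToPerform;read_key
    is added the ipaAllowedOperations objectclass must be added too, since the
    attribute is only permitted by that objectclass.
    """
    problems = []
    change_attr = None
    changed_attrs = set()
    objectclasses = set()
    for lineno, line in enumerate(ldif_text.splitlines(), 1):
        if line.startswith(" "):
            continue  # LDIF continuation line, belongs to the previous value
        if line in ("-", ""):
            change_attr = None  # end of one change within the record
            continue
        if line.startswith(("add: ", "replace: ", "delete: ")):
            change_attr = line.split(": ", 1)[1].strip()
            changed_attrs.add(change_attr.lower())
            continue
        if ":" not in line:
            problems.append(f"line {lineno}: not an attribute line: {line!r}")
            continue
        attr, value = (part.strip() for part in line.split(":", 1))
        if change_attr is not None and attr.lower() != change_attr.lower():
            problems.append(
                f"line {lineno}: attribute {attr!r} does not match change "
                f"header {change_attr!r}")
        if attr.lower() == "objectclass":
            objectclasses.add(value.lower())
    if ATTR.lower() in changed_attrs and OBJECTCLASS.lower() not in objectclasses:
        problems.append(f"{ATTR} added without the {OBJECTCLASS} objectclass")
    return problems


if __name__ == "__main__":
    # Constructed sample DNs for illustration only.
    ldif = build_grant_ldif(
        "krbprincipalname=HTTP/web1.example.com@EXAMPLE.COM,"
        "cn=services,cn=accounts,dc=example,dc=com",
        ["uid=cluster-admin,cn=users,cn=accounts,dc=example,dc=com"])
    print(ldif)
    print("problems:", check_grant_ldif(ldif))
```

The record printed by build_grant_ldif can be piped straight into ldapmodify; running check_grant_ldif over a hand-written record first catches the mismatched attribute name that would otherwise make the server reject the whole change.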