On Wed, Nov 25, 2015 at 09:54:13AM -0500, Simo Sorce wrote:
> On Wed, 2015-11-25 at 10:24 +0100, Sumit Bose wrote:
> > On Tue, Nov 24, 2015 at 02:42:32PM -0500, Simo Sorce wrote:
> > > For some time we have used the getkeytab operation to fetch keytabs on newer
> > > clients. According to bug #232 setkeytab can be used to circumvent
> > > password quality controls, so it needs to be slowly retired.
> >
> > ipasam uses this exop to create the cross-realm TGT principal objects,
> > krbtgt/DOM.A@DOM.B. What should be used instead to make sure that
> > setkeytab can safely be disabled?
>
> It must use the new getkeytab extended operation.
>
> Can you open a ticket to fix this and assign it to me?

Here you are: https://fedorahosted.org/freeipa/ticket/5495

bye,
Sumit

> Simo.
>
> > bye,
> > Sumit
> >
> > > The attached patches implement #5485 in 2 parts.
> > >
> > > The first introduces the option DisableSetKeytab which globally disables
> > > the setkeytab extended operation. This is set to false by default for
> > > backwards compatibility.
> > >
> > > The second introduces an option called DisableUserSetKeytab, which is
> > > active by default in new installs (but not in upgraded ones), and only
> > > disables the use of setkeytab for ipa users, but not for hosts/services.
> > > This is because users are the ones that may abuse the interface to
> > > escape password policies and users also normally do not acquire keytabs,
> > > so it is a safe bet to disable just them by default in new installs.
> > >
> > > (Testing in progress)
> > >
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
> >
> --
> Simo Sorce * Red Hat, Inc * New York
>
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
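The interaction between the two switches quoted above (DisableSetKeytab turning the extended operation off for everyone, DisableUserSetKeytab turning it off for user principals only, so hosts, services and the krbtgt/DOM.A@DOM.B objects ipasam creates are untouched) is easy to get wrong when deciding which default to ship. The following is an added example, not FreeIPA's code and not part of the thread: a small policy model that encodes those semantics as a decision function and lets you preview which callers a given setting would reject. Classifying principals by the shape of their name (single component = user, host/... = host, anything else with a slash = service) and the helper names are assumptions of this model.

```python
"""Decision model for the setkeytab gating described in the thread.

Added example, not FreeIPA's own code: it encodes the semantics of the two
options under discussion (DisableSetKeytab disables the extended operation for
everyone; DisableUserSetKeytab disables it only for user principals, leaving
hosts and services alone) as a plain policy function, so the effect of each
default can be reasoned about and unit-tested. Classifying principals by the
shape of their name is an assumption of this model, not something the thread
specifies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabPolicy:
    """The two server-side switches discussed in the thread."""
    disable_set_keytab: bool = False        # DisableSetKeytab
    disable_user_set_keytab: bool = False   # DisableUserSetKeytab


# Defaults as described: upgrades keep both off, new installs turn the
# user-only switch on.
UPGRADED_DEFAULT = KeytabPolicy()
NEW_INSTALL_DEFAULT = KeytabPolicy(disable_user_set_keytab=True)


def principal_kind(principal: str) -> str:
    """Classify a Kerberos principal name as 'user', 'host' or 'service'.

    Assumption of this model: a single-component name (alice@REALM) is a
    user; host/fqdn@REALM is a host; any other multi-component name, including
    the cross-realm TGT principal krbtgt/DOM.A@DOM.B that ipasam creates, is
    treated as a service.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    components = name.split("/")
    if len(components) == 1:
        return "user"
    if components[0] == "host":
        return "host"
    return "service"


def setkeytab_allowed(principal: str, policy: KeytabPolicy) -> tuple[bool, str]:
    """Decide whether a setkeytab request for `principal` passes the policy.

    Returns (allowed, reason). The global switch is checked first; the
    user-only switch applies after classifying the principal.
    """
    if policy.disable_set_keytab:
        return False, "DisableSetKeytab: setkeytab is off for all principals"
    kind = principal_kind(principal)
    if kind == "user" and policy.disable_user_set_keytab:
        return False, "DisableUserSetKeytab: user principals must use getkeytab"
    return True, f"setkeytab still permitted for {kind} principal"


def denied_requests(principals, policy: KeytabPolicy) -> list[tuple[str, str]]:
    """Return the (principal, reason) pairs a policy would reject, in order.

    Useful for previewing what flipping a switch would break: run the
    principals that currently call setkeytab through the candidate policy.
    """
    denied = []
    for p in principals:
        allowed, reason = setkeytab_allowed(p, policy)
        if not allowed:
            denied.append((p, reason))
    return denied


if __name__ == "__main__":
    # Constructed sample of callers: a user, a host, an HTTP service and the
    # cross-realm TGT principal mentioned in the thread.
    callers = [
        "alice@EXAMPLE.TEST",
        "host/ipa.example.test@EXAMPLE.TEST",
        "HTTP/ipa.example.test@EXAMPLE.TEST",
        "krbtgt/DOM.A@DOM.B",
    ]
    for label, pol in (("upgraded", UPGRADED_DEFAULT),
                       ("new install", NEW_INSTALL_DEFAULT),
                       ("fully disabled", KeytabPolicy(disable_set_keytab=True))):
        print(f"{label}: denied {denied_requests(callers, pol)}")
```

Running it with the new-install default shows only the user principal being refused while the host, service and krbtgt entries pass, which is the property the thread relies on; with the global switch on, the krbtgt principal is refused too, which is exactly why ipasam has to move to getkeytab before DisableSetKeytab can be turned on.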