On 24.11.2015 20:42, Simo Sorce wrote:
> For some time we have used the getkeytab operation to fetch keytabs on newer
> clients. According to bug #232, setkeytab can be used to circumvent
> password quality controls, so it needs to be slowly retired.
>
> The attached patches implement #5485 in 2 parts.
>
> The first introduces the option DisableSetKeytab, which globally disables
> the setkeytab extended operation. This is set to false by default for
> backwards compatibility.
>
> The second introduces an option called DisableUserSetKeytab, which is
> active by default in new installs (but not in upgraded ones), and only
> disables the use of setkeytab for IPA users, but not for hosts/services.
> This is because users are the ones that may abuse the interface to
> escape password policies, and users also normally do not acquire keytabs,
> so it is a safe bet to disable just them by default in new installs.
On a related note, how does this work with the plain kadmin & kpasswd protocols? Do I remember correctly that there is no way to download a keytab without re-generating it?

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
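The two options Simo describes above (DisableSetKeytab as a global switch, DisableUserSetKeytab as a user-only switch that is on by default only for new installs) amount to a small gate in front of the setkeytab extended operation. The following is an added example that models that gate in Python; it is not FreeIPA's own code and does not speak the LDAP extended operation. The class and function names (KeytabPolicy, principal_kind, setkeytab_allowed) are assumptions for illustration, as is the rule used to tell users from hosts/services: a principal with a single name component (alice@EXAMPLE.COM) is treated as a user, host/fqdn@REALM as a host, and any other multi-component principal as a service.

```python
"""Model of the proposed setkeytab policy (added example, not FreeIPA code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabPolicy:
    """The two configuration switches described in the thread."""
    disable_setkeytab: bool          # global: refuse setkeytab for everyone
    disable_user_setkeytab: bool     # refuse setkeytab for user principals only

    @classmethod
    def defaults(cls, upgraded_install: bool) -> "KeytabPolicy":
        # Proposed defaults: the global switch stays off for compatibility;
        # the user-only switch is on for fresh installs, off after an upgrade.
        return cls(disable_setkeytab=False,
                   disable_user_setkeytab=not upgraded_install)


def principal_kind(principal: str) -> str:
    """Classify a Kerberos principal as 'user', 'host' or 'service'.

    Assumed convention (not taken from the thread): single-component names
    are users, host/<fqdn> is a host, any other multi-component name is a
    service. Backslash-escaped '@' or '/' in names is not handled here.
    """
    if "@" not in principal:
        raise ValueError("principal must carry a realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    if not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    components = name.split("/")
    if len(components) == 1:
        return "user"
    if components[0] == "host" and len(components) == 2:
        return "host"
    return "service"


def setkeytab_allowed(policy: KeytabPolicy, principal: str):
    """Decide whether a setkeytab request for `principal` passes the gate.

    Returns (allowed, reason). The global switch is checked first so that it
    wins regardless of principal type; the user-only switch then refuses only
    user principals, leaving hosts and services able to keep using setkeytab.
    """
    if policy.disable_setkeytab:
        return False, "setkeytab disabled globally (DisableSetKeytab)"
    kind = principal_kind(principal)
    if kind == "user" and policy.disable_user_setkeytab:
        return False, "setkeytab disabled for user principals (DisableUserSetKeytab)"
    return True, "setkeytab permitted for %s principal" % kind


if __name__ == "__main__":
    # Constructed sample principals; the realm is illustrative.
    for upgraded in (False, True):
        pol = KeytabPolicy.defaults(upgraded_install=upgraded)
        print("upgraded install:", upgraded)
        for p in ("alice@EXAMPLE.COM",
                  "host/client.example.com@EXAMPLE.COM",
                  "HTTP/web.example.com@EXAMPLE.COM"):
            print("  %-40s %s" % (p, setkeytab_allowed(pol, p)))
```

The ordering matters for the security point made in the thread: the global switch is evaluated before principal classification, so a misclassified principal can never reopen setkeytab once DisableSetKeytab is set, while the user-only default in new installs closes the password-policy bypass for exactly the population that normally has no business fetching a keytab.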