On 1.12.2015 09:21, Alexander Bokovoy wrote:
> On Tue, 01 Dec 2015, Petr Spacek wrote:
>> On 24.11.2015 20:42, Simo Sorce wrote:
>>> Since some time we use the getkeytab operation to fetch keytabs on newer
>>> clients. According to bug #232 setkeytab can be used to circumvent
>>> password quality controls so it needs to be slowly retired.
>>> The attached patches implement #5485 in 2 parts.
>>> The first introduces the option DisableSetKeytab which globally disables
>>> the setkeytab extended operation. This is set to false by default for
>>> backwards compatibility.
>>> The second introduces an option called DisableUserSetKeytab, which is
>>> active by default in new installs (but not in upgraded ones), and only
>>> disables the use of setkeytab for ipa suers, but not for hosts/services.
>>> This is because user's are the ones that may abuse the interface to
>>> escape password policies and users also normally do not acquire keytabs,
>>> so it is a safe bet to disable just them by default in new installs.
>> On a related note, how this works with plain kadmin & kpasswd protocols?
> It is unrelated. We don't support principal manipulation via kadmin
> protocol.

Sure, I know that, but I'm trying to find out if we re-invented the wheel or
if our wheel has some additional features which cannot be incorporated to the
original wheel :-)

>> Do I remember correctly that there is no way to download keytab without
>> re-generating it?
> New keytab extended operation allows retrieval without re-generation
> since FreeIPA 4.0. See http://www.freeipa.org/page/V4/Keytab_Retrieval
> and http://www.freeipa.org/page/V4/Keytab_Retrieval_Management

Sure, I was talking about the original kadmin/kpasswd protocols.

Petr^2 Spacek

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to