Simo Sorce wrote:
On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
As described in #232 start restricting the use of the setkeytab
operation to just the computer objects.

I haven't tested this with older RHEL/CentOS machines that actually use
the setkeytab operation as I do not have such an old VM handy right now.

Meanwhile I'd like to know if ppl agree with this approach.

What about services?

Do we automatically acquire keytab for services in the old clients?

Are you thinking about scripted ipa-getkeytab callouts?

You are limiting access to host keytabs, what about service keytabs? Should they be or are they now similarly restricted?

Installers for something like Foreman may try to generate a service keytab in its installer, probably using admin credentials. I am planning to do the same in OpenStack.

rob
