On 31.08.2016 14:36, Martin Basti wrote:

On 26.07.2016 13:38, Simo Sorce wrote:
On Mon, 2016-07-25 at 11:26 -0400, Simo Sorce wrote:
On Mon, 2016-07-25 at 11:10 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
On Mon, 2016-07-25 at 10:55 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
As described in #232 start restricting the use of the setkeytab
operation to just the computer objects.

I haven't tested this with older RHEL/CentOS machines that actually use
the setkeytab operation as I do not have such an old VM handy right now.

Meanwhile I'd like to know if ppl agree with this approach.
What about services?
Do we automatically acquire keytab for services in the old clients?

Are you thinking about scripted ipa-getkeytab callouts?
You are limiting access to host keytabs, what about service keytabs?
Should they be or are they now similarly restricted?

Installers for something like Foreman may try to generate a service
keytab in its installer, probably using admin credentials. I am planning
to do the same in OpenStack.
Ok I'll amend the patch to allow service keytabs to still use the
setkeytab control, and restrict only users.
However note that the idea of using this method is that admin can change
this default on their own, so they can restrict more or less if they
want, to that end I need to remember how to set a default that we do not
override in the update file.


Amended patch to allow services too.
Only users are excluded.


bump for review

bump for review