On 12/15/2017 12:52 PM, Stijn De Weirdt via FreeIPA-users wrote:
hi all,

i'm trying to retrieve an existing keytab from a user on a second host.
ipa-getkeytab on a first host worked fine.

but when i try to retrieve the keytab (using -r option) i get a
"Insufficient access rights" error (even when using admin credentials)

i looked into "ipa service-allow-retrieve-keytab", but it does not
accept the user principal (pretty normal since it's not a service i guess).

hints welcome!

stijn
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Hi,

if I recall correctly, cn=Directory Manager is the only user that can retrieve a keytab for a user. ipa-getkeytab -D "cn=Directory Manager" -w $PASSWORD ... should work.

And you are right, the CLI ipa {host|service}-allow-retrieve-keytab will assign rights to retrieve a host or service keytab, but not a user keytab.

Flo