hi flo,

thanks a lot, using directory manager works.

when did this change? i remember doing this several months ago, i can't
remember i had to do anything special back then?

in any case, thanks again

stijn

On 12/15/2017 02:32 PM, Florence Blanc-Renaud wrote:
> On 12/15/2017 12:52 PM, Stijn De Weirdt via FreeIPA-users wrote:
>> hi all,
>>
>> i'm trying to retrieve an existing keytab from a user on a second host.
>> ipa-getkeytab on a first host worked fine.
>>
>> but when i try to retrieve the keytab (using -r option) i get a
>> "Insufficient access rights" error (even when using admin credentials)
>>
>> i looked into "ipa service-allow-retrieve-keytab", but it does not
>> accept the user principal (pretty normal since it's not a service i
>> guess).
>>
>> hints welcome!
>>
>> stijn
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>>
> 
> Hi,
> 
> if I recall correctly, cn=Directory Manager is the only user that can
> retrieve a keytab for a user. ipa-getkeytab -D "cn=Directory Manager" -w
> $PASSWORD ... should work.
> 
> And you are right, the CLI ipa {host|service}-allow-retrieve-keytab will
> assign rights to retrieve a host or service keytab, but not a user keytab.
> 
> Flo
> 