Oh ok, so I just need to create an IPA host and let the admin fetch its keytab on all real hosts running the service. Fair enough, thanks!
Btw, in the meantime I discovered that it is possible to retrieve a user's keytab with "ipa-getkeytab -r" if you authenticate as "cn=Directory Manager". Apparently, it has the rights to do this. But the only way then is by specifying its password on the command line with "ipa-getkeytab -w" (it doesn't support prompting you securely, like kinit or ldapsearch do). So it is NOT a good idea to do so, unless you then clean up your history etc. Better not :)

---
Regards,
Dmitry Perets

On Fri, 22 Nov 2019, 21:01 Alexander Bokovoy, <aboko...@redhat.com> wrote:

> On Fri, 22 Nov 2019, Charles Hedrick wrote:
> >Bound in the sense that it has the hostname as part of the principal,
> >not in the sense that there's any actual connection with that host when
> >you use it.
> >
> >Dmitry Perets wants to use the same principal and key table on several
> >hosts. They can simply create a principal for one of them. It and its
> >key table can be used anywhere. We do it regularly. I would prefer this
> >not to work, but it does.
>
> Correct. And it doesn't need any of the newer functionality too.
>
> >
> >On Nov 22, 2019, at 2:40 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> >
> >No, this is not really what it is. Service principals are always bound
> >to a host name but starting with FreeIPA 4.7.0 it is possible to create
> >service principals that have no host object with the same host name.
> >
> >
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
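The exposure Dmitry describes above (the Directory Manager password passed with `ipa-getkeytab -w`) is wider than shell history: for as long as the command runs, its argument list is readable by every local user via `ps` or `/proc`. The script below is an added example, not part of the thread and not FreeIPA code; it uses a harmless `sh -c 'sleep 5'` as a stand-in for `ipa-getkeytab` (assumption: no IPA server is available), a constructed placeholder password `Secret123`, and helper names (`argv_of`, `secret_on_argv`, `secret_on_stdin`, `read_secret`) that are mine. It shows the leak, and the general pattern that avoids it: deliver the secret on stdin (or via a tool's own prompt or password-file option), never on argv.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA. The command shape Dmitry
# describes (server, principal and keytab options assumed) is roughly:
#   ipa-getkeytab -r -s ipa.example.com -p alice -k alice.keytab \
#       -D 'cn=Directory Manager' -w 'Secret123'
# Everything after -w is visible in the process table to all local users
# while the command runs, and is recorded in shell history afterwards.
# A placeholder `sh -c 'sleep 5'` stands in for ipa-getkeytab here; only
# the argument list matters for the demonstration.

# Print the argument list of process $1, from /proc (Linux) or ps (portable).
argv_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1" 2>/dev/null
    fi
}

# $1 = secret, $2 = pid of a running child. Prints "exposed" if the secret
# appears in the child's argv, "hidden" if not, "unknown" if argv could not
# be read (no /proc and no ps). Then kills and reaps the child.
report_and_reap() {
    argv=$(argv_of "$2")
    if [ -z "$argv" ]; then
        r=unknown
    elif printf '%s\n' "$argv" | grep -qF -- "$1"; then
        r=exposed
    else
        r=hidden
    fi
    kill "$2" 2>/dev/null || true
    wait "$2" 2>/dev/null || true
    echo "$r"
}

# Pattern 1 (what -w does): the secret travels on argv.
secret_on_argv() {
    sh -c 'sleep 5' fake-ipa-getkeytab -D 'cn=Directory Manager' -w "$1" &
    report_and_reap "$1" $!
}

# Pattern 2: the secret travels on stdin; argv carries nothing sensitive.
# The stand-in child reads one line from stdin, as a password prompt would.
secret_on_stdin() {
    printf '%s\n' "$1" | sh -c 'read -r pw; sleep 5' fake-ipa-getkeytab -D 'cn=Directory Manager' &
    report_and_reap "$1" $!
}

# Read a password without echo when stdin is a terminal (the way kinit and
# ldapsearch -W prompt); otherwise read one line so scripts can pipe it in.
# (If interrupted between the two stty calls, run `stty echo` by hand.)
read_secret() {
    if [ -t 0 ]; then
        printf 'Bind password: ' >&2
        stty -echo; read -r pw; stty echo; printf '\n' >&2
    else
        read -r pw
    fi
    printf '%s' "$pw"
}

# Stand-alone demo with the constructed placeholder secret.
printf 'secret on argv:  %s\n' "$(secret_on_argv 'Secret123')"
printf 'secret on stdin: %s\n' "$(secret_on_stdin 'Secret123')"
```

Run it as `sh leak_check.sh`; the first line reports `exposed` and the second `hidden`. Cleaning up history after the fact does nothing about the `ps` window, so the only real fix is to keep the password off the command line: feed it through a prompt or stdin as `read_secret` does, or bind with Kerberos credentials instead of a password where the operation allows it.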