On Wed, Apr 28, 2021 at 01:10:08PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Wed, 28 Apr 2021, Dominik Vogt via FreeIPA-users wrote:
> > What is the correct way to disable "kinit admin" on all ipa
> > clients? In our setup, becoming admin should only be possible on the
> > ipa server. (Everything is done by scripts run through ssh;
> > nobody ever logs in to the server directly.)
>
> Kerberos principals for users are not tied to specific hosts. There is
> also nothing that does an explicit 'kinit admin' unless you do it yourself.
>
> Anyone who is in possession of the 'admin' account password can ask to obtain
> a Kerberos ticket for this principal. There are no specific limitations
> to hosts where this could happen.

So there is no way to prevent someone from issuing an administrative ipa
command from any host, except by keeping the password secret?

Ciao

Dominik ^_^  ^_^

--
Dominik Vogt
