On 08/04/2011 10:28 AM, Simo Sorce wrote:
> On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
>> On 08/04/2011 03:52 AM, Ondrej Valousek wrote:
>>> On 03.08.2011 23:52, Dmitri Pal wrote:
>>>> But this has not been even filed as an enhancement as no one cared about
>>>> such functionality until now.
>>>> What is your use case for this functionality?
>>> Actually, I do not need such a functionality. I was asking because I
>>> know Windows rotate keytabs so I was expecting IPA might as well.
>>> I guess there is no big press for it now but I would say in general
>>> we should support it as well - for security reasons if not for
>>> anything else.
>> I created a BZ. I am not sure certmonger is the right component.
>> But at least it will be on the plate of the right person to make the
>> decision and propose alternative approaches.
> SSSD is probably a more appropriate component for keytabs, given in the
> IPA case it is a primary user of the keytab for validation purposes.
Yes. Maybe it is SSSD. But maybe the Kerberos library should have a
way to rotate keytabs over the Kerberos protocol?
That would be even better as key rotation would then become a centrally
managed policy rather than triggered by a client.
The BZ will help me not to forget to start a broader discussion on the
matter when the time comes.
Sr. Engineering Manager IPA project,
Red Hat Inc.
Freeipa-users mailing list