On 08/04/2011 10:28 AM, Simo Sorce wrote:
> On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
>> On 08/04/2011 03:52 AM, Ondrej Valousek wrote:
>>> On 03.08.2011 23:52, Dmitri Pal wrote:
>>>> But this has not been even filed as an enhancement as no one cared about
>>>> such functionality until now.
>>>>
>>>> What is your use case for this functionality?
>>> Actually, I do not need such a functionality. I was asking because I
>>> know Windows rotates keytabs so I was expecting IPA might as well.
>>> I guess there is no big press for it now but I would say in general
>>> we should support it as well - for security reasons if not for
>>> anything else.
>>>
>> I created a BZ. I am not sure certmonger is the right component
>> https://bugzilla.redhat.com/show_bug.cgi?id=728263
>> But at least it will be on the plate of the right person to make the
>> decision and propose alternative approaches.
> SSSD is probably a more appropriate component for keytabs, given in the
> IPA case it is a primary user of the keytab for validation purposes.
>
> Simo.
>

Yes. Maybe it is SSSD. But maybe the Kerberos library should have a way
to rotate keytabs over the Kerberos protocol? That would be even better,
as key rotation would then become a centrally managed policy rather than
triggered by a client. The BZ will help me not to forget to start a
broader discussion on the matter when the time comes.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
