On 06/19/2012 02:12 PM, Stephen Ingram wrote:
> On Tue, Jun 19, 2012 at 9:55 AM, Simo Sorce <s...@redhat.com> wrote:
>> On Tue, 2012-06-19 at 09:15 -0700, Stephen Ingram wrote:
>>> On Tue, Jun 19, 2012 at 2:54 AM, Dmitri Pal <d...@redhat.com> wrote:
>>>> On 06/18/2012 11:58 AM, Darran Lofthouse wrote:
>>>>> Just experienced some weird behaviour on my Fedora 17 installation,
>>>>> just wanted to check if this was expected.
>>>>>
>>>>> I have the default config that requires a user to change their
>>>>> password the first time they run kinit.
>>>>>
>>>>> However I created a user and immediately used ipa-getkeytab as this
>>>>> user will be a non-interactive process; despite the ipa-getkeytab
>>>>> resetting the secret for the user, the first attempt at authentication
>>>>> failed as the user was still told to change their password.
>>>>>
>>>>
>>>> I do not think we have anticipated this use. The ipa-getkeytab is
>>>> designed for the host and service keytabs, not for users. I suggest that
>>>> you use a service principal rather than a user principal to run those jobs.
>>>> You can also file an RFE to allow keytabs for users if you think that
>>>> services would not work for you.
>>>>
>>>>> My expectation would have been that any update to the secret should
>>>>> meet the requirement for the user to change their password.
>>>
>>> Darran-
>>>
>>> I'm not sure if you went further with this, but if you do change the
>>> password through other means, you then will be able to get a copy of
>>> the keytab for the user with ipa-getkeytab. I tried it out because the
>>> thought of not being able to get a keytab for a user was concerning. I
>>> agree that the service keytabs make more sense for these instances (I
>>> was also told this by Simo in another thread), but I keep being told
>>> by the application people that I need to use a user principal, which,
>>> thankfully, works.
>>
>> Ask them why, I am curious about the requirement.
>
> I'm still waiting for responses. The only thing I've been told thus
> far is that since there are multiple processes authenticating to their
> respective servers, it might be difficult to direct each to the proper
> credential cache. If you use one user to auth to each server process
> then there is only one credential cache.
>
> Steve

This seems like an orthogonal problem. It does not matter if it is a service principal(s) or user principal(s). As long as a group of processes that are using the same principal are configured to use the same cache you should be OK.
-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
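The arrangement Dmitri describes, one credential cache shared by every process that runs under the same principal, as an added shell example that is not part of the thread. It uses a service principal, as recommended above, initialised non-interactively from a keytab; the keytab path, cache path, principal name, realm and worker names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Every worker that should act as the
# same identity is started with the same KRB5CCNAME, and that cache is
# (re)filled from a keytab with kinit -kt, so no interactive password change
# is ever involved. All paths, names and the realm are constructed placeholders.

CACHE="FILE:/run/batchjobs/krb5cc_batch"        # one shared cache file
KEYTAB="/etc/batchjobs/batch.keytab"            # keytab obtained with ipa-getkeytab
PRINC="batch/app01.example.com@EXAMPLE.COM"     # a service principal, not a user

# Obtain (or renew) the TGT for the shared identity from the keytab.
# kinit accepts a cache name with its type prefix, so the FILE: form is fine.
refresh_ticket() {
    kinit -kt "$KEYTAB" -c "$CACHE" "$PRINC"
}

# Start one worker with the shared cache pinned in its environment.
# The child inherits KRB5CCNAME, so every GSSAPI client in the group finds
# the same credentials no matter which server it authenticates to.
run_with_shared_cache() {
    KRB5CCNAME="$CACHE" "$@"
}

# Show which cache a worker launched this way actually sees; useful when
# checking that no worker silently fell back to the default per-uid cache.
worker_cache() {
    run_with_shared_cache sh -c 'printf "%s" "$KRB5CCNAME"'
}

# Only perform the real Kerberos operations when invoked as "run", so the
# functions above can be sourced and inspected without a KDC present.
if [ "${1:-}" = "run" ]; then
    refresh_ticket || exit 1
    run_with_shared_cache ./worker-a &
    run_with_shared_cache ./worker-b &
    wait
fi
```

Whether the principal is a user or a service makes no difference to this mechanism; what matters is that the processes which share the principal share the cache, and that something (a cron job or a wrapper like `refresh_ticket`) renews it before the ticket expires.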