Stijn De Weirdt wrote:
> hi all,
>
> (this is IPA 4.4.0-14.el7.centos.4)
>
> i'm a bit puzzled by the following: i want to retrieve a user keytab
> using ipa-getkeytab -r (since the keytab for the same user was already
> retrieved on another host).
>
> when doing so, i get
>
> Failed to parse result: Insufficient access rights
>
> however, i can get the keytab without the -r option.
>
> anyone care to explain what access rights are required (or why this
> error occurs)?

Being able to retrieve an existing key means being able to read it, which isn't granted by default. It depends on how you want to grant this access: to this one user, to all users, to groups, etc.

The attribute you want is ipaProtectedOperation;read_keys but use it very carefully because you are granting read access to keys.

rob