Stijn De Weirdt wrote:
> hi all,
> 
> (this is IPA 4.4.0-14.el7.centos.4)
> 
> i'm a bit puzzled by the following: i want to retrieve a user keytab
> using ipa-getkeytab -r (since the keytab for the same user was already
> retrieved on another host).
> 
> when doing so, i get
> 
> Failed to parse result: Insufficient access rights
> 
> however, i can get the keytab without the -r option.
> 
> anyone care to explain what access rights are required (or why this
> error occurs)?

Being able to retrieve an existing key means being able to read it which
isn't granted by default.

It depends on how you want to grant this access: to this one user, to
all users, to groups, etc.

The attribute you want is ipaProtectedOperation;read_keys but use it
very carefully because you are granting read access to keys.

rob
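
A sketch of the narrowest grant described above (one user, own keys only), added here as an example and not taken from the thread or from the FreeIPA project. It assumes the access is expressed as a 389-ds ACI on the user's own entry; the suffix `dc=example,dc=com` and the user `svcuser` are placeholders.

```ldif
# Added example. Placeholders: suffix dc=example,dc=com, user "svcuser".
# Assumption: read access to ipaProtectedOperation;read_keys on the target
# entry is what ipa-getkeytab -r is checked against, as the reply states.
#
# Scope: the ACI is attached to a single entry and names a single bind DN,
# so only svcuser can read back the existing keys of svcuser.
# Placing a similar ACI on the users container, or using groupdn instead of
# userdn, widens the grant to every entry below it or to every group member,
# which means every one of those identities can extract long-term keys.
dn: uid=svcuser,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "ipaProtectedOperation;read_keys")(version 3.0; acl "svcuser may retrieve own keytab keys"; allow (read) userdn = "ldap:///uid=svcuser,cn=users,cn=accounts,dc=example,dc=com";)
```

Apply it with `ldapmodify` bound as an account that is allowed to edit ACIs, and remove it with a matching `delete: aci` once the keytab has been retrieved.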
