Stijn De Weirdt wrote:
> hi rob,
>
>>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>>> using ipa-getkeytab -r (since the keytab for the same user was already
>>> retrieved on another host).
>>>
>>> when doing so, i get
>>>
>>> Failed to parse result: Insufficient access rights
>>>
>>> however, i can get the keytab without the -r option.
>>>
>>> anyone care to explain what access rights are required (or why this
>>> error occurs)?
>>
>> Being able to retrieve an existing key means being able to read it which
>> isn't granted by default.
> ok, but why is a "regular" ipa-getkeytab no problem?

Because writing keys is granted by default.

>>
>> It depends on how you want to grant this access: to this one user, to
>> all users, to groups, etc.
> i only need to get the user keytab on a few machines; i could probably
> scp it from one host to the other. but i assumed that ipa-getkeytab -r
> would do the same.
>
>>
>> The attribute you want is ipaProtectedOperation;read_keys but use it
>> very carefully because you are granting read access to keys.
> ok, i'll try to read a bit more about it first.

You may end up having to hand-write an ACI to handle this. Given you only
want to allow it for a few entries you can add the ACI directly under the
entries you want to allow reading to limit exposure.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
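A concrete form of the per-entry ACI Rob describes, added here as an example rather than taken from the thread or from FreeIPA itself: it grants one host the `ipaProtectedOperation;read_keys` right on a single user entry, so the exposure is limited to that entry and that reader. The user name, host name, realm and base DN are placeholders, and the DN layout assumes the default FreeIPA tree (`cn=users` / `cn=computers` under `cn=accounts`).

```ldif
# Constructed example: allow the host web2 to retrieve the keytab of the
# user "svcuser" with "ipa-getkeytab -r", and nothing more.
# The ACI is added to the user's own entry, so it cannot be abused to
# read any other principal's keys.
# Apply as an administrator, e.g.:
#   ldapmodify -Y GSSAPI -H ldaps://ipa.example.com -f allow-read-keys.ldif
#
# LDIF folds long values on lines that start with one space; that space
# is stripped on parsing, so a second space is kept here where the ACI
# grammar needs a separator.
dn: uid=svcuser,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="ipaProtectedOperation;read_keys")
  (version 3.0; acl "host web2 may retrieve the keytab of svcuser";
  allow (read)
  userdn="ldap:///fqdn=web2.example.com,cn=computers,cn=accounts,dc=example,dc=com";)
#
# For "a few machines", replace the userdn clause with a host group that
# contains exactly those hosts, e.g.:
#   groupdn="ldap:///cn=keytab-readers,cn=hostgroups,cn=accounts,dc=example,dc=com"
# so membership, not the ACI, is what changes when a machine is added.
```

On web2 the retrieval is then done with the host's own credentials (`kinit -k`, which uses /etc/krb5.keytab) followed by `ipa-getkeytab -r -s ipa.example.com -p svcuser -k /etc/svcuser.keytab`; any other host running the same command still gets "Insufficient access rights", which is the behaviour to verify after adding the ACI.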
