Stijn De Weirdt wrote:
> hi rob,
>>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>>> using ipa-getkeytab -r (since the keytab for the same user was already
>>> retrieved on another host).
>>> when doing so, i get
>>> Failed to parse result: Insufficient access rights
>>> however, i can get the keytab without the -r option.
>>> anyone care to explain what access rights are required (or why this
>>> error occurs)?
>> Being able to retrieve an existing key means being able to read it which
>> isn't granted by default.
> ok, but why is a "regular" ipa-getkeytab no problem?

Because writing keys is granted by default.

>> It depends on how you want to grant this access: to this one user, to
>> all users, to groups, etc.
> i only need to get the user keytab on a few machines; i could probably
> scp it from one host to the other. but i assumed that ipa-getkeytab -r
> would do the same.
>> The attribute you want is ipaProtectedOperation;read_keys but use it
>> very carefully because you are granting read access to keys.
> ok, i'll try to read a bit more about it first.

You may end up having to hand-write an ACI to handle this. Given you
only want to allow it for a few entries you can add the ACI directly
under the entries you want to allow reading to limit exposure.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to