On Thu, 2017-04-06 at 22:18 +0200, Stijn De Weirdt wrote:
> hi rob,
>
> > > i'm a bit puzzled by the following: i want to retrieve a user
> > > keytab using ipa-getkeytab -r (since the keytab for the same user was
> > > already retrieved on another host).
> > >
> > > when doing so, i get
> > >
> > > Failed to parse result: Insufficient access rights
> > >
> > > however, i can get the keytab without the -r option.
> > >
> > > anyone care to explain what access rights are required (or why this
> > > error occurs)?
> >
> > Being able to retrieve an existing key means being able to read it,
> > which isn't granted by default.
>
> ok, but why is a "regular" ipa-getkeytab no problem?
A regular keytab fetch operation invalidates previously obtained keys, so
when that happens, if the owner has not done it, they figure it out pretty
quickly. Reading out keys leaves no traces, so that operation is restricted;
otherwise a rogue admin could exfiltrate all keys from a realm, undetected.

You should create a host group for each "cluster" of servers that need to
present the same identity, then allow this group read access to the specific
key you want them to access. Ideally using the host's key to fetch the shared
service key.

Simo.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
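The procedure Simo describes, as an added shell example that is not part of the thread and not FreeIPA's own code: an admin puts the cluster hosts in a host group and grants that group permission to retrieve (read) one shared service key; each member then authenticates with its own host key and fetches the existing key with ipa-getkeytab -r, so the key is not rotated out from under the other members. The realm, server, host group, host names and the HTTP/www.example.com service principal are assumptions, and the sample klist output is constructed; it follows Simo's suggestion of a shared service key and does not cover user principals.

```shell
#!/bin/sh
# Added example (not from the thread). All names below are assumptions.
set -eu

REALM="EXAMPLE.COM"              # assumed realm
IPA_SERVER="ipa.example.com"     # assumed IPA server
HOSTGROUP="webservers"           # assumed host group for the cluster
SERVICE="HTTP/www.example.com"   # assumed shared service principal
KEYTAB="/etc/httpd/krb5.keytab"  # where the service key is stored on each member

# Run once, as an IPA admin: group the cluster hosts, then allow the group to
# retrieve (read) the existing service key. Hosts outside the group still get
# "Insufficient access rights" with -r, which is the point of the restriction.
grant_retrieve() {
    ipa hostgroup-add "$HOSTGROUP" --desc "hosts sharing $SERVICE"
    ipa hostgroup-add-member "$HOSTGROUP" \
        --hosts=web1.example.com --hosts=web2.example.com
    ipa service-allow-retrieve-keytab "$SERVICE" --hostgroups="$HOSTGROUP"
    # Check: the service entry should now list the group under the
    # "allowed to retrieve keytab" attributes.
    ipa service-show "$SERVICE"
}

# Run on each cluster member: authenticate with the host's own key from
# /etc/krb5.keytab, then retrieve the existing service key. Without -r the
# key would be regenerated and the copy on the other members would break.
fetch_shared_key() {
    kinit -k "host/$(hostname -f)@$REALM"
    ipa-getkeytab -r -s "$IPA_SERVER" -p "$SERVICE@$REALM" -k "$KEYTAB"
}

# KVNO check: print the highest key version number for a principal in
# `klist -kt` output. A -r fetch leaves it unchanged; a plain fetch bumps it,
# which is how the owner of the key "figures it out pretty quickly".
# usage: klist -kt "$KEYTAB" | max_kvno "$SERVICE"
max_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $NF ~ ("^" p "@") { if ($1 + 0 > m) m = $1 + 0 }
        END { print m + 0 }'
}

# Constructed sample of `klist -kt` output (not real data), used only to
# demonstrate max_kvno offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/06/2017 22:18:00 HTTP/www.example.com@EXAMPLE.COM
   3 04/06/2017 22:18:00 HTTP/www.example.com@EXAMPLE.COM
   4 04/07/2017 09:00:00 HTTP/www.example.com@EXAMPLE.COM
   7 04/07/2017 09:00:00 host/web1.example.com@EXAMPLE.COM'

case "${1:-}" in
    grant) grant_retrieve ;;    # on an admin workstation with an admin ticket
    fetch) fetch_shared_key ;;  # on each member of the host group
    *) printf '%s\n' "$SAMPLE_KLIST" | max_kvno "$SERVICE" ;;   # prints 4
esac
```

Record the KVNO from `klist -kt` on the first member before any other member runs the fetch; if it changes, someone ran ipa-getkeytab without -r and the shared key has been rotated.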