On freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve a
new keytab for a service but they cannot retrieve the existing keys
with the -r option. Is that expected?

# kdestroy -A
# kinit admin
Password for ad...@example.test: 
# ipa host-add test1.example.test --force
Added host "test1.example.test"
  Host name: test1.example.test
  Principal name: host/test1.example.t...@example.test
  Principal alias: host/test1.example.t...@example.test
  Password: False
  Keytab: False
  Managed by: test1.example.test
# ipa service-add HTTP/test1.example.test --force
Added service "HTTP/test1.example.t...@example.test"
  Principal name: HTTP/test1.example.t...@example.test
  Principal alias: HTTP/test1.example.t...@example.test
  Managed by: test1.example.test

# ipa-getkeytab -p HTTP/test1.example.test -k /tmp/http.keytab
Keytab successfully retrieved and stored in: /tmp/http.keytab

# ipa-getkeytab -r -p HTTP/test1.example.test -k /tmp/http.keytab.1
Failed to parse result: Insufficient access rights

Failed to get keytab

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
