Re: [Freeipa-users] Admin cannot retrieve keytab -- is that expected?
On Mon, Apr 17, 2017 at 04:49:59PM +0300, Alexander Bokovoy wrote:
> On Mon, 17 Apr 2017, Jan Pazdziora wrote:
> >
> > Hello,
> >
> > on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve
> > a new keytab for a service but they cannot retrieve the existing keys
> > with the -r option. Is that expected?
> Yes. Access to existing keys is intentionally restricted. There are
> additional commands that allow you to set up how to grant such access based
> on the management of a service. There is no way to set up a blank
> permission for that, though, as permission is based on the specific
> attributes in the service entry.
>
> # ipa service-add foobar/$(hostname)
> --
> Added service "foobar/nyx.xs.ipa.c...@xs.ipa.cool"
> --
> Principal name: foobar/nyx.xs.ipa.c...@xs.ipa.cool
> Principal alias: foobar/nyx.xs.ipa.c...@xs.ipa.cool
> Managed by: nyx.xs.ipa.cool
>
> # ipa service-allow-retrieve-keytab foobar/$(hostname) --groups=admins
> Principal name: foobar/nyx.xs.ipa.c...@xs.ipa.cool
> Principal alias: foobar/nyx.xs.ipa.c...@xs.ipa.cool
> Managed by: nyx.xs.ipa.cool
> Groups allowed to retrieve keytab: admins
> -
> Number of members added 1
> -
>
> # ipa service-show foobar/$(hostname) --all --raw|grep ipaAllowedToPerform
> ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool

Thank you,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Admin cannot retrieve keytab -- is that expected?
On Mon, 17 Apr 2017, Jan Pazdziora wrote:

> Hello,
>
> on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve
> a new keytab for a service but they cannot retrieve the existing keys
> with the -r option. Is that expected?

Yes. Access to existing keys is intentionally restricted. There are
additional commands that allow you to set up how to grant such access based
on the management of a service. There is no way to set up a blank
permission for that, though, as permission is based on the specific
attributes in the service entry.

# ipa service-add foobar/$(hostname)
--
Added service "foobar/nyx.xs.ipa.c...@xs.ipa.cool"
--
Principal name: foobar/nyx.xs.ipa.c...@xs.ipa.cool
Principal alias: foobar/nyx.xs.ipa.c...@xs.ipa.cool
Managed by: nyx.xs.ipa.cool

# ipa service-allow-retrieve-keytab foobar/$(hostname) --groups=admins
Principal name: foobar/nyx.xs.ipa.c...@xs.ipa.cool
Principal alias: foobar/nyx.xs.ipa.c...@xs.ipa.cool
Managed by: nyx.xs.ipa.cool
Groups allowed to retrieve keytab: admins
-
Number of members added 1
-

# ipa service-show foobar/$(hostname) --all --raw|grep ipaAllowedToPerform
ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool

This is all documented very well:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/retrieve-existing-keytabs.html

-- 
/ Alexander Bokovoy
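The answer above hinges on which principals are listed in the service entry's ipaAllowedToPerform;read_keys attribute, as opposed to write_keys (set by ipa service-allow-create-keytab) and the managing host. Below is an added Python example, not code from the thread or from FreeIPA, that parses the `ipa service-show --all --raw` output shown above and reports who may retrieve existing keys versus who may only create new ones; the sample output, the write_keys lines and the names web1/deployers are constructed, and the raw attribute names (managedby, the ;read_keys/;write_keys subtypes) are assumed to appear as in the thread.

```python
from collections import defaultdict
# Constructed sample in the layout of `ipa service-show --all --raw`; the
# write_keys lines and the host/group names not in the thread are made up.
SAMPLE_RAW = """\
krbprincipalname: foobar/nyx.xs.ipa.cool@XS.IPA.COOL
managedby: fqdn=nyx.xs.ipa.cool,cn=computers,cn=accounts,dc=xs,dc=ipa,dc=cool
ipaAllowedToPerform;read_keys: cn=admins,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool
ipaAllowedToPerform;write_keys: fqdn=web1.xs.ipa.cool,cn=computers,cn=accounts,dc=xs,dc=ipa,dc=cool
ipaAllowedToPerform;write_keys: cn=deployers,cn=groups,cn=accounts,dc=xs,dc=ipa,dc=cool
"""

def parse_raw(text):
    """Map each `attribute: value` line to {attribute.lower(): [values]};
    multi-valued attributes repeat the name once per value."""
    entry = defaultdict(list)
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if sep:
            entry[attr.strip().lower()].append(value.strip())
    return entry

def name_and_kind(dn):
    """Split a FreeIPA account DN into (short name, 'group'|'host'|'other')."""
    rdn, _, parent = dn.partition(",")
    name = rdn.split("=", 1)[-1]
    parent = parent.lower()
    if parent.startswith("cn=groups,cn=accounts,"):
        return name, "group"
    if parent.startswith("cn=computers,cn=accounts,"):
        return name, "host"
    return name, "other"

def keytab_access(entry):
    """Who may retrieve existing keys (read_keys only) vs. create new ones
    (write_keys plus the managing hosts). The admin role's right to create
    keys, seen in the thread, comes from its ACIs and is not derived here."""
    sources = {
        "retrieve": entry.get("ipaallowedtoperform;read_keys", []),
        "create": entry.get("ipaallowedtoperform;write_keys", [])
                  + entry.get("managedby", []),
    }
    access = {}
    for right, dns in sources.items():
        buckets = {"groups": set(), "hosts": set()}
        for dn in dns:
            name, kind = name_and_kind(dn)
            if kind != "other":
                buckets[kind + "s"].add(name)
        access[right] = {k: sorted(v) for k, v in buckets.items()}
    return access
```

Run against a freshly added service, as in the original question, the "retrieve" lists come back empty, which is exactly why ipa-getkeytab -r fails with "Insufficient access rights" until service-allow-retrieve-keytab has been used.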
[Freeipa-users] Admin cannot retrieve keytab -- is that expected?
Hello,

on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve
a new keytab for a service but they cannot retrieve the existing keys
with the -r option. Is that expected?

# kdestroy -A
# kinit admin
Password for ad...@example.test:
# ipa host-add test1.example.test --force
---
Added host "test1.example.test"
---
Host name: test1.example.test
Principal name: host/test1.example.t...@example.test
Principal alias: host/test1.example.t...@example.test
Password: False
Keytab: False
Managed by: test1.example.test
# ipa service-add HTTP/test1.example.test --force
Added service "HTTP/test1.example.t...@example.test"
Principal name: HTTP/test1.example.t...@example.test
Principal alias: HTTP/test1.example.t...@example.test
Managed by: test1.example.test
# ipa-getkeytab -p HTTP/test1.example.test -k /tmp/http.keytab
Keytab successfully retrieved and stored in: /tmp/http.keytab
# ipa-getkeytab -r -p HTTP/test1.example.test -k /tmp/http.keytab.1
Failed to parse result: Insufficient access rights
Failed to get keytab
#

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat