Re: [Freeipa-users] user keytab retrieval
On Thu, 2017-04-06 at 22:18 +0200, Stijn De Weirdt wrote:
> hi rob,
>
> > > i'm a bit puzzled by the following: i want to retrieve a user keytab
> > > using ipa-getkeytab -r (since the keytab for the same user was already
> > > retrieved on another host).
> > >
> > > when doing so, i get
> > >
> > > Failed to parse result: Insufficient access rights
> > >
> > > however, i can get the keytab without the -r option.
> > >
> > > anyone care to explain what access rights are required (or why this
> > > error occurs)?
> >
> > Being able to retrieve an existing key means being able to read it which
> > isn't granted by default.
>
> ok, but why is a "regular" ipa-getkeytab no problem?

A regular keytab fetch operation invalidates previously obtained keys, so
when that happens, if the owner has not done it, it figures out pretty
quickly.

Reading out keys leaves no traces, so that operation is restricted,
otherwise a rogue admin could exfiltrate all keys from a realm, undetected.

You should create a host-group for each "cluster" of servers that need to
present the same identity, then allow this group read to the specific key
you want them to access. Ideally using the host's key to fetch the shared
service key.

Simo.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] user keytab retrieval
Stijn De Weirdt wrote:
> hi rob,
>
>>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>>> using ipa-getkeytab -r (since the keytab for the same user was already
>>> retrieved on another host).
>>>
>>> when doing so, i get
>>>
>>> Failed to parse result: Insufficient access rights
>>>
>>> however, i can get the keytab without the -r option.
>>>
>>> anyone care to explain what access rights are required (or why this
>>> error occurs)?
>>
>> Being able to retrieve an existing key means being able to read it which
>> isn't granted by default.
> ok, but why is a "regular" ipa-getkeytab no problem?

Because writing keys is granted by default.

>>
>> It depends on how you want to grant this access: to this one user, to
>> all users, to groups, etc.
> i only need to get the user keytab on a few machines; i could probably
> scp it from one host to the other. but i assumed that ipa-getkeytab -r
> would do the same.
>
>>
>> The attribute you want is ipaProtectedOperation;read_keys but use it
>> very carefully because you are granting read access to keys.
> ok, i'll try to read a bit more about it first.

You may end up having to hand-write an ACI to handle this. Given you only
want to allow it for a few entries you can add the ACI directly under the
entries you want to allow reading to limit exposure.

rob
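An added example (not from the thread or the FreeIPA project) of the hand-written ACI Rob describes, scoped the way Simo suggests: one host group gets read access to one user's keys, placed directly on that user's entry. The realm suffix, the user uid and the host-group name are placeholders.

```ldif
# Added example, not from the thread: allow members of the host group
# "webcluster" to read the Kerberos keys of user "svcuser", which is the
# permission ipa-getkeytab -r needs (ipaProtectedOperation;read_keys).
#
# Assumptions (placeholders): suffix dc=example,dc=test, user svcuser,
# host group webcluster. Hosts authenticate with their own host keytab
# (kinit -kt /etc/krb5.keytab) before running ipa-getkeytab -r, so the
# host principal is the bind DN the groupdn clause is matched against.
#
# Apply as an IPA admin, e.g.:
#   ldapmodify -Y GSSAPI -H ldap://ipa.example.test -f allow-read-keys.ldif
dn: uid=svcuser,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
add: aci
aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow webcluster hosts to retrieve svcuser keytab"; allow(read) groupdn="ldap:///cn=webcluster,cn=hostgroups,cn=accounts,dc=example,dc=test";)
```

Placing the ACI on the single user entry rather than on cn=users limits exposure to that one key; since a read leaves no trace, the host group's membership is the only control, so keep it small and review it. Revoke by deleting the same aci value from the entry.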
Re: [Freeipa-users] user keytab retrieval
hi rob,

>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>> using ipa-getkeytab -r (since the keytab for the same user was already
>> retrieved on another host).
>>
>> when doing so, i get
>>
>> Failed to parse result: Insufficient access rights
>>
>> however, i can get the keytab without the -r option.
>>
>> anyone care to explain what access rights are required (or why this
>> error occurs)?
>
> Being able to retrieve an existing key means being able to read it which
> isn't granted by default.

ok, but why is a "regular" ipa-getkeytab no problem?

>
> It depends on how you want to grant this access: to this one user, to
> all users, to groups, etc.

i only need to get the user keytab on a few machines; i could probably
scp it from one host to the other. but i assumed that ipa-getkeytab -r
would do the same.

>
> The attribute you want is ipaProtectedOperation;read_keys but use it
> very carefully because you are granting read access to keys.

ok, i'll try to read a bit more about it first.

stijn
Re: [Freeipa-users] user keytab retrieval
Stijn De Weirdt wrote:
> hi all,
>
> (this is IPA 4.4.0-14.el7.centos.4)
>
> i'm a bit puzzled by the following: i want to retrieve a user keytab
> using ipa-getkeytab -r (since the keytab for the same user was already
> retrieved on another host).
>
> when doing so, i get
>
> Failed to parse result: Insufficient access rights
>
> however, i can get the keytab without the -r option.
>
> anyone care to explain what access rights are required (or why this
> error occurs)?

Being able to retrieve an existing key means being able to read it which
isn't granted by default.

It depends on how you want to grant this access: to this one user, to
all users, to groups, etc.

The attribute you want is ipaProtectedOperation;read_keys but use it
very carefully because you are granting read access to keys.

rob
[Freeipa-users] user keytab retrieval
hi all,

(this is IPA 4.4.0-14.el7.centos.4)

i'm a bit puzzled by the following: i want to retrieve a user keytab
using ipa-getkeytab -r (since the keytab for the same user was already
retrieved on another host).

when doing so, i get

Failed to parse result: Insufficient access rights

however, i can get the keytab without the -r option.

anyone care to explain what access rights are required (or why this
error occurs)?

many thanks,

stijn