hi all,
I'm trying to retrieve an existing keytab for a user on a second host. ipa-getkeytab on a first host worked fine.
But when I try to retrieve the keytab (using the -r option) I get an "Insufficient access rights" error (even when using admin credentials).
I looked into "ipa service-allow-retrieve-keytab", but it does not accept the user principal (pretty normal since it's not a service, I guess).
Hints welcome!
stijn
On 12/15/2017 12:52 PM, Stijn De Weirdt via FreeIPA-users wrote:
> hi all,
> I'm trying to retrieve an existing keytab for a user on a second host. ipa-getkeytab on a first host worked fine.
> But when I try to retrieve the keytab (using the -r option) I get an "Insufficient access rights" error (even when using admin credentials).
> I looked into "ipa service-allow-retrieve-keytab", but it does not accept the user principal (pretty normal since it's not a service, I guess).
> Hints welcome!
> stijn
Hi,
If I recall correctly, cn=Directory Manager is the only user that can retrieve a keytab for a user. ipa-getkeytab -D "cn=Directory Manager" -w $PASSWORD ... should work.
And you are right, the CLI ipa {host|service}-allow-retrieve-keytab will assign rights to retrieve a host or service keytab, but not a user keytab.
Flo
hi Flo,
Thanks a lot, using Directory Manager works.
When did this change? I remember doing this several months ago; I can't remember having to do anything special back then.
In any case, thanks again.
stijn
On 12/15/2017 02:32 PM, Florence Blanc-Renaud wrote:
> On 12/15/2017 12:52 PM, Stijn De Weirdt via FreeIPA-users wrote:
>> hi all,
>> I'm trying to retrieve an existing keytab for a user on a second host. ipa-getkeytab on a first host worked fine.
>> But when I try to retrieve the keytab (using the -r option) I get an "Insufficient access rights" error (even when using admin credentials).
>> I looked into "ipa service-allow-retrieve-keytab", but it does not accept the user principal (pretty normal since it's not a service, I guess).
>> Hints welcome!
>> stijn
> Hi,
> If I recall correctly, cn=Directory Manager is the only user that can retrieve a keytab for a user. ipa-getkeytab -D "cn=Directory Manager" -w $PASSWORD ... should work.
> And you are right, the CLI ipa {host|service}-allow-retrieve-keytab will assign rights to retrieve a host or service keytab, but not a user keytab.
> Flo
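The invocation the thread settles on, as an added example that is not part of the original messages or of FreeIPA itself: a small POSIX sh wrapper that builds the ipa-getkeytab command for retrieve mode (-r) and binds as cn=Directory Manager only for user principals, while host/service principals use the caller's Kerberos ticket (the default when no -D is given). The principal names, realm and keytab paths in the usage line are placeholders; the -W flag (prompt for the LDAP password instead of passing it with -w) is the one documented in the ipa-getkeytab man page. Two practitioner caveats are encoded in the comments: -r is what keeps the existing key, since ipa-getkeytab without -r generates a new key and invalidates every keytab previously issued for that principal (the one on the first host included); and the Directory Manager password is the most privileged credential in the deployment, so it should not appear on a command line where ps or shell history can capture it.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Wraps ipa-getkeytab so
# that the retrieve (-r) case binds the way the thread settled on: a user
# principal can only be read back by cn=Directory Manager, while host/service
# principals can use the caller's Kerberos ticket once
# ipa {host|service}-allow-retrieve-keytab has granted the retrieving host.
# Principal names and keytab paths in the usage line are placeholders.

# Reject anything that is not a plain Kerberos principal before it reaches
# eval below; this is what keeps a hostile $1 from becoming a shell command.
valid_principal() {
    case $1 in
        ''|*[!A-Za-z0-9@._/-]*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ipa-getkeytab command for retrieving PRINCIPAL into KEYTAB.
# A principal without a '/' (user@REALM) is treated as a user principal.
# -r keeps the existing key: without it ipa-getkeytab generates a fresh key
# and invalidates every keytab previously issued for that principal.
getkeytab_cmd() {
    principal=$1
    keytab=$2
    valid_principal "$principal" || { echo "invalid principal: $principal" >&2; return 1; }
    case $principal in
        */*)
            # host/service principal: GSSAPI bind with the current ticket
            printf 'ipa-getkeytab -r -p %s -k %s\n' "$principal" "$keytab"
            ;;
        *)
            # user principal: simple bind as Directory Manager.
            # -W prompts for the password; -w would leave it visible in ps
            # output and in shell history.
            printf 'ipa-getkeytab -r -D "cn=Directory Manager" -W -p %s -k %s\n' "$principal" "$keytab"
            ;;
    esac
}

# Run the retrieval and confirm the principal landed in the keytab.
# Set DRY_RUN=1 to only print the command (no IPA server needed).
retrieve_keytab() {
    cmd=$(getkeytab_cmd "$1" "$2") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    eval "$cmd" || return 1
    klist -kt "$2" | grep -q "$1"
}

# Usage (placeholder principal and path): retrieve a user's existing keytab
# on the second host, then verify it with klist.
#   retrieve_keytab stijn@EXAMPLE.COM /root/stijn.keytab
```

The wrapper deliberately has no path for "user principal with admin credentials": as the thread shows, that bind gets "Insufficient access rights", and there is no ipa user-allow-retrieve-keytab command to delegate it, so the Directory Manager bind is the only option the page supports.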