hi rob,

>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>> using ipa-getkeytab -r (since the keytab for the same user was already
>> retrieved on another host).
>>
>> when doing so, i get
>>
>> Failed to parse result: Insufficient access rights
>>
>> however, i can get the keytab without the -r option.
>>
>> anyone care to explain what access rights are required (or why this
>> error occurs)?
>
> Being able to retrieve an existing key means being able to read it which
> isn't granted by default.

ok, but why is a "regular" ipa-getkeytab no problem?

> It depends on how you want to grant this access: to this one user, to
> all users, to groups, etc.

i only need to get the user keytab on a few machines; i could probably scp it from one host to the other. but i assumed that ipa-getkeytab -r would do the same.

> The attribute you want is ipaProtectedOperation;read_keys but use it
> very carefully because you are granting read access to keys.

ok, i'll try to read a bit more about it first.

stijn

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project