Hello,

on freeipa-server-4.4.4-1.fc25.x86_64, admin can generate and retrieve a new keytab for a service but they cannot retrieve the existing keys with the -r option. Is that expected?

# kdestroy -A
# kinit admin
Password for ad...@example.test:
# ipa host-add test1.example.test --force
-------------------------------
Added host "test1.example.test"
-------------------------------
  Host name: test1.example.test
  Principal name: host/test1.example.t...@example.test
  Principal alias: host/test1.example.t...@example.test
  Password: False
  Keytab: False
  Managed by: test1.example.test
# ipa service-add HTTP/test1.example.test --force
----------------------------------------------------
Added service "HTTP/test1.example.t...@example.test"
----------------------------------------------------
  Principal name: HTTP/test1.example.t...@example.test
  Principal alias: HTTP/test1.example.t...@example.test
  Managed by: test1.example.test
# ipa-getkeytab -p HTTP/test1.example.test -k /tmp/http.keytab
Keytab successfully retrieved and stored in: /tmp/http.keytab
# ipa-getkeytab -r -p HTTP/test1.example.test -k /tmp/http.keytab.1
Failed to parse result: Insufficient access rights

Failed to get keytab
#

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat