[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

Rob Crittenden rcritten at redhat.com
Wed Jan 19 21:01:53 UTC 2011


Simo Sorce wrote:
> On Wed, 19 Jan 2011 15:22:22 -0500
> Dmitri Pal <dpal at redhat.com> wrote:
>
>> I thought that enrollment is based only on presence of the keytab.
>
> By keytab I guess you mean the krbPrincipalKey attribute.
> The presence of that attribute is unknown to all users except
> cn=Directory Manager and uid=kdc, so no user can check for its
> presence as our aci prevent any access for reading (and rightly so).
>
> I think the krbPrincipalName attribute was used to check if Kerberos
> credentials were assigned.
>
> Simo.
>

Yes, that's right. We also use krbLastPwdChange for this purpose but the 
krbPrincipalName work predated this.

We might need to revisit what I originally did, which is why I think the 
patch is ok for now. For now, at least as far as I can tell, it just 
causes a strange message in ipa-join.

rob



