[Freeipa-users] Some questions regarding IPA, DNS and Samba4

Simo Sorce simo at redhat.com
Thu Aug 4 14:47:32 UTC 2011


On Thu, 2011-08-04 at 10:43 -0400, Dmitri Pal wrote:
> On 08/04/2011 10:28 AM, Simo Sorce wrote:
> > On Thu, 2011-08-04 at 10:25 -0400, Dmitri Pal wrote:
> >> On 08/04/2011 03:52 AM, Ondrej Valousek wrote: 
> >>> On 03.08.2011 23:52, Dmitri Pal wrote: 
> >>>> But this has not been even filed as an enhancement as no one cared about
> >>>> such functionality until now.
> >>>>
> >>>> What is your use case for this functionality?
> >>> Actually, I do not need such a functionality. I was asking because I
> >>> know Windows rotate keytabs so I was expecting IPA might as well.
> >>> I guess there is no big press for it now but I would say in general
> >>> we should support it as well - for security reasons if not for
> >>> anything else.
> >>>
> >> I created a BZ. I am not sure certmonger is the right component
> >> https://bugzilla.redhat.com/show_bug.cgi?id=728263
> >> But at least it will be on the plate of the right person to make the
> >> decision and propose alternative approaches. 
> > SSSD is probably a more appropriate component for keytabs, given in the
> > IPA case it is a primary user of the keytab for validation purposes.
> >
> > Simo.
> >
> Yes. Maybe it is SSSD. But maybe the kerberos library should have a
> way to rotate keytabs over the kerberos protocol?

Yes, it is called a password change, technically :)

> That would be even better as key rotation would then become a centrally
> managed policy rather than triggered by a client.

You cannot do it outside of a client; only the client has the original
key to do (and be able to receive on a secure channel) the password
change.

> The BZ will help me not to forget to start a broader discussion on the
> matter when time comes.

Ok.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
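The point above is that a rotation over the Kerberos protocol is a client-initiated password change, with the new key landing in the client's keytab. What that looks like on disk, and why the validator (the SSSD side of the keytab, in Simo's terms) needs the previous key version kept around, is shown by the added example below. It is not FreeIPA, SSSD or MIT code; the principal name, the timestamps and the key bytes are constructed, with random bytes standing in for whatever key the client obtained from the KDC exchange. The on-disk layout is the MIT keytab format version 0x0502 (big-endian, 32-bit kvno extension).

```python
"""Minimal MIT keytab (format version 0x0502) reader/writer illustrating what
a client-side key rotation changes on disk: a new entry with kvno+1 is
appended and the previous kvno is retained, so service tickets already
issued under the old key keep validating until they expire.

Added example, not FreeIPA/SSSD/MIT code. The new key is random bytes
standing in for the key the client obtained through its password-change
exchange with the KDC; principal names and timestamps are constructed.
"""
import os
import struct
import time

# enctype number -> raw key length; 17/18 are aes128/aes256-cts-hmac-sha1-96
ENCTYPE_KEYLEN = {17: 16, 18: 32}
NT_PRINCIPAL = 1


def _octets(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, off: int):
    n, = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def pack_entry(principal: str, kvno: int, enctype: int, key: bytes,
               timestamp: int = 0) -> bytes:
    """One entry: int32 size, uint16 ncomp, realm, components, uint32
    name_type, uint32 timestamp, uint8 vno8, keyblock, uint32 vno32."""
    if len(key) != ENCTYPE_KEYLEN[enctype]:
        raise ValueError("key length does not match enctype")
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    body += b"".join(_octets(c.encode()) for c in comps)
    body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)  # 32-bit kvno; overrides vno8 when non-zero
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        size, = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted (free) slot
            off += -size
            continue
        end = off + size
        ncomp, = struct.unpack_from(">H", data, off)
        realm, off = _read_octets(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_octets(data, off)
            comps.append(c)
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, = struct.unpack_from(">H", data, off)
        key, off = _read_octets(data, off + 2)
        kvno = vno8
        if off + 4 <= end:
            vno32, = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key, "timestamp": ts})
    return entries


def write_keytab(entries: list) -> bytes:
    return b"\x05\x02" + b"".join(
        pack_entry(e["principal"], e["kvno"], e["enctype"], e["key"], e["timestamp"])
        for e in entries)


def rotate(keytab: bytes, principal: str, enctype: int, new_key: bytes = None,
           keep: int = 2) -> bytes:
    """Append kvno+1 for `principal` and drop all but the newest `keep` kvnos.
    keep >= 2 is the safe minimum: tickets minted under the old key stay
    valid until they expire and must still decrypt."""
    entries = parse_keytab(keytab)
    current = max((e["kvno"] for e in entries if e["principal"] == principal), default=0)
    key = new_key if new_key is not None else os.urandom(ENCTYPE_KEYLEN[enctype])
    entries.append({"principal": principal, "kvno": current + 1, "enctype": enctype,
                    "key": key, "timestamp": int(time.time())})
    kept = [e for e in entries
            if e["principal"] != principal or e["kvno"] > current + 1 - keep]
    return write_keytab(kept)


def key_for_ticket(keytab: bytes, principal: str, ticket_kvno: int, enctype: int):
    """Validator side: pick the key whose kvno matches the incoming ticket."""
    for e in parse_keytab(keytab):
        if (e["principal"], e["kvno"], e["enctype"]) == (principal, ticket_kvno, enctype):
            return e["key"]
    return None


if __name__ == "__main__":
    princ = "host/client.example.test@EXAMPLE.TEST"  # constructed
    kt = b"\x05\x02" + pack_entry(princ, 1, 18, bytes(32), 1)
    kt = rotate(kt, princ, 18)
    print([(e["principal"], e["kvno"]) for e in parse_keytab(kt)])
```

Two rotations in a row show the retention rule: after the second one the keytab holds kvno 2 and 3, and a ticket still carrying kvno 1 no longer finds a key, which is the expected failure once the overlap window has passed.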