Thx a lot. So we will export keytabs for our AD users.
Micha
On 23.11.18 at 16:25, Alexander Bokovoy via FreeIPA-users wrote:
Not possible in CentOS 7.
Possible in RHEL8 beta.
(Sorry for being short, I'm on the phone)
----- Michael Gusek via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Hi,
>
> we are running FreeIPA 4.5.4 on CentOS 7 with a one-way trust to an
> Active Directory. We want to allow AD users to retrieve a service keytab
> on FreeIPA managed hosts. AD users are linked to an external group, and
> this group to a FreeIPA group. We've created a service and allowed the
> FreeIPA group (for testing, the external group too) to retrieve the keytab. Now
> we logged in with AD credentials to a FreeIPA managed host, got a
> ticket with kinit user@AD-domain and tried to retrieve the keytab for the
> service, which runs into an error "Failed to parse result: Insufficient
> access rights". With a FreeIPA user, added to the FreeIPA group above, it
> works.
>
> So what are we missing here? Is it possible to retrieve service keytabs
> as a trusted AD user?
>
> Thanks.