On Mon, 05 Apr 2021, Peter Tselios via FreeIPA-users wrote:
> I cannot see the reply in the web, so, maybe I missed something.
I have recently seen some issues with deduplication, so I haven't seen my
responses on several lists either.
My response, however, did go to your personal email as CC: too.
> The fact that I need to authenticate in order to retrieve the keytab
> is obvious.
> Maybe in my OP I focused too much on the authentication method, but for
> me, the most important issue is the lack of an API call (and yes, I plan
> to submit an RFE for this). The GSSAPI support is very interesting and
> I will investigate it further; it looks very promising.
Regarding an RFE, depending on where you want to file it, I think we'll
reject it.
Adding keytab retrieval to the IPA API is not going to provide any
security on top of ipa-getkeytab use. In fact, it would actually
reduce it, because one more party would then have the key content
beyond the LDAP server's response to the ipa-getkeytab request. This is
certainly not going to be accepted.
If you want to have ansible-freeipa support for ipa-getkeytab, that is a
different story. I think it should be added there, indeed. It would
require a full (free)ipa-client package installation, not just
python3-ipalib, though.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
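As an added illustration of the approach the reply recommends, here is an Ansible playbook that wraps ipa-getkeytab on the enrolled client itself. This is not code from the thread and not part of ansible-freeipa; it assumes an enrolled client with the (free)ipa-client package installed (so ipa-getkeytab, kinit and klist exist at their usual Fedora/RHEL paths), a service principal that already has a key, and a dedicated Kerberos user that has been granted the retrieve-keytab permission and whose own keytab is present on the client. All host names, principals, users and paths are placeholders.

```yaml
# Added example, not ansible-freeipa code and not from the mailing-list thread.
# Assumed: enrolled IPA client with ipa-getkeytab/kinit/klist installed, a
# service principal that already has a key, and a fetching user that is allowed
# to retrieve it. All names and paths below are placeholders.
- name: Retrieve an existing service keytab with ipa-getkeytab (GSSAPI auth)
  hosts: ipaclients
  become: true
  vars:
    ipa_server: ipa.example.test                            # placeholder
    svc_principal: HTTP/web01.example.test@EXAMPLE.TEST     # placeholder
    keytab_path: /etc/httpd/http.keytab                     # placeholder
    fetch_user: keytab-fetcher                              # placeholder
    fetch_user_keytab: /root/keytab-fetcher.keytab          # placeholder
  tasks:
    # python3-ipalib alone does not ship ipa-getkeytab; the client package does.
    - name: Check that the IPA client tooling is present
      ansible.builtin.stat:
        path: /usr/sbin/ipa-getkeytab
      register: getkeytab_bin

    - name: Fail early if ipa-getkeytab is missing
      ansible.builtin.fail:
        msg: "ipa-getkeytab not found: install the (free)ipa-client package, python3-ipalib is not enough"
      when: not getkeytab_bin.stat.exists

    # Authentication: ipa-getkeytab uses GSSAPI when no -D bind DN is given,
    # so the fetching user needs a Kerberos ticket on this host first.
    - name: Obtain a Kerberos ticket for the fetching user
      ansible.builtin.command: kinit -k -t {{ fetch_user_keytab }} {{ fetch_user }}
      changed_when: false

    # Permission: the fetching user must be allowed to *retrieve* the key.
    # Granted once, as an IPA admin, with:
    #   ipa service-allow-retrieve-keytab HTTP/web01.example.test --users=keytab-fetcher
    # Without -r, ipa-getkeytab generates a new key and invalidates every
    # keytab the service already has; -r retrieves the current key instead.
    # The command runs on the target host, so the key travels only from the
    # LDAP server to the file on this host and never passes through the
    # Ansible controller.
    - name: Retrieve the existing key without rotating it
      ansible.builtin.command: >
        ipa-getkeytab -r -s {{ ipa_server }} -p {{ svc_principal }} -k {{ keytab_path }}
      args:
        creates: "{{ keytab_path }}"

    - name: Restrict keytab ownership and permissions
      ansible.builtin.file:
        path: "{{ keytab_path }}"
        owner: root
        group: apache
        mode: "0640"

    # klist -kt lists key version numbers and timestamps, which is enough to
    # confirm the retrieved key matches what the service already uses.
    - name: Verify the keytab contents
      ansible.builtin.command: klist -kt {{ keytab_path }}
      changed_when: false
      register: klist_out

    - name: Drop the fetching user's ticket cache when done
      ansible.builtin.command: kdestroy
      changed_when: false
```

The `creates:` argument keeps the play idempotent, so a re-run does not touch an existing keytab; if the service key is meant to be rotated, drop `-r` deliberately and redistribute the new keytab to every host that holds the old one.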