The setkeytab extended operation has been superseeded by the getkeytab extended operation.
Add an option to allow disabling it, but set the current default to allow it, as this old method is still needed for older clients.
We just need the plumbing in place so that in future, we can flip the default to off and then "old" servers will understand it and turn this feature off too.
See also: https://fedorahosted.org/freeipa/ticket/5487
The ability to disable setkeytab for just users will also allow a staged approach, uses do not generally need to get keytabs.
The proposal is to have 2 options:
New defaults would be: DisableSetKeytab is not set, while DisableUserSetKeytab is set.
Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.5 backlog
to comment on this ticket.