Kerberos service principals in FreeIPA cannot be members of IPA groups. As a result, it is not possible to grant a retrieval of a service keytab to another service.
Allow services to be members of the groups, like users and other groups can already be.
This is required for use cases where such services aren't associated with a particular host (and thus, the host object cannot be used to retrieve the keytabs) but represent purely client Kerberos principals to use in a dynamically generated environment such as Kubernetes.
Metadata Update from @fbarreto: - Issue priority set to: normal - Issue set to the milestone: FreeIPA 4.8
Metadata Update from @rcritten: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.8)
master:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)