#7513 Allow Kerberos services to be members of IPA groups
Closed: fixed 6 years ago Opened 6 years ago by abbra.

Kerberos service principals in FreeIPA cannot be members of IPA groups. As a result, it is not possible to grant retrieval of a service keytab to another service.

Allow services to be members of the groups, like users and other groups can already be.

This is required for use cases where such services aren't associated with a particular host (and thus, the host object cannot be used to retrieve the keytabs) but represent purely client Kerberos principals to use in a dynamically generated environment such as Kubernetes.


Metadata Update from @fbarreto:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8

6 years ago

Metadata Update from @rcritten:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.8)

6 years ago

master:

  • 9e8fb94 service: allow creating services without a host to manage them
  • e642865 group: allow services as members of groups

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
