hi all, we are looking how to configure whatever relevant policy to minimise the impact of compromised IPA hosts (ie servers with a valid host keytab).
in particular, it looks like it possible to retrieve any user token once you have access to a valid host keytab. we're aware that the default IPA policies are wide open, but we are looking how to limit this. for us, there's no need that a hostkeytab can retrieve tokens for anything except the services on that host. stijn -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
