Files
freeipa/daemons
Alexander Bokovoy 00f8ddbfd2 ipa-kdb: add better detection of allowed user auth type
If default user authentication type is set to a list that does not
include a password or a hardened credential, the resulting configuration
might be incorrect for special service principals, including a krbtgt/..
one.

Add detection of special principals to avoid these situations and always
allow password or hardened for services.

Special handling is needed for the following principals:

 - krbtgt/..       -- TGT service principals
 - K/M             -- master key principal
 - kadmin/changepw -- service for changing passwords
 - kadmin/kadmin   -- kadmin service principal
 - kadmin/history  -- key used to encrypt history

Additionally, implicitly allow password or hardened credential use for
IPA services and IPA hosts since applications typically use keytabs for
that purpose.

Fixes: https://pagure.io/freeipa/issue/9485

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-12-22 10:34:19 +01:00
..
2023-01-10 08:30:58 +01:00
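
The rule described in the commit message above, as an added example that is not code from ipa-kdb or from the commit: the auth-type bit names, the function names and the `is_ipa_service_or_host` flag are hypothetical, and the sample principals are constructed. It assumes "always allow password or hardened" means adding both types to whatever the configured default is.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical auth-type bits for this example (not ipa-kdb's own names). */
enum auth_type { AUTH_PASSWORD = 1, AUTH_OTP = 2, AUTH_PKINIT = 4, AUTH_HARDENED = 8 };

/* Length of the name part: everything before the realm separator (last '@'). */
static size_t name_len(const char *princ)
{
    const char *at = strrchr(princ, '@');
    return at ? (size_t)(at - princ) : strlen(princ);
}

/* True for the special principals listed in the commit message. */
bool is_special_principal(const char *princ)
{
    static const char *const exact[] = {
        "K/M", "kadmin/changepw", "kadmin/kadmin", "kadmin/history",
    };
    size_t n = name_len(princ);

    /* krbtgt/<something>: require a non-empty component after the slash. */
    if (n > 7 && strncmp(princ, "krbtgt/", 7) == 0)
        return true;
    for (size_t i = 0; i < sizeof(exact) / sizeof(exact[0]); i++)
        if (strlen(exact[i]) == n && strncmp(princ, exact[i], n) == 0)
            return true;
    return false;
}

/* Auth types to enforce for a principal. Special principals, IPA services
 * and IPA hosts keep password and hardened even if the default omits them. */
unsigned effective_auth_types(const char *princ, bool is_ipa_service_or_host,
                              unsigned configured)
{
    if (is_special_principal(princ) || is_ipa_service_or_host)
        return configured | AUTH_PASSWORD | AUTH_HARDENED;
    return configured;
}

int main(void)
{
    /* Constructed sample principals; the configured default is OTP only. */
    const char *samples[] = { "alice@EXAMPLE.TEST", "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST", "K/M@EXAMPLE.TEST" };
    for (size_t i = 0; i < 3; i++)
        printf("%-34s 0x%x\n", samples[i], effective_auth_types(samples[i], false, AUTH_OTP));
    return 0;
}
```

With an OTP-only default, the user principal stays OTP-only while the TGT and master key principals still accept password or hardened credentials.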