Currently, in the com.redhat.idm.trust-fetch-domains, we chown the retrieved keytab to the sssd user:
    # Make sure SSSD is able to read the keytab
    sssd = pwd.getpwnam('sssd')
    os.chown(oneway_keytab_name, sssd[2], sssd[3])
However, if the sssd user does not exist, sssd is not running under the sssd user (and therefore cannot access the keytab). We should use root:root in such a case.
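One way to implement the fallback described above, as an added example that is not FreeIPA's own code. The function names `keytab_owner` and `hand_over_keytab` are hypothetical, and the `0600` mode and `O_NOFOLLOW` open are assumptions that go beyond what the ticket asks for.

```python
import os
import pwd


def keytab_owner(username="sssd", lookup=pwd.getpwnam):
    """Return (uid, gid) that should own the keytab.

    Uses the SSSD service account when it exists, otherwise root:root.
    `lookup` is injectable so the fallback can be exercised without
    touching the real passwd database.
    """
    try:
        entry = lookup(username)
    except KeyError:
        # pwd.getpwnam raises KeyError for an unknown account. Without
        # that account SSSD runs as root, so root must own the keytab.
        return 0, 0
    return entry.pw_uid, entry.pw_gid


def hand_over_keytab(path, username="sssd", lookup=pwd.getpwnam):
    """Give the keytab to the resolved owner and keep it owner-only."""
    uid, gid = keytab_owner(username, lookup)
    # Assumption: operate on a file descriptor opened with O_NOFOLLOW so
    # a symlink at the keytab path is rejected instead of followed.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # Assumption: a keytab holds long-term keys, so restrict it to
        # its owner before changing ownership.
        os.fchmod(fd, 0o600)
        os.fchown(fd, uid, gid)
    finally:
        os.close(fd)
    return uid, gid


if __name__ == "__main__":
    # Shows which owner would be chosen on this host.
    print("keytab owner (uid, gid):", keytab_owner())
```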
master:
ipa-4-2:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1246132
Metadata Update from @tbabej: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.2.1