The new getkeytab interface uses ACIs based on the ipaProtectedoperation attribute.
The "Manage Host Keytab" Permission should be changed to also use the getkeytab operation in addition to the classic permission to write krbPrincipalKey, in order to allow new clients to use the getkeytab operation in preference.
Eventually we should drop support for setkeytab completely, but this is the first step to get there.
See also: https://fedorahosted.org/freeipa/ticket/5485
Metadata Update from @simo: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.5 backlog
Login to comment on this ticket.