On Wed, 28 Apr 2021, Dominik Vogt via FreeIPA-users wrote:
What is the correct way to disable "kinit admin" on all ipa clients? In our setup, becoming admin should only be possible on the ipa server. (Everything is done by scripts run through ssh; nobody ever logs in to the server directly.)
Kerberos principals for users are not tied to specific hosts. There is also nothing that does an explicit 'kinit admin' unless you do it yourself.
Anyone who is in possession of the 'admin' account password can ask to obtain a Kerberos ticket for this principal. There are no specific limitations to hosts where this could happen.