On 15/05/2022 17:21, Sam Morris wrote:
    $ http -f https://ipa0.example.qq/ipa/session/login_password user=host/authtest.example.qq 'password=<new password>'

Well, this is strange. The above was tested on my home setup (FreeIPA
4.9.8 on RHEL 8). But at work (FreeIPA 4.6.8 on RHEL 7) when I make the
call to log in to the API, I receive (unimportant headers skipped
because I'm typing this by hand):

    401 Unauthorized
    X-IPA-Rejection-Reason: invalid-password

    <strong>kinit: Client 'host\/authtest.example...@example.qq' not
    found in Kerberos database while getting initial credentials
    </strong>

I've traced this to a difference in the behaviour between RHEL 8 vs RHEL
7. On both systems, the FreeIPA API runs the same command:

    /usr/bin/kinit host/authtest.example.qq -c [ccache path] -T [armor ccache path] -E

On the RHEL 8 server, this works. On the RHEL 7 server, the command
fails before prompting for a password. The error message is the same as
the one returned to the client above. /var/log/krb5kdc.log has:

    AS_REQ (...) <IP>: CLIENT_NOT_FOUND: host\/authtest.example...@example.qq for krb5tgt/example...@example.qq, Client not found in Kerberos database

The culprit appears to be the -E option, as when I run kinit without
it, authentication works fine.

It's possible there's some other configuration difference between work
and home that I'm not seeing. Unless you can think of anything, I guess
I need to finally get around to setting up new IdM servers on RHEL 9...
:)

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
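The `-E` difference described in the message, modelled as an added example (not code from this thread, nor from MIT krb5 or FreeIPA): an ordinary principal parse splits `host/authtest.example.qq` into two components, while the enterprise parse that `kinit -E` performs keeps the whole string as one component, which is why the KDC log shows the escaped `host\/...` form that must then be resolved by the KDC's enterprise-name handling instead of matching the host entry directly. The default realm EXAMPLE.QQ is an assumption.

```python
# Constructed model of MIT-style principal parsing/unparsing; it is not
# the krb5 library.  It only shows how the client name changes with -E.
DEFAULT_REALM = "EXAMPLE.QQ"  # assumed default realm of the IPA domain


def parse_principal(name, enterprise=False, default_realm=DEFAULT_REALM):
    """Return (components, realm) for a principal string.

    Ordinary parse: unescaped '/' separates components and the first
    unescaped '@' starts the realm.  Enterprise parse (kinit -E): '/' is
    literal and the first '@' belongs to the name; only a second
    unescaped '@' introduces a realm.  Backslash escapes the next char.
    """
    comps, cur, realm, at_seen, i = [], "", None, 0, 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            cur += name[i + 1]          # escaped character, taken literally
            i += 2
            continue
        if realm is not None:
            realm += ch                  # everything after the realm '@'
        elif ch == "@":
            at_seen += 1
            if enterprise and at_seen == 1:
                cur += ch                # part of the enterprise name itself
            else:
                comps.append(cur)
                cur, realm = "", ""
        elif ch == "/" and not enterprise:
            comps.append(cur)            # component separator
            cur = ""
        else:
            cur += ch
        i += 1
    if realm is None:                    # no realm given: use the default
        comps.append(cur)
        realm = default_realm
    return comps, realm


def unparse_principal(comps, realm):
    """Render components back to a string, escaping '/', '@' and '\\'."""
    esc = lambda s: "".join("\\" + c if c in "/@\\" else c for c in s)
    return "/".join(esc(c) for c in comps) + "@" + realm


def kdc_lookup_name(request_name, enterprise):
    """The client name string the KDC is asked to resolve in the AS-REQ."""
    return unparse_principal(*parse_principal(request_name, enterprise))
```

Running `kdc_lookup_name("host/authtest.example.qq", True)` reproduces the single-component `host\/authtest.example.qq@EXAMPLE.QQ` form seen in krb5kdc.log, while the same name without `-E` yields the two-component `host/authtest.example.qq@EXAMPLE.QQ` that matches the host entry.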
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org