On 15/05/2022 17:21, Sam Morris wrote:
> $ http -f https://ipa0.example.qq/ipa/session/login_password user=host/authtest.example.qq 'password=<new password>'

Well, this is strange. The above was tested on my home setup (FreeIPA 4.9.8 on RHEL 8). But at work (FreeIPA 4.6.8 on RHEL 7) when I make the call to log in to the API, I receive (unimportant headers skipped because I'm typing this by hand):

401 Unauthorized
X-IPA-Rejection-Reason: invalid-password

kinit: Client 'host\/authtest.example...@example.qq' not found in Kerberos database while getting initial credentials

I've traced this to a difference in the behaviour between RHEL 8 vs RHEL 7. On both systems, the FreeIPA API runs the same command:

/usr/bin/kinit host/authtest.example.qq -c [ccache path] -T [armor ccache path] -E

On the RHEL 8 server, this works. On the RHEL 7 server, the command fails before prompting for a password. The error message is the same as the one returned to the client above.

/var/log/krb5kdc.log has:

AS_REQ (...) <IP>: CLIENT_NOT_FOUND: host\/authtest.example...@example.qq for krb5tgt/example...@example.qq, Client not found in Kerberos database

The culprit appears to be the -E option, as when I run kinit without it, authentication works fine.

It's possible there's some other configuration difference between work and home that I'm not seeing. Unless you can think of anything, I guess I need to finally get around to setting up new IdM servers on RHEL 9... :)

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
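
Added example (not part of the message above, and not FreeIPA or MIT krb5 code): a simplified Python model of how a principal name is parsed with and without kinit's -E (enterprise name) option, which accounts for the `host\/` spelling in the error and KDC log quoted above, plus a scan of krb5kdc.log lines for that pattern. The realm EXAMPLE.QQ, the sample log lines and all function names are constructed for illustration.

```python
# Added illustration: simplified model of MIT krb5 name parsing and display.
# Backslash-escaped input is not handled; realm and log lines are constructed.
DEFAULT_REALM = "EXAMPLE.QQ"  # assumed default realm

def parse_principal(name, enterprise=False, default_realm=DEFAULT_REALM):
    """Return (components, realm) as parsed without or with kinit -E."""
    if enterprise:
        # Enterprise names are one component: '/' does not split, and the
        # first '@' is part of the name. Only a second '@' starts the realm.
        first_at = name.find("@")
        second_at = name.find("@", first_at + 1) if first_at != -1 else -1
        if second_at != -1:
            return [name[:second_at]], name[second_at + 1:]
        return [name], default_realm
    local, sep, realm = name.partition("@")
    return local.split("/"), (realm if sep else default_realm)

def unparse_principal(components, realm):
    """Render a principal the way error messages and krb5kdc.log show it."""
    def quote(part):
        # Backslash first, then the separators found inside a component.
        return part.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(quote(c) for c in components) + "@" + realm

def enterprise_style_misses(log_lines):
    """Clients of CLIENT_NOT_FOUND entries whose name has an escaped '/'."""
    hits = []
    for line in log_lines:
        if "CLIENT_NOT_FOUND:" not in line:
            continue
        client = line.split("CLIENT_NOT_FOUND:", 1)[1].split(" for ", 1)[0]
        if "\\/" in client:
            hits.append(client.strip())
    return hits

SAMPLE_LOG = [  # constructed lines in krb5kdc.log layout
    r"May 15 17:40:02 ipa0.example.qq krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) "
    r"192.0.2.10: CLIENT_NOT_FOUND: host\/authtest.example.qq@EXAMPLE.QQ for "
    r"krbtgt/EXAMPLE.QQ@EXAMPLE.QQ, Client not found in Kerberos database",
    r"May 15 17:41:10 ipa0.example.qq krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) "
    r"192.0.2.10: NEEDED_PREAUTH: host/authtest.example.qq@EXAMPLE.QQ for "
    r"krbtgt/EXAMPLE.QQ@EXAMPLE.QQ, Additional pre-authentication required",
]

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, unparse_principal(*parse_principal("host/authtest.example.qq", flag)))
    print(enterprise_style_misses(SAMPLE_LOG))
```

An escaped slash in a CLIENT_NOT_FOUND entry means the KDC looked the name up as a single-component enterprise name instead of the two-component host/ principal.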