On Tue, Sep 05, 2023 at 07:22:51PM +0100, Sam Morris via FreeIPA-users wrote:
> On Tue, Sep 05, 2023 at 08:14:28PM +0300, Alexander Bokovoy via FreeIPA-users
> wrote:
> > Since you are saying it started after May 2023, that might actually be
> > the 4.9.11 change. This would affect services which have no constrained
> > delegation rules defined.
>
> I guess that explains why, if I kinit with e.g.
> host/ipa3.ipa.example.com, I can make IPA API calls just fine. It's only
> if I kinit as a non-IPA-server host or service that I see these errors.
Actually there could be something else going on here. I wanted to see
what would happen if I copied the keytab for
HTTP/hitron-exporter.ipa.example.com to ipa5 and ipa6, ran kinit over
there, then copied the ccaches from the servers back to xoanon, and used
each of them to run 'ipa -d user-show admin'. This would tell me if there
was something particular about the credentials cache generated by
running kinit on xoanon as opposed to on either of the IPA servers.

Unfortunately what I've found is that I can now no longer reproduce the
constrained delegation request failures! I tried re-running the original
'getcert resubmit' command that sent me down this rabbit hole and... it
also worked.

So I'm now really confused... I didn't change the configuration on any
IPA server while working on the above, or even restart any services; the
RHEL 8 IPA servers just started to issue the tickets via the API
server's constrained delegation requests, seemingly without any further
intervention from me... Argh!

> > Can you please give exact versions of krb5 and ipa packages?
>
> That would be:
>
> krb5-server-1.18.2-25.el8_8.x86_64
> ipa-server-4.9.11-6.module+el8.8.0+19022+e8902f4b.x86_64

For the record, on xoanon (the IPA client) I have:

krb5-workstation-1.18.2-25.el8_8.x86_64
ipa-client-4.9.11-5.module+el8.8.0+18147+84fe6ec1.x86_64

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
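The comparison Sam describes above (kinit with the same service keytab on the client and on each IPA server, pull the ccaches back, run the same API call under each one) is easy to get wrong by hand because the caches overwrite each other or the keytab gets left lying around. The script below is an added example written for this page, not code from the thread or from FreeIPA. The keytab path, the server names ipa5/ipa6 and the RUN_PROBE switch are assumptions; the principal name and the 'ipa -d user-show admin' call are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): obtain a ccache for one service
# principal on the local client and on each IPA server, fetch the remote
# ccaches back here, and run the same IPA API call under each so the
# per-host results can be compared side by side.
# KEYTAB, SERVERS, WORKDIR and RUN_PROBE are assumptions for illustration.
set -eu

KEYTAB=${KEYTAB:-/etc/hitron-exporter.keytab}                 # assumed path
PRINCIPAL=${PRINCIPAL:-HTTP/hitron-exporter.ipa.example.com}
SERVERS=${SERVERS:-"ipa5.ipa.example.com ipa6.ipa.example.com"}
WORKDIR=${WORKDIR:-/tmp/ccache-probe}

# One ccache file per origin host, so caches fetched from different hosts
# never overwrite each other. Non-alphanumerics in the host name become "_".
ccache_path() {
    printf '%s/krb5cc_%s\n' "$WORKDIR" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9' '_')"
}

# Map a command exit status to a one-word verdict for the summary.
status_word() {
    if [ "$1" -eq 0 ]; then echo ok; else echo fail; fi
}

# Run the API call with a specific ccache. -d makes the ipa client log the
# Kerberos and JSON-RPC details, which is what you want when a call fails;
# the log is kept next to the ccache for later comparison.
probe_with_ccache() {
    rc=0
    KRB5CCNAME="FILE:$1" ipa -d user-show admin >"$1.log" 2>&1 || rc=$?
    status_word "$rc"
}

# kinit on a remote IPA server with the same keytab and fetch the resulting
# ccache. The keytab is copied over ssh and deleted right after use; moving
# service keytabs between hosts is itself risky, so only do this for a probe.
fetch_remote_ccache() {
    host=$1
    out=$(ccache_path "$host")
    scp -q "$KEYTAB" "$host:/tmp/probe.keytab"
    ssh "$host" "kinit -kt /tmp/probe.keytab -c /tmp/probe.ccache '$PRINCIPAL'; rc=\$?; rm -f /tmp/probe.keytab; exit \$rc"
    scp -q "$host:/tmp/probe.ccache" "$out"
    ssh "$host" "rm -f /tmp/probe.ccache"
    echo "$out"
}

main() {
    mkdir -p "$WORKDIR"
    chmod 700 "$WORKDIR"

    # Baseline: a ccache produced on the client itself.
    local_cc=$(ccache_path "$(hostname)")
    kinit -kt "$KEYTAB" -c "$local_cc" "$PRINCIPAL"
    printf '%-28s %s\n' "$(hostname)" "$(probe_with_ccache "$local_cc")"

    # Same principal, but the TGT was obtained on each IPA server.
    for host in $SERVERS; do
        cc=$(fetch_remote_ccache "$host")
        printf '%-28s %s\n' "$host" "$(probe_with_ccache "$cc")"
    done

    # Show what each ccache ended up holding after the call: the TGT and the
    # HTTP/<ipa-server> service ticket. The S4U2Proxy tickets the API server
    # requests on your behalf live in the server's ccache, not in these files.
    for f in "$WORKDIR"/krb5cc_*; do
        echo "== $f"
        klist -c "FILE:$f"
    done
}

# Only run the probe when explicitly asked, so the helpers can be sourced.
if [ "${RUN_PROBE:-0}" = 1 ]; then
    main
fi
```

Run it as RUN_PROBE=1 ./ccache-probe.sh from the client; a row that says "fail" for one origin host but "ok" for another points at something in that particular ccache (enctypes, flags, the KDC it came from), and the matching .log file has the ipa -d output to compare.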