On Tue, 05 Sep 2023, Sam Morris wrote:
> On Tue, Sep 05, 2023 at 07:22:51PM +0100, Sam Morris via FreeIPA-users wrote:
> > On Tue, Sep 05, 2023 at 08:14:28PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> > > Since you are saying it started after May 2023, that might be actually
> > > the 4.9.11 change. This would affect services which have no constrained
> > > delegation rules defined.
> >
> > I guess that explains why, if I kinit with e.g.
> > host/ipa3.ipa.example.com, I can make IPA API calls just fine. It's only
> > if I kinit as a non-IPA-server host or service that I see these errors.
>
> Actually there could be something else going on here.
>
> I wanted to see what would happen if I copied the keytab for
> HTTP/hitron-exporter.ipa.example.com to ipa5 and ipa6, and ran kinit
> over there, then copied the ccaches from the servers back to xoanon, and
> used each of them to run 'ipa -d user-show admin'.
>
> This would tell me if there was something particular about the
> credentials cache generated by running kinit on xoanon as opposed to
> either of the IPA servers.
>
> Unfortunately what I've found is that I can now no longer reproduce the
> constrained delegation request failures!
>
> I tried re-running the original 'getcert resubmit' command that sent me
> down this rabbit hole and... it also worked.
>
> So I'm now really confused... I didn't change the configuration on any
> IPA server while working on the above, or even restart any services--the
> RHEL 8 IPA servers just started to issue the tickets via the API
> server's constrained delegation requests seemingly without any further
> intervention from me...

It would help to see logs (krb5kdc.log) from RHEL8 servers for this
communication, both on ipa5/ipa6 and back to xoanon.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
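The two checks discussed above, Sam's "run 'ipa -d user-show admin' under each collected ccache" experiment and Alexander's request to look at krb5kdc.log on ipa5/ipa6 for the delegation traffic, can be scripted so the comparison is repeatable. The following is an added example, not code from the thread or from FreeIPA itself. It assumes the ccaches copied back to xoanon live in a directory passed as the first argument (one `*.ccache` file per origin host), that `ipa` is on PATH, and that krb5kdc.log excerpts are fed on stdin. The sample log lines in `sample_kdc_log` are constructed and only approximate the real krb5kdc.log layout; the "KDC policy rejects request" string is the genuine MIT Kerberos text for KRB5KDC_ERR_POLICY.

```shell
#!/bin/sh
# Added example (not from the thread). Compares API access per credential
# cache and filters KDC logs for TGS traffic involving a given principal.

# Run 'ipa -d user-show admin' once per ccache in the directory given as $1.
# Each run's debug output is kept beside the ccache for later comparison,
# so a ccache minted on ipa5 can be diffed against one minted on xoanon.
try_ccaches() {
    dir=$1
    for cc in "$dir"/*.ccache; do
        [ -e "$cc" ] || continue                 # no ccaches: nothing to do
        if KRB5CCNAME="FILE:$cc" ipa -d user-show admin >"$cc.log" 2>&1; then
            echo "OK   $cc"
        else
            echo "FAIL $cc (debug output in $cc.log)"
        fi
    done
}

# Keep only TGS_REQ lines that mention the principal given as $1 (substring
# match, e.g. HTTP/hitron-exporter.ipa.example.com). The API server's
# constrained-delegation request on that client's behalf is a TGS exchange,
# so this is where it would show up in krb5kdc.log. Reads the log on stdin.
kdc_requests_for() {
    grep -F 'TGS_REQ' | grep -F "$1"
}

# Count TGS requests the KDC refused on policy grounds, which is the failure
# mode seen when no constrained delegation rule covers the service.
count_policy_rejects() {
    grep -F 'TGS_REQ' | grep -c 'KDC policy rejects request' || true
}

# Constructed sample log (approximate krb5kdc.log format; hostnames and
# addresses are placeholders): one AS exchange, one successful TGS exchange
# and one policy rejection involving the exporter principal.
sample_kdc_log() {
    printf '%s\n' \
    'Sep 05 19:22:51 ipa5.ipa.example.com krb5kdc[1234](info): AS_REQ (4 etypes {18 17 20 19}) 10.0.0.7: ISSUE: authtime 1693938171, etypes {rep=18 tkt=18 ses=18}, HTTP/hitron-exporter.ipa.example.com@IPA.EXAMPLE.COM for krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM' \
    'Sep 05 19:22:52 ipa5.ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 20 19}) 10.0.0.7: ISSUE: authtime 1693938171, etypes {rep=18 tkt=18 ses=18}, HTTP/hitron-exporter.ipa.example.com@IPA.EXAMPLE.COM for HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM' \
    'Sep 05 19:22:53 ipa5.ipa.example.com krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 20 19}) 10.0.0.5: KDC policy rejects request: HTTP/ipa5.ipa.example.com@IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com@IPA.EXAMPLE.COM on behalf of HTTP/hitron-exporter.ipa.example.com@IPA.EXAMPLE.COM'
}

# Stand-alone usage: on the real servers you would pipe krb5kdc.log instead.
if [ "${1:-}" = "--demo" ]; then
    sample_kdc_log | kdc_requests_for HTTP/hitron-exporter.ipa.example.com
    echo "policy rejections: $(sample_kdc_log | count_policy_rejects)"
fi
```

Running `try_ccaches /path/to/ccaches` on xoanon gives one OK/FAIL line per origin host plus a saved `ipa -d` transcript each, which is the quickest way to see whether a ccache minted on an IPA server behaves differently from one minted on xoanon. Piping `/var/log/krb5kdc.log` from ipa5 and ipa6 through `kdc_requests_for` and `count_policy_rejects` narrows the log to the exchanges Alexander asks about.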
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org