On Tue, 05 Sep 2023, Sam Morris wrote:
On Tue, Sep 05, 2023 at 07:22:51PM +0100, Sam Morris via FreeIPA-users wrote:
On Tue, Sep 05, 2023 at 08:14:28PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
Since you are saying it started after May 2023, that might actually be the 4.9.11 change. This would affect services which have no constrained delegation rules defined.
I guess that explains why, if I kinit with e.g. host/ipa3.ipa.example.com, I can make IPA API calls just fine. It's only if I kinit as a non-IPA-server host or service that I see these errors.
Actually there could be something else going on here.
I wanted to see what would happen if I copied the keytab for HTTP/hitron-exporter.ipa.example.com to ipa5 and ipa6, and ran kinit over there, then copied the ccaches from the servers back to xoanon, and used each of them to run 'ipa -d user-show admin'.
This would tell me if there was something particular about the credentials cache generated by running kinit on xoanon as opposed to either of the IPA servers.
Unfortunately what I've found is that I can now no longer reproduce the constrained delegation request failures!
I tried re-running the original 'getcert resubmit' command that sent me down this rabbit hole and... it also worked.
So I'm now really confused... I didn't change the configuration on any IPA server while working on the above, or even restart any services--the RHEL 8 IPA servers just started to issue the tickets via the API server's constrained delegation requests seemingly without any further intervention from me...
It would help to see logs (krb5kdc.log) from RHEL8 servers for this communication, both on ipa5/ipa6 and back to xoanon.