On Tue, Sep 05, 2023 at 08:14:28PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
> Since you are saying it started after May 2023, that might actually be the 4.9.11 change. This would affect services which have no constrained delegation rules defined.
I guess that explains why, if I kinit with e.g. host/ipa3.ipa.example.com, I can make IPA API calls just fine. It's only if I kinit as a non-IPA server host or service that I see these errors.
> Can you please give exact versions of krb5 and ipa packages?
That would be:
krb5-server-1.18.2-25.el8_8.x86_64
ipa-server-4.9.11-6.module+el8.8.0+19022+e8902f4b.x86_64