#4745 [RFE] A better error in the httpd error log when the client has no forwardable ticket
Closed: wontfix 5 years ago Opened 9 years ago by cobradevil.

Hello,

When a client has no forwardable ticket

forwardable=yes

the client cannot SSO to the IPA web UI.
In the IPA httpd error log I see this message:
login_kerberos: KRB5CCNAME not defined in HTTP request environment

This gives no clue about the option on the client side. Maybe a hint would be nice, something like:
KRB5CCNAME not defined in HTTP request environment, make sure you have the forwardable = yes option in the krb5.conf on the client side.

With kind regards,
William


ab william_home: I've just tried it with 4.1.1
ab william_home: we behave better there
ab when I issue a ticket without the forwardable bit, you just cannot log in with Kerberos
ab but you can log in with a password
ab I think it will fail if you remove forwardable from the [libdefaults] on the IPA master
william_home ab: I can do that too
william_home but I expected SSO to the webpage after configuring firefox and getting a ticket with kinit
william_home but I only get the message that I could not log on with kerberos and the error in the httpd.conf
william_home uhh logging
ab yeah
ab I'm not saying this is not an issue, but giving an error message 'your ticket was not recognized, maybe it is not forwardable?' would be better
william_home so it works as expected, only the error message on the server could be expanded with a hint to "check the client krb5.conf for the forwardable = yes option"
william_home yes indeed

Why do we need a forwardable ticket? We should be using s4u2proxy since 2.1. It does not require a TGT. If it does not work we have a much bigger problem and it is a regression.

S4U2proxy requires that the ticket to the first service has the forwardable flag set. See http://msdn.microsoft.com/en-us/library/cc246079.aspx

Ah, OK so I am confusing forwardable and ok_to_delegate?

Yes. We no longer set GSS_C_DELEG_FLAG in our client framework (unless an option is provided).
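A client-side check for the situation discussed above, added here as an example and not part of FreeIPA: it parses `klist -f` output and the [libdefaults] section of krb5.conf to tell whether the TGT carries the forwardable flag the server's S4U2proxy step needs, and produces the kind of hint the ticket asks for. The klist output, realm and krb5.conf fragments are constructed samples.

```python
import re
# Constructed `klist -f` output (MIT Kerberos) from a client whose krb5.conf lacks
# forwardable = true: no ticket carries the 'F' flag (timestamps are locale dependent).
KLIST_NOT_FORWARDABLE = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: william@IPA.EXAMPLE.TEST

Valid starting       Expires              Service principal
01/02/2024 09:00:00  01/02/2024 19:00:00  krbtgt/IPA.EXAMPLE.TEST@IPA.EXAMPLE.TEST
\trenew until 01/09/2024 09:00:00, Flags: RIA
01/02/2024 09:00:05  01/02/2024 19:00:00  HTTP/ipa.example.test@IPA.EXAMPLE.TEST
\tFlags: A
"""
KRB5_CONF_MISSING = "[libdefaults]\n default_realm = IPA.EXAMPLE.TEST\n"  # constructed
KRB5_CONF_OK = "[libdefaults]\n default_realm = IPA.EXAMPLE.TEST\n forwardable = true\n"
def parse_klist(text):
    """Map each service principal in `klist -f` output to its set of flag letters."""
    creds, current = {}, None
    for line in text.splitlines():
        # Credential rows look like: <valid starting> <expires> <service principal>
        m = re.match(r"^\S+ \S+\s+\S+ \S+\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            creds[current] = set()
        elif current and (m := re.search(r"Flags:\s*([A-Za-z]+)", line)):
            creds[current].update(m.group(1))  # indented continuation line
    return creds
def libdefaults_forwardable(conf_text):
    """True/False when [libdefaults] sets forwardable, None when the key is absent."""
    section = None
    for line in conf_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
        elif section == "libdefaults" and (m := re.match(r"forwardable\s*=\s*(\S+)", s, re.I)):
            return m.group(1).lower() in ("true", "yes", "1")
    return None
def diagnose(klist_text, conf_text, realm):
    """Say whether this client's TGT can satisfy the IPA server's S4U2proxy step."""
    tgt = parse_klist(klist_text).get(f"krbtgt/{realm}@{realm}")
    if tgt is None:
        return f"no TGT for {realm} in the cache; run kinit first"
    if "F" not in tgt:
        cause = ("forwardable is not set in [libdefaults]" if not libdefaults_forwardable(conf_text)
                 else "krb5.conf sets forwardable, so this ticket predates that change")
        return (f"TGT is not forwardable ({cause}); httpd will log 'KRB5CCNAME not defined in "
                "HTTP request environment'. Set forwardable = true on the client and kinit again")
    return "TGT is forwardable; the web UI failure lies elsewhere"
```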

Processing 4.2 backlog. This ticket was found as something that is not a priority for the nearest releases.

But as usual, please feel free to discuss your use cases or contribute patches, to make that happen sooner!

Metadata Update from @cobradevil:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
