cert-request checks the krb5PrincipalName SAN OtherName for a match against the target principal to whom the certificate is being issued; however, it fails when it should not.
For example, for principal alice in domain IPA.LOCAL, if the principal is specified on the command line as 'alice', the command fails with the message:
    ftweedal% ipa cert-request alice-k5pn.req --principal alice
    ipa: ERROR: Insufficient access: Principal 'alice@IPA.LOCAL' in subject alt name does not match requested principal
attachment freeipa-ftweedal-0036-Fix-KRB5PrincipalName-UPN-SAN-comparison.patch
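Added example (not part of the ticket or the attached patch, and not FreeIPA code): a sketch of the comparison failure described above, showing a raw string comparison beside one that qualifies both names with the default realm first. All function names are hypothetical, and the default realm is assumed to be the ticket's IPA.LOCAL; the realm-stripping variant is included to show why ignoring the realm is not an acceptable way to make the check pass.

```python
# Added illustration; not FreeIPA code. Function names are hypothetical.
DEFAULT_REALM = "IPA.LOCAL"  # assumption: the realm from the ticket's example


def split_principal(name):
    """Split 'user[@REALM]' at the first unescaped '@'; realm is None if absent."""
    i = 0
    while i < len(name):
        if name[i] == "\\":  # backslash escapes the next character
            i += 2
            continue
        if name[i] == "@":
            return name[:i], name[i + 1:]
        i += 1
    return name, None


def normalize(name, default_realm=DEFAULT_REALM):
    """Return the fully qualified principal, filling in the realm if missing."""
    user, realm = split_principal(name)
    if not user or realm == "":
        raise ValueError("malformed principal: %r" % name)
    return "%s@%s" % (user, realm if realm is not None else default_realm)


def naive_match(san_principal, requested):
    # Reproduces the reported symptom: 'alice@IPA.LOCAL' != 'alice'.
    return san_principal == requested


def normalized_match(san_principal, requested, default_realm=DEFAULT_REALM):
    # Qualify both sides, then compare whole principals, realm included.
    return normalize(san_principal, default_realm) == normalize(
        requested, default_realm)


def realm_stripping_match(san_principal, requested):
    # Unsafe shortcut: drops the realm, so a SAN naming a principal in a
    # different realm would be accepted for the local user.
    return split_principal(san_principal)[0] == split_principal(requested)[0]


if __name__ == "__main__":
    # Constructed sample inputs (SAN principal, requested principal).
    for san, req in [("alice@IPA.LOCAL", "alice"),
                     ("alice@OTHER.EXAMPLE", "alice"),
                     ("bob@IPA.LOCAL", "alice")]:
        print(san, req, naive_match(san, req), normalized_match(san, req),
              realm_stripping_match(san, req))
```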
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1252517
master:
ipa-4-2:
Metadata Update from @ftweedal: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.2.1