IPA 4.5.0-5.el7 gssproxy 0.7.0-3.el7
IPA configured for WebUI certificate authentication, with a user entry demoCert containing a user certificate delivered by IPA CA. Web UI certificate authentication stops working when an AD trust is configured. The web page shows: Authentication with personal certificate failed
httpd error_log displays:
[Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
[Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:
[Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set
krb5.kdc log:
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345, HTTP/ipaserver.example.com@EXAMPLE.COM for HTTP/ipaserver.example.com@EXAMPLE.COM, Wrong principal in request
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert@EXAMPLE.COM
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11
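The two logs above are the only trace an operator gets of this failure: an auth_gssapi S4U2Self error on the httpd side, followed by a 401 because no delegated credential cache was produced, and a "Wrong principal in request" / PROTOCOL-TRANSITION pair on the KDC side. The following is an added example (not code from the FreeIPA project or from this ticket) that parses both formats and reports those symptoms, so that a monitoring job can flag broken certificate logins after a trust is added. The regexes are written against the exact line shapes shown in the ticket; the sample input is the ticket's own log lines, embedded here, and the finding names (`s4u2self_impersonation_failed`, `no_delegated_ccache`, and so on) are this example's own labels, not anything IPA emits.

```python
import re

# httpd error_log: "[ts] [module:level] [pid N] [client IP:port] message"
# The module part may be empty, e.g. "[:error]" for the ipa WSGI lines.
HTTPD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):?(?P<level>[^\]]*)\] "
    r"\[pid (?P<pid>\d+)\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)
# krb5kdc.log: "Mon DD HH:MM:SS host krb5kdc[pid](level): message"
KDC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]\((?P<level>\w+)\): (?P<msg>.*)$"
)
S4U_CLIENT_RE = re.compile(r"s4u-client=(?P<princ>\S+)")
AUTHDATA_RC_RE = re.compile(r"handle_authdata \((?P<rc>-?\d+)\)")


def parse_httpd_error(line):
    """Return a dict for one httpd error_log line, or None if it does not match."""
    m = HTTPD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if not rec["level"]:  # "[error]" with no module prefix: the token is the level
        rec["module"], rec["level"] = "", rec["module"]
    rec["pid"] = int(rec["pid"])
    return rec


def parse_kdc(line):
    """Return a dict for one krb5kdc.log line, or None if it does not match."""
    m = KDC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def find_s4u2self_failures(httpd_lines, kdc_lines):
    """Collect S4U2Self-related symptoms from both logs, in input order."""
    findings = []
    for line in httpd_lines:
        rec = parse_httpd_error(line)
        if rec is None:
            continue
        if rec["level"] == "error" and "S4U2Self" in rec["msg"]:
            findings.append({"source": "httpd", "kind": "s4u2self_impersonation_failed",
                             "ts": rec["ts"], "client": rec["client"]})
        elif "KRB5CCNAME not set" in rec["msg"]:
            # The WSGI side never received a delegated ccache, hence the 401.
            findings.append({"source": "httpd", "kind": "no_delegated_ccache",
                             "ts": rec["ts"], "client": rec["client"]})
    for line in kdc_lines:
        rec = parse_kdc(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if "PROTOCOL-TRANSITION" in msg:
            m = S4U_CLIENT_RE.search(msg)
            findings.append({"source": "kdc", "kind": "protocol_transition", "ts": rec["ts"],
                             "s4u_client": m.group("princ") if m else None})
        elif "Wrong principal in request" in msg:
            findings.append({"source": "kdc", "kind": "wrong_principal",
                             "ts": rec["ts"], "detail": msg})
        else:
            m = AUTHDATA_RC_RE.search(msg)
            if m and int(m.group("rc")) != 0:
                findings.append({"source": "kdc", "kind": "handle_authdata_error",
                                 "ts": rec["ts"], "rc": int(m.group("rc"))})
    return findings


# Sample input: the log lines quoted in the ticket, split one per line.
HTTPD_SAMPLE = [
    "[Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] "
    "GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not "
    "be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]",
    "[Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:",
    "[Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:",
    "[Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set",
]
KDC_SAMPLE = [
    "Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)",
    "Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345, HTTP/ipaserver.example.com@EXAMPLE.COM for "
    "HTTP/ipaserver.example.com@EXAMPLE.COM, Wrong principal in request",
    "Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert@EXAMPLE.COM",
    "Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11",
]

if __name__ == "__main__":
    for f in find_s4u2self_failures(HTTPD_SAMPLE, KDC_SAMPLE):
        print(f)
```

Run stand-alone it prints five findings: the impersonation failure and the missing-ccache 401 from httpd, and the non-zero handle_authdata return code, the wrong-principal error and the protocol transition for democert@EXAMPLE.COM from the KDC. A single `protocol_transition` entry with no matching error is normal S4U2Self activity; it is the co-occurrence with `wrong_principal` and the httpd failure that marks the broken state described in this ticket.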
Fix: https://github.com/freeipa/freeipa/pull/709
Tested by @frenaud
Metadata Update from @simo: - Issue assigned to simo
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1441316
Issue linked to bug 1441316
Triaging based on conversation with Simo and Flo.
Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: bug
ipa-4-5:
b511407 Fix s4u2self with adtrust
master:
e88d5e8 Fix s4u2self with adtrust
Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)