Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1457942
Description of problem:

Currently the certauth plugin uses the unmodified principal from the request to look up the user. This might fail if e.g. enterprise principals are used.

On the client:

    kinit -E -X X509_user_identity=.... scuser@IPAF25.DEVEL

In krb5kdc.log:

    Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Doing certauth authorize for [scuser\@IPAF25.DEVEL@IPAF25.DEVEL]
    Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Got cert filter [(...)]
    Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): No matching entry found
    Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): preauth (pkinit) verify failure: Certificate mismatch

To not fail, the canonical principal, which is also available in the certauth plugin, should be used.
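To check whether a KDC is hitting this symptom, the following added example (not part of the ticket or of the FreeIPA code) scans krb5kdc.log text for certauth lookups that failed while the request carried the enterprise form of the principal. It assumes the message texts are exactly those quoted above and that one krb5kdc PID handles one certauth attempt at a time; the sample log, its hostname and the function names are constructed for illustration.

```python
import re

# Constructed sample in the krb5kdc.log format quoted in the ticket
# (hostname and the second user are made up for this example).
SAMPLE_LOG = r"""
Mar 22 11:09:12 kdc.example.test krb5kdc[26868](info): Doing certauth authorize for [scuser\@IPAF25.DEVEL@IPAF25.DEVEL]
Mar 22 11:09:12 kdc.example.test krb5kdc[26868](info): Got cert filter [(...)]
Mar 22 11:09:12 kdc.example.test krb5kdc[26868](info): No matching entry found
Mar 22 11:09:12 kdc.example.test krb5kdc[26868](info): preauth (pkinit) verify failure: Certificate mismatch
Mar 22 11:10:40 kdc.example.test krb5kdc[26868](info): Doing certauth authorize for [other@IPAF25.DEVEL]
Mar 22 11:10:40 kdc.example.test krb5kdc[26868](info): Got cert filter [(...)]
Mar 22 11:10:40 kdc.example.test krb5kdc[26868](info): No matching entry found
"""

LINE = re.compile(r"krb5kdc\[(?P<pid>\d+)\]\(info\): (?P<msg>.*)$")
AUTHZ = re.compile(r"Doing certauth authorize for \[(?P<princ>.+)\]$")


def is_enterprise_form(principal):
    # An enterprise principal is logged with its own '@' escaped as '\@',
    # followed by the realm: user\@REALM@REALM.
    name, _, _realm = principal.rpartition("@")
    return "\\@" in name


def find_enterprise_certauth_failures(log_text):
    """Return principals whose certauth lookup found no entry while the
    request carried the enterprise (escaped) form of the name."""
    pending = {}  # pid -> principal of the certauth attempt in progress (assumption)
    hits = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg").strip()
        authz = AUTHZ.match(msg)
        if authz:
            pending[pid] = authz.group("princ")
        elif msg == "No matching entry found" and pid in pending:
            princ = pending.pop(pid)
            if is_enterprise_form(princ):
                hits.append(princ)
    return hits


if __name__ == "__main__":
    for p in find_enterprise_certauth_failures(SAMPLE_LOG):
        print("certauth lookup failed for enterprise principal:", p)
```

A hit only indicates the pattern from this ticket; a plain-form principal with no matching certificate mapping (the second constructed entry) is a different failure and is not reported.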
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1457942
Metadata Update from @sbose: - Issue assigned to sbose
https://github.com/freeipa/freeipa/pull/841
Metadata Update from @sbose: - Issue set to the milestone: None
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2
master:
ipa-4-5:
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)