#6993 certauth: use canonical principal for lookups
Closed: fixed 6 years ago Opened 6 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1457942

Description of problem:
Currently the certauth plugin uses the unmodified principal from the request to
look up the user. This might fail if e.g. enterprise principals are used.

On the client:
    kinit -E -X X509_user_identity=.... scuser@IPAF25.DEVEL
In krb5kdc.log:
    Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Doing
    certauth authorize for [scuser\@IPAF25.DEVEL@IPAF25.DEVEL]
    Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): Got cert
    filter [(...)]
    Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): No matching
    entry found
    Mär 22 11:09:12 ipa-devel-f25.ipaf25.devel krb5kdc[26868](info): preauth
    (pkinit) verify failure: Certificate mismatch


To not fail, the canonical principal, which is also available in the certauth
plugin, should be used.
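
The following is an added model of the lookup path described above; it is not ipa-kdb code and does not quote the fix commits. It reproduces the MIT krb5 unparsing rule that produces the `scuser\@IPAF25.DEVEL@IPAF25.DEVEL` form seen in the log ('@', '/' and '\' inside a component are backslash-escaped), resolves the enterprise principal to a KDB entry, and then runs the certauth user lookup twice: with the request principal (the reported behaviour) and with the canonical principal taken from the KDB entry (assumed here to be `db_entry->princ` in the certauth interface, which is my reading of the proposed fix). The directory content, the filter shape `(&(objectClass=krbPrincipalAux)(krbPrincipalName=...)...)`, the `CERTMAP_FILTER` placeholder and the `kdb_lookup` resolution rule are constructed assumptions for the illustration.

```python
"""Model of the certauth principal lookup from the ticket (added example, not ipa-kdb code)."""
from dataclasses import dataclass

REALM = "IPAF25.DEVEL"


@dataclass(frozen=True)
class Principal:
    components: tuple          # unescaped name components
    realm: str
    enterprise: bool = False   # NT-ENTERPRISE: a single component holding "user@domain"


def unparse(p):
    """Mimic krb5_unparse_name(): '\\', '@' and '/' inside a component are
    backslash-escaped, so an enterprise principal prints as user\\@domain@REALM."""
    def esc(c):
        return c.replace("\\", "\\\\").replace("@", "\\@").replace("/", "\\/")
    return "/".join(esc(c) for c in p.components) + "@" + p.realm


def ldap_escape(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter.
    Needed because the unparsed request principal itself contains a backslash."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


@dataclass(frozen=True)
class KdbEntry:
    """Stand-in for krb5_db_entry: 'princ' is the canonical principal of the entry."""
    princ: Principal
    krb_principal_name: frozenset   # every krbPrincipalName value (aliases included)


# Constructed directory content: the user from the ticket plus one host principal.
DIRECTORY = (
    KdbEntry(Principal(("scuser",), REALM), frozenset({"scuser@IPAF25.DEVEL"})),
    KdbEntry(Principal(("host", "ipa-devel-f25.ipaf25.devel"), REALM),
             frozenset({"host/ipa-devel-f25.ipaf25.devel@IPAF25.DEVEL"})),
)

# Constructed placeholder for the certificate-derived filter ("Got cert filter [(...)]").
CERTMAP_FILTER = "(userCertificate;binary=...)"


def kdb_lookup(request):
    """Assumed model of how the KDC resolves the request to a KDB entry: for an
    enterprise principal the single component ('scuser@IPAF25.DEVEL') is matched
    against krbPrincipalName, otherwise the unparsed name is."""
    key = request.components[0] if request.enterprise else unparse(request)
    for entry in DIRECTORY:
        if key in entry.krb_principal_name:
            return entry
    return None


def certauth_lookup(request, db_entry, use_canonical):
    """Model of the certauth user lookup. Returns (principal string used, filter, matched).
    use_canonical=False is the behaviour reported in the ticket; True uses db_entry.princ."""
    name = unparse(db_entry.princ if use_canonical else request)
    filt = "(&(objectClass=krbPrincipalAux)(krbPrincipalName=%s)%s)" % (
        ldap_escape(name), CERTMAP_FILTER)
    matched = any(name in e.krb_principal_name for e in DIRECTORY)
    return name, filt, matched


# Constructed request corresponding to `kinit -E scuser@IPAF25.DEVEL`.
ENTERPRISE_REQUEST = Principal(("scuser@IPAF25.DEVEL",), REALM, enterprise=True)

if __name__ == "__main__":
    entry = kdb_lookup(ENTERPRISE_REQUEST)
    for use_canonical in (False, True):
        name, filt, ok = certauth_lookup(ENTERPRISE_REQUEST, entry, use_canonical)
        print("canonical" if use_canonical else "request  ", name, filt,
              "matched" if ok else "No matching entry found")
```

Running it prints the request-principal case with the escaped `scuser\@IPAF25.DEVEL@IPAF25.DEVEL` and no match, and the canonical case with `scuser@IPAF25.DEVEL` matching the entry. The `ldap_escape` step is the practitioner's caveat: whichever principal string is embedded in the filter, it must be RFC 4515-escaped, since the enterprise form carries a literal backslash.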

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1457942

6 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

6 years ago

Metadata Update from @sbose:
- Issue set to the milestone: None

6 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2

6 years ago

master:

  • 117d6e9 ipa-kdb: use canonical principal in certauth plugin

ipa-4-5:

  • e8d8aab ipa-kdb: use canonical principal in certauth plugin

Metadata Update from @mbasti:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
