#7818 When AD user has no ID override defined, the user's Kerberos credentials cannot be used to access IPA API
Opened 2 years ago by amore. Modified 2 years ago

[description of the issue]
An AD user's Kerberos credentials cannot be used to access the IPA API; the call throws an internal error and a traceback.

Steps to Reproduce:
1: Establish trust with : --range-type=ipa-ad-trust --two-way=True
2: kdestroy -A
3: kinit administrator@AD.TEST
4: ssh -o StrictHostKeyChecking=no -K -l administrator@ad.test ipa.internal.test
5: klist -l
6: ipa trust-find

Actual behavior:
ipa: ERROR: cannot connect to 'https://ipaqavma.internal.test/ipa/json': Internal Server Error

Expected behavior:
IPA API calls should succeed for the AD user.

Version Affected:

The expected fix should actually be a better recovery from the error. Since we cannot really execute operations as a user from a trusted domain over IPA API unless there is an ID override for this user in the default trust view, a message should be shown that makes clear to the user 'ipa CLI' is not enabled for him/her.
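An added example, not part of the ticket or of FreeIPA itself: a small POSIX shell pre-check an IPA admin can run to see whether a trusted-domain user has the ID override in the Default Trust View that the description says is required, and to print the kind of clear message the ticket asks for. It assumes the `ipa` CLI is on PATH with an admin Kerberos ticket already obtained; the function names and message wording are my own.

```shell
#!/bin/sh
# Added example (not from the ticket): report whether a trusted-domain user
# has an ID override in the Default Trust View, which the ticket identifies
# as the prerequisite for using the IPA API/CLI as that user.
VIEW="Default Trust View"

# Returns 0 if the override exists, non-zero otherwise
# (the ipa CLI exits non-zero when the override is not found).
has_id_override() {
    user="$1"
    ipa idoverrideuser-show "$VIEW" "$user" >/dev/null 2>&1
}

# Turn the check result (0 = override present) into the user-facing message
# the ticket wants instead of an "Internal Server Error".
explain_api_access() {
    status="$1"
    user="$2"
    if [ "$status" -eq 0 ]; then
        printf '%s: ID override present in "%s"; IPA CLI/API access is enabled\n' \
            "$user" "$VIEW"
    else
        printf '%s: no ID override in "%s"; IPA CLI is not enabled for this user (an admin can add one with: ipa idoverrideuser-add "%s" "%s")\n' \
            "$user" "$VIEW" "$VIEW" "$user"
    fi
}

main() {
    user="${1:?usage: $0 user@AD.DOMAIN}"
    has_id_override "$user"
    rc=$?
    explain_api_access "$rc" "$user"
    return "$rc"
}

# Run the check only when a user is given, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```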

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.6

2 years ago

I think it should be reproducible in 4.6 (and even in 4.4) because we added idoverride mapping for GSSAPI in LDAP with ticket https://pagure.io/freeipa/issue/2149
