Description of the issue: AD user's Kerberos credentials cannot be used to access the IPA API; the request throws an internal error and a traceback.
Steps to Reproduce:
1. Establish trust with : --range-type=ipa-ad-trust --two-way=True
2. kdestroy -A
3. kinit administrator@AD.TEST
4. ssh -o StrictHostKeyChecking=no -K -l administrator@ad.test ipa.internal.test
5. klist -l
6. ipa trust-find
Actual behavior: ipa: ERROR: cannot connect to 'https://ipaqavma.internal.test/ipa/json': Internal Server Error
Expected behavior: the IPA API call should succeed for the AD user.
Version Affected:
- ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64
- ipa-client-4.7.1-7.module+el8+2555+b334d87b.x86_64
- 389-ds-base-1.4.0.20-1.module+el8+2553+e9a4c637.x86_64
- pki-ca-10.6.8-1.module+el8+2277+f150bc67.noarch
- krb5-server-1.16.1-19.el8.x86_64
The expected fix should actually be a better recovery from the error. Since we cannot really execute operations as a user from a trusted domain over the IPA API unless there is an ID override for this user in the default trust view, a message should be shown that makes it clear to the user that the 'ipa CLI' is not enabled for him/her.
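To make the decision described in that comment concrete, here is an added illustration (not FreeIPA's own code) of how an API front end could gate a trusted-domain principal on the presence of an ID override in the Default Trust View and return a clear message instead of an Internal Server Error. The IPA realm INTERNAL.TEST, the override store and the sample override names are assumptions for this model.

```python
"""Constructed model of the access decision for a Kerberos principal from a
trusted AD domain. Not FreeIPA's implementation; it only illustrates the
check that the comment above asks for."""
from dataclasses import dataclass, field

IPA_REALM = "INTERNAL.TEST"               # assumed IPA realm for this model
TRUSTED_DOMAINS = {"ad.test"}             # trust established with AD.TEST (from the report)
DEFAULT_TRUST_VIEW = "Default Trust View" # FreeIPA's built-in ID view name


@dataclass
class IdViews:
    # view name -> set of user override names, stored as user@domain in lowercase
    overrides: dict = field(default_factory=dict)

    def has_user_override(self, view, name):
        return name.lower() in self.overrides.get(view, set())


def split_principal(principal):
    # "administrator@AD.TEST" -> ("administrator", "ad.test"); realms compare case-insensitively,
    # which matters because the report uses AD.TEST for kinit and ad.test for ssh
    if "@" not in principal:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    user, realm = principal.rsplit("@", 1)
    return user, realm.lower()


def check_api_access(principal, views):
    """Return (allowed, message). A trusted-domain user without an ID override
    gets an explicit explanation rather than an opaque server error."""
    user, realm = split_principal(principal)
    if realm == IPA_REALM.lower():
        return True, f"{principal}: native IPA user, proceed"
    if realm not in TRUSTED_DOMAINS:
        return False, f"{principal}: realm {realm} is not a trusted domain"
    override = f"{user}@{realm}"
    if not views.has_user_override(DEFAULT_TRUST_VIEW, override):
        return False, (f"{principal}: ipa CLI is not enabled for this user; "
                       f"no ID override '{override}' in '{DEFAULT_TRUST_VIEW}'")
    return True, f"{principal}: ID override found, proceed"


if __name__ == "__main__":
    # constructed sample: only alice@ad.test has an override in the default view
    sample = IdViews({DEFAULT_TRUST_VIEW: {"alice@ad.test"}})
    for p in ("admin@INTERNAL.TEST", "administrator@AD.TEST", "Alice@ad.test"):
        print(check_api_access(p, sample)[1])
```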
Metadata Update from @abbra: - Issue set to the milestone: FreeIPA 4.6
I think it should be reproducible in 4.6 (and even in 4.4) because we added ID override mapping for GSSAPI in LDAP with ticket https://pagure.io/freeipa/issue/2149.