[description of the issue]
AD user's Kerberos credentials cannot be used to access IPA API and throws internal error and traceback.
Steps to Reproduce:
1: Establish trust with : --range-type=ipa-ad-trust --two-way=True
2: kdestroy -A
3: kinit administrator@AD.TEST
4: ssh -o StrictHostKeyChecking=no -K -l email@example.com ipa.internal.test
5: klist -l
6: ipa trust-find
ipa: ERROR: cannot connect to 'https://ipaqavma.internal.test/ipa/json': Internal Server Error
IPA API should be successful from AD user
The expected fix should actually be a better recovery from the error. Since we cannot really execute operations as a user from a trusted domain over IPA API unless there is an ID override for this user in the default trust view, a message should be shown that makes clear to the user 'ipa CLI' is not enabled for him/her.
Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.6
I think it should be reproducible in 4.6 (and even in 4.4) because we added idoverride mapping for GSSAPI in LDAP with ticket https://pagure.io/freeipa/issue/2149
to comment on this ticket.