#7818 When AD user has no ID override defined, the user's Kerberos credentials cannot be used to access IPA API
Opened 5 years ago by amore. Modified 5 years ago

[description of the issue]
AD user's Kerberos credentials cannot be used to access IPA API and throws internal error and traceback.

Steps to Reproduce:
1: Establish trust with : --range-type=ipa-ad-trust --two-way=True
2: kdestroy -A
3: kinit administrator@AD.TEST
4: ssh -o StrictHostKeyChecking=no -K -l administrator@ad.test ipa.internal.test
5: klist -l
6: ipa trust-find

Actual behavior:
ipa: ERROR: cannot connect to 'https://ipaqavma.internal.test/ipa/json': Internal Server Error

Expected behavior:
IPA API should be successful from AD user

Version Affected:
ipa-server-4.7.1-7.module+el8+2555+b334d87b.x86_64
ipa-client-4.7.1-7.module+el8+2555+b334d87b.x86_64
389-ds-base-1.4.0.20-1.module+el8+2553+e9a4c637.x86_64
pki-ca-10.6.8-1.module+el8+2277+f150bc67.noarch
krb5-server-1.16.1-19.el8.x86_64


The expected fix should actually be a better recovery from the error. Since we cannot really execute operations as a user from a trusted domain over IPA API unless there is an ID override for this user in the default trust view, a message should be shown that makes clear to the user 'ipa CLI' is not enabled for him/her.

Metadata Update from @abbra:
- Issue set to the milestone: FreeIPA 4.6

5 years ago

I think it should be reproducible in 4.6 (and even in 4.4) because we added idoverride mapping for GSSAPI in LDAP with ticket https://pagure.io/freeipa/issue/2149

Login to comment on this ticket.

Metadata