It looks like in some cases we do not have a properly set up keytab retrieval configuration in the old trusted domain object. This mostly affects two-way trust cases. In such cases, we need to create the default configuration that ipasam would have created when the trust was established.
Recently we migrated old-style trusted domain objects to a new style to support one-way trust with a shared secret. We had to change it so that all configurations use trusted domain object credentials instead of relying on a working cross-realm trust ticket in the two-way trust case. The latter helps us against the tightening of unconditional ticket delegation across cross-forest trusts (after https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server), which would otherwise have prevented RHEL IdM trust to AD from working for two-way trust at all.
I submitted a pull request upstream that adds a default access control to new objects: https://github.com/freeipa/freeipa/pull/3643
Metadata Update from @abbra: - Issue assigned to abbra
master:
ipa-4-8:
Metadata Update from @tdudlak: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-7:
ipa-4-6:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1751707
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1750700 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1751707)
Issue linked to Bugzilla: Bug 1750700