CustodiaClient attempts to acquire initiator credentials with the hostbased_service nametype. This hits a tricky corner case in Kerberos with respect to canonicalization, and we can easily avoid it. See https://github.com/krb5/krb5/pull/1154 for some more information.
hostbased_service
dns_canonicalize_hostname = fallback
Custodia connection will fail with:
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Major (458752): No credentials were supplied, or the credentials were unavailable or inaccessible, Minor (2529639107): No credentials cache found
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
[root@replica secrets]#
Ideally, a replica.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
freeipa-server-4.9.0-1.fc34.x86_64
freeipa-client-4.9.0-1.fc34.x86_64
package ipa-server is not installed
package ipa-client is not installed
389-ds-base-2.0.1-999.fc34.x86_64
pki-ca-10.10.0-2.fc34.noarch
krb5-server-1.19-0.beta2.1.fc34.x86_64
Patch forthcoming.
PR: https://github.com/freeipa/freeipa/pull/5452
Issue will be resolved in krb5 instead; closing.
Metadata Update from @rharwood:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)