On 15/05/2022 17:21, Sam Morris wrote:
$ http -f https://ipa0.example.qq/ipa/session/login_password user=host/authtest.example.qq 'password=<new password>'
Well, this is strange. The above was tested on my home setup (FreeIPA
4.9.8 on RHEL 8). But at work (FreeIPA 4.6.8 on RHEL 7) when I make the
call to log in to the API, I receive (unimportant headers skipped
because I'm typing this by hand):
401 Unauthorized
X-IPA-Rejection-Reason: invalid-password
kinit: Client 'host\/authtest.example.qq(a)EXAMPLE.QQ' not
found in Kerberos database while getting initial credentials
I've traced this to a difference in the behaviour between RHEL 8 vs RHEL
7. On both systems, the FreeIPA API runs the same command:
/usr/bin/kinit host/authtest.example.qq -c [ccache path] -T [armor ccache path] -E
On the RHEL 8 server, this works. On the RHEL 7 server, the command
fails before prompting for a password. The error message is the same as
the one returned to the client above. /var/log/krb5kdc.log has:
AS_REQ (...) <IP>: CLIENT_NOT_FOUND: host\/authtest.example.qq(a)EXAMPLE.QQ for
krb5tgt/EXAMPLE.QQ(a)EXAMPLE.QQ, Client not found in Kerberos database
The culprit appears to be the -E option, as when I run kinit without
it, authentication works fine.
It's possible there's some other configuration difference between work
and home that I'm not seeing. Unless you can think of anything, I guess
I need to finally get around to setting up new IdM servers on RHEL 9...
:)
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
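The krb5kdc.log line quoted above carries the tell-tale sign of what `kinit -E` does: the client is logged as `host\/authtest.example.qq@...`, i.e. the whole `host/authtest.example.qq` string was sent as a single enterprise-principal component (krb5 escapes a slash inside a component as `\/`), so the KDC never looked up the two-component host principal. The following added example (not part of the post or of FreeIPA) parses AS_REQ lines from krb5kdc.log and flags CLIENT_NOT_FOUND entries whose client name has that enterprise form; the sample log lines, IP and timestamps are constructed.

```python
import re
from typing import Optional

# Constructed sample of krb5kdc.log AS_REQ lines: the failing "kinit -E"
# request, then the same principal succeeding without -E (NEEDED_PREAUTH
# followed by ISSUE). "\\/" in the source yields "\/" in the text.
SAMPLE_LOG = """\
May 15 17:21:03 ipa0.example.qq krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: CLIENT_NOT_FOUND: host\\/authtest.example.qq@EXAMPLE.QQ for krbtgt/EXAMPLE.QQ@EXAMPLE.QQ, Client not found in Kerberos database
May 15 17:21:09 ipa0.example.qq krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: host/authtest.example.qq@EXAMPLE.QQ for krbtgt/EXAMPLE.QQ@EXAMPLE.QQ, Additional pre-authentication required
May 15 17:21:09 ipa0.example.qq krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1652631669, etypes {rep=18 tkt=18 ses=18}, host/authtest.example.qq@EXAMPLE.QQ for krbtgt/EXAMPLE.QQ@EXAMPLE.QQ
"""

# "AS_REQ (<etypes>) <ip>: <STATUS>: [authtime ..., etypes {...}, ]<client> for <server>[, <message>]"
AS_REQ_RE = re.compile(
    r"AS_REQ \([^)]*\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:.*?, )?(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<message>.*))?$"
)


def parse_as_req(line: str) -> Optional[dict]:
    """Return ip/status/client/server/message for an AS_REQ line, else None."""
    m = AS_REQ_RE.search(line)
    return m.groupdict() if m else None


def is_enterprise_form(principal: str) -> bool:
    """True when the name part (before the realm) contains an escaped '/' or
    '@'.  krb5 only escapes those inside a component, so 'host\\/x@R' means
    the client sent 'host/x' as one component (an enterprise name, as with
    kinit -E) rather than the service principal host/x that the KDC holds.
    Enterprise names without '/' or '@' in them are not detectable this way."""
    name = principal.rsplit("@", 1)[0]
    return "\\/" in name or "\\@" in name


def find_enterprise_lookup_failures(log_text: str) -> list:
    """(ip, client) for every CLIENT_NOT_FOUND whose client looks enterprise-formed."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec and rec["status"] == "CLIENT_NOT_FOUND" and is_enterprise_form(rec["client"]):
            hits.append((rec["ip"], rec["client"]))
    return hits


if __name__ == "__main__":
    for ip, client in find_enterprise_lookup_failures(SAMPLE_LOG):
        print(f"{ip}: {client} rejected; principal was sent in enterprise form (kinit -E?)")
```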