IPA command fails when Kerberos ticket is generated with the non-forwardable option

Solution Verified - Updated -

Issue

  • IPA command fails when the Kerberos ticket is generated with the non-forwardable option
  • IPA commands fail with the following error:
$ kinit -F admin
Password for admin@EXAMPLE.TEST:

$ klist -f
Ticket cache: KCM:0
Default principal: admin@EXAMPLE.TEST

Valid starting       Expires              Service principal
06/28/2023 20:31:04  06/29/2023 20:28:10  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
    Flags: IA
$ ipa ping
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)
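
A check for the condition shown in the session above, as an added example that is not part of the original article: it parses `klist -f` output and reports whether the local-realm TGT carries the forwardable flag `F`. The function names and the `SAMPLE_*` inputs (including the host name `ipa.example.test`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical; SAMPLE_* values are constructed.

# Print the flag letters of the local-realm TGT (krbtgt/REALM@REALM)
# found in `klist -f` output read from stdin.
tgt_flags() {
    awk '
        # Entry line for a krbtgt principal: track it only if both realms match.
        $NF ~ /^krbtgt\// {
            split(substr($NF, 8), realm, "@")
            in_tgt = (realm[1] == realm[2])
            next
        }
        # Any other non-indented line starts a different entry or header.
        /^[^ \t]/ { in_tgt = 0 }
        # Flags sit on an indented line, alone or after "renew until ...,".
        in_tgt && match($0, /Flags: [A-Za-z]+/) {
            print substr($0, RSTART + 7, RLENGTH - 7)
            exit
        }
    '
}

# Exit status: 0 = forwardable, 1 = not forwardable, 2 = no TGT in input.
tgt_is_forwardable() {
    flags=$(tgt_flags)
    [ -n "$flags" ] || return 2
    case $flags in
        *F*) return 0 ;;   # uppercase F = forwardable (lowercase f = forwarded)
        *)   return 1 ;;
    esac
}

# Constructed sample matching the layout of the failing session above.
SAMPLE_NONFWD='Ticket cache: KCM:0
Default principal: admin@EXAMPLE.TEST

Valid starting       Expires              Service principal
06/28/2023 20:31:04  06/29/2023 20:28:10  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
    Flags: IA'

# Constructed sample: a service ticket listed first, then a forwardable TGT.
SAMPLE_FWD='Valid starting       Expires              Service principal
06/28/2023 20:31:04  06/29/2023 20:28:10  HTTP/ipa.example.test@EXAMPLE.TEST
    Flags: AT
06/28/2023 20:31:04  06/29/2023 20:28:10  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
    renew until 07/05/2023 20:28:10, Flags: FRIA'

printf '%s\n' "$SAMPLE_NONFWD" | tgt_is_forwardable \
    || echo "TGT is not forwardable (flags: $(printf '%s\n' "$SAMPLE_NONFWD" | tgt_flags))"
```

On a live host, pipe `klist -f` into `tgt_is_forwardable` before running `ipa` commands; status 1 matches the `Flags: IA` case above and status 2 means no TGT was found in the cache.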

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • IPA 4.x
