RHEL-8.9 IdM update, web UI and CLI 401 Unauthorized with KDC S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC - user and group objects need SIDs


Issue

After updating to RHEL-8.9 with IPA packages from 4.9.12-9 to 4.9.12-11 or later (the update itself reports no errors), a Kerberos kinit works correctly, but any ipa command-line or WebUI access is denied with an HTTP 401 error:

/var/log/httpd/error_log
...ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

An ipa user-show command may fail like this, ending with a 401 Unauthorized error:

# ipa -d user-show
...
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request response.msg)
xmlrpc.client.ProtocolError: ... 401 Unauthorized>

The RHEL IdM KDC log shows a trace similar to this example:

/var/log/krb5kdc.log
...(info): TGS_REQ ...: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: ..., KDC policy rejects request

Environment

RHEL-8.9
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64 or later
krb5-server-1.18.2-26.el8_9.x86_64
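Since the ipa CLI itself returns 401 in this state, a check for user and group entries that lack a SID has to go through LDAP. The following is an added example, not part of the Red Hat article: it reads LDIF of the kind `ldapsearch -LLL` prints and reports every entry without an ipaNTSecurityIdentifier value (assumed here to be the FreeIPA attribute that stores the SID). The LDIF sample, the DNs and the SID value are constructed.

```python
import base64
from typing import Dict, List

SID_ATTR = "ipantsecurityidentifier"   # attribute names compared case-insensitively

# Constructed sample: alice has a SID, bob and the group "ops" do not.
# Real input would come from e.g.:
#   ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=accounts,dc=example,dc=test \
#     "(|(objectClass=posixaccount)(objectClass=posixgroup))" dn ipaNTSecurityIdentifier
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: alice
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixaccount
uid: bob
description: legacy account created before SID
  generation was enabled

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixgroup
cn:: b3Bz
"""


def _unfold(block: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    out: List[str] = []
    for raw in block.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            out.append(raw)
    return out


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, '::' marks base64 values."""
    entries: List[Dict[str, List[str]]] = []
    for block in text.strip().split("\n\n"):
        entry: Dict[str, List[str]] = {}
        for line in _unfold(block):
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def entries_missing_sid(ldif_text: str) -> List[str]:
    """Return the DNs of entries that carry no SID attribute."""
    return [e.get("dn", ["<no dn>"])[0] for e in parse_ldif(ldif_text) if SID_ATTR not in e]


if __name__ == "__main__":
    for dn in entries_missing_sid(SAMPLE_LDIF):
        print("no SID:", dn)
```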
