Translated message

A translation of this page exists in English.

如何解决用户无法进行 IPA/IDM 身份验证，有 PAC 问题 - S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC 错误

Solution In Progress - Updated 2024-03-26T19:06:18+00:00 -

Issue

升级到 RHEL 8.9 或 RHEL 9.3 后，大多数 IPA 用户都无法登录到 WebUI 或 kinit，并显示类似如下的错误

 GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

因此，ipa 命令都会失败

# ipa -d user-show
...
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request response.msg)
xmlrpc.client.ProtocolError: ... 401 Unauthorized>

在 IPA 的 krb5kdc.log 中，可以看到 staple 错误

S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC

Environment

RHEL 8.9, ipa-server-4.9.12-11 +
RHEL 9.3, ipa-server-4.10.2-5 +

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Select Your Language

Translated message

如何解决用户无法进行 IPA/IDM 身份验证，有 PAC 问题 - S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC 错误

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Translated message

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links