Translated message

A translation of this page exists in English.

如何解决因为 PAC 问题 - S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC error 导致用户无法通过 IPA/IDM 进行身份验证的问题

Solution In Progress - Updated 2025-07-01T06:19:27+00:00 -

Issue

在升级到 RHEL 8.9 或 RHEL 9.3 后，大多数 IPA 用户都无法登录到 WebUI 或 kinit，并显示错误

 GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)

因此，任何 ipa 命令都会失败并带有

# ipa -d user-show
...
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request response.msg)
xmlrpc.client.ProtocolError: ... 401 Unauthorized>

在 IPA 的krb5kdc.log 中，我们可以看到 staple 错误

S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC

Environment

RHEL 8.9, ipa-server-4.9.12-11 +
RHEL 9.3, ipa-server-4.10.2-5 +

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Select Your Language

Translated message

如何解决因为 PAC 问题 - S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC error 导致用户无法通过 IPA/IDM 进行身份验证的问题

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

About

Red Hat legal and privacy links

Red Hat legal and privacy links

Translated message

Issue

Environment

Subscriber exclusive content

Current Customers and Partners

New to Red Hat?

Using a Red Hat product through a public cloud?

Quick Links

Help

Site Info

Related Sites

Systems Status

About

Red Hat legal and privacy links

Red Hat legal and privacy links