RHEL-8.9 IdM update: Web UI and CLI return 401 Unauthorized with KDC S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC - user and group objects need a SID
Issue
After updating IPA to RHEL-8.9, from 4.9.12-9 to 4.9.12-11 or later (the update itself reports no errors), Kerberos kinit works, but every Web UI or ipa command-line access is refused with HTTP error 401:
/var/log/httpd/error_log
...ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
ipa user-show commands may fail and end with a 401 Unauthorized error, for example:
# ipa -d user-show
...
File "/usr/lib/python3.6/site-packages/ipalib/rpc.py", line 730, in single_request response.msg)
xmlrpc.client.ProtocolError: ... 401 Unauthorized>
The RHEL IdM KDC log shows a trace similar to this example:
/var/log/krb5kdc.log
...(info): TGS_REQ ...: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: ..., KDC policy rejects request
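The two log excerpts above are the KDC side and the web-framework side of one failure: the IPA framework, running as the HTTP/ service principal, uses S4U2Proxy constrained delegation to obtain an ldap/ ticket on the caller's behalf, and the KDC refuses that request when the evidence ticket carries no PAC, so the framework's LDAP bind sees an empty credential cache and answers 401. The script below is an added example, not code from the Red Hat article or from the IPA project. It correlates the two signatures over constructed sample log lines and lists directory entries that lack a SID. The hostnames, principals, addresses, log lines and LDAP entries are made up; it assumes the stock krb5kdc.log TGS_REQ line layout, IPA framework messages in httpd's error_log, and that the SID is stored in the ipaNTSecurityIdentifier attribute, which is the attribute FreeIPA uses on user and group entries.

```python
"""Triage helper for the RHEL-8.9 IdM 401 / S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC symptom.

Added example; not code from the Red Hat article or from the IPA project.
Assumptions: stock krb5kdc.log TGS_REQ line layout, IPA framework messages in
httpd's error_log, and the SID stored in the ipaNTSecurityIdentifier attribute
of user and group entries.
"""
import re

# KDC side: the policy rejection quoted in the article.  A stock TGS_REQ line
# names the client address, then "<client principal> for <server principal>".
_S4U_REJECT = re.compile(
    r"TGS_REQ .*?(?P<ip>\d+\.\d+\.\d+\.\d+): "
    r"S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: .*?"
    r"(?P<client>\S+@\S+) for (?P<server>\S+@\S+), KDC policy rejects request"
)
# Web side: the framework's 401 carrying the empty-credential-cache GSSAPI error.
_HTTPD_401 = re.compile(r"ipa: INFO: 401 Unauthorized: .*Credential cache is empty")

# Constructed sample lines modelled on the article's excerpts (not real logs).
KDC_LOG = [
    "Jan 10 10:00:01 ipa.example.test krb5kdc[1234](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "192.0.2.10: ISSUE: authtime 1704880801, etypes {rep=18 tkt=18 ses=18}, "
    "admin@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
    "Jan 10 10:00:02 ipa.example.test krb5kdc[1234](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) "
    "192.0.2.10: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704880801, "
    "HTTP/ipa.example.test@EXAMPLE.TEST for ldap/ipa.example.test@EXAMPLE.TEST, KDC policy rejects request",
]
HTTPD_LOG = [
    "[Wed Jan 10 10:00:02.123456 2024] [wsgi:error] [pid 2345:tid 140000] [remote 192.0.2.10:51234] "
    "ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: "
    "Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)",
    "[Wed Jan 10 10:00:03.000000 2024] [wsgi:error] [pid 2345:tid 140000] [remote 192.0.2.11:51235] "
    "ipa: INFO: [jsonserver_session] admin@EXAMPLE.TEST: ping(): SUCCESS",
]
# Constructed directory entries in the shape an ldapsearch result is parsed
# into: admin has a SID, the user alice and the group editors do not.
ENTRIES = [
    {"dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=test",
     "attrs": {"uid": ["admin"], "ipaNTSecurityIdentifier": ["S-1-5-21-1-2-3-500"]}},
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
     "attrs": {"uid": ["alice"]}},
    {"dn": "cn=editors,cn=groups,cn=accounts,dc=example,dc=test",
     "attrs": {"cn": ["editors"]}},
]


def find_s4u2proxy_rejections(kdc_lines):
    """Return one dict (ip, client, server) per S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC rejection."""
    hits = []
    for line in kdc_lines:
        m = _S4U_REJECT.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def count_httpd_401(httpd_lines):
    """Count the 401 'Credential cache is empty' lines the IPA framework logs."""
    return sum(1 for line in httpd_lines if _HTTPD_401.search(line))


def entries_missing_sid(entries, sid_attr="ipaNTSecurityIdentifier"):
    """Return the DNs of user/group entries that carry no SID attribute (assumed attribute name)."""
    return [e["dn"] for e in entries if not e["attrs"].get(sid_attr)]


def diagnose(kdc_lines, httpd_lines, entries):
    """Combine the three checks into one verdict dict."""
    rejections = find_s4u2proxy_rejections(kdc_lines)
    missing = entries_missing_sid(entries)
    return {
        "s4u2proxy_rejections": rejections,
        "httpd_401_count": count_httpd_401(httpd_lines),
        "entries_without_sid": missing,
        # The article's symptom: the KDC rejects the evidence ticket and the
        # framework surfaces it as 401; entries without a SID are the cause the title names.
        "matches_article_symptom": bool(rejections) and bool(missing),
    }


if __name__ == "__main__":
    for key, value in diagnose(KDC_LOG, HTTPD_LOG, ENTRIES).items():
        print(f"{key}: {value}")
```

Run it as-is to see the verdict on the embedded samples. Against a real server, feed it the lines of /var/log/krb5kdc.log and /var/log/httpd/error_log and the parsed output of an ldapsearch over cn=accounts that requests the ipaNTSecurityIdentifier attribute; the ldapsearch itself is not part of this example.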
Environment
RHEL-8.9
ipa-server-4.9.12-11.module+el8.9.0+20824+f2605038.x86_64 or later
krb5-server-1.18.2-26.el8_9.x86_64