Back to bug 2060421
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Red Hat Bugzilla | 2022-03-03 13:57:09 UTC | Pool ID | sst_idm_ipa_rhel_9 | |
| Red Hat One Jira (issues.redhat.com) | 2022-03-03 14:02:39 UTC | Link ID | Red Hat Issue Tracker FREEIPA-7926 | |
| Red Hat One Jira (issues.redhat.com) | 2022-03-03 14:02:42 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-114373 | |
| Julien Rische | 2022-03-21 10:50:02 UTC | Status | NEW | ASSIGNED |
| RHEL Program Management | 2022-04-21 13:15:13 UTC | Keywords | Triaged | |
| Filip Dvorak | 2022-05-09 09:48:26 UTC | QA Contact | ipa-qe | fdvorak |
| Filip Dvorak | 2022-05-11 07:25:13 UTC | Depends On | 2027125 | |
| Julien Rische | 2022-05-23 14:53:49 UTC | Depends On | 2016312 | |
| Julien Rische | 2022-06-03 09:42:00 UTC | Summary | FAST processing over cross-realm fails against Active Directory in FIPS mode | FAST processing over cross-realm fails against Active Directory |
| Julien Rische | 2022-09-06 08:43:12 UTC | Depends On | 2124463 | |
| Julien Rische | 2022-09-23 15:56:00 UTC | Link ID | Github krb5/krb5/pull/1268 | |
| Julien Rische | 2022-09-23 16:19:03 UTC | Summary | FAST processing over cross-realm fails against Active Directory | Invalid KDC signature encryption type for PAC |
| Julien Rische | 2022-09-23 16:52:35 UTC | Doc Text | Introduction of support for the AES SHA-2 HMAC encryption type family in IPA has caused the Kerberos ticket's PAC (Privilege Attribute Certificate Data Structure) to be signed with encryption types that are not supported by Active Directory. As a consequence, IPA to AD cross-realm requests (i.e. in a two-way trust setup) are failing with the following generic error: "Generic error (see e-text) while getting credentials for <service principal>" | |
| | | Doc Type | If docs needed, set a value | Known Issue |
| Gabi Fialová | 2022-09-26 07:19:32 UTC | Docs Contact | fhanzelk | |
| | | CC | gfialova | |
| Gabi Fialová | 2022-09-26 07:19:58 UTC | Flags | needinfo?(fhanzelk) | |
| | | CC | fhanzelk | |
| Lenka Špačková | 2022-09-27 11:01:15 UTC | CC | lmcgarry | |
| | | Docs Contact | fhanzelk | lmcgarry |
| | | Doc Text | Introduction of support for the AES SHA-2 HMAC encryption type family in IPA has caused the Kerberos ticket's PAC (Privilege Attribute Certificate Data Structure) to be signed with encryption types that are not supported by Active Directory. As a | .Invalid KDC signature encryption type for PAC Kerberos ticket's PAC (Privilege Attribute Certificate Data Structure) is now being signed with encryption types that are not supported by Active Directory due to the addition of support for the AES SHA-2 |
| | | Doc Text | consequence, IPA to AD cross-realm requests (i.e. in a two-way trust setup) are failing with the following generic error: "Generic error (see e-text) while getting credentials for <service principal>" | HMAC encryption in IdM. As a consequence, IdM to AD cross-realm requests, that is, two-way trust setups, are failing with the following error: + ---- "Generic error (see e-text) while getting credentials for <service principal>" ---- |
| | | Flags | needinfo?(fdvorak) | |
| | | Doc Text | .Invalid KDC signature encryption type for PAC Kerberos ticket's PAC (Privilege Attribute Certificate Data Structure) is now being signed with encryption types that are not supported by Active Directory due to the addition of support for the AES SHA-2 HMAC encryption in IdM. As a consequence, IdM to AD cross-realm requests, that is, two-way trust setups, are failing with the following error: + ---- "Generic error (see e-text) while getting credentials for <service principal>" ---- | .Invalid KDC signature encryption type for PAC Kerberos ticket's PAC (Privilege Attribute Certificate Data Structure) is now being signed with encryption types that are not supported by Active Directory due to the addition of support for the AES SHA-2 HMAC encryption in IdM. As a consequence, IdM to AD cross-realm requests, that is, two-way trust setups, are failing with the following error: ---- "Generic error (see e-text) while getting credentials for <service principal>" ---- |
| Lenka Špačková | 2022-09-27 11:01:45 UTC | Flags | needinfo?(fhanzelk) | |
| Red Hat One Jira (issues.redhat.com) | 2022-09-30 13:05:07 UTC | Doc Text | .Invalid KDC signature encryption type for PAC Kerberos ticket's PAC (Privilege Attribute Certificate Data Structure) is now being signed with encryption types that are not supported by Active Directory due to the addition of support for the AES SHA-2 | .Invalid KDC signature encryption type for PAC Kerberos ticket's PAC (Privilege Attribute Certificate Data Structure) is now being signed with encryption types that are not supported by Active Directory due to the addition of support for the AES SHA-2 |
| | | Doc Text | HMAC encryption in IdM. As a consequence, IdM to AD cross-realm requests, that is, two-way trust setups, are failing with the following error: ---- "Generic error (see e-text) while getting credentials for <service principal>" ---- | HMAC encryption in IdM. As a consequence, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error: ---- "Generic error (see e-text) while getting credentials for <service principal>" ---- |
| | | Link ID | Red Hat Issue Tracker RHELPLAN-114373 | |
| Filip Dvorak | 2022-10-03 07:44:53 UTC | Flags | needinfo?(fdvorak) | |
| Red Hat One Jira (issues.redhat.com) | 2022-10-03 08:29:42 UTC | Link ID | Red Hat Issue Tracker RHELPLAN-114373 | |
| Gabi Fialová | 2022-10-03 15:53:06 UTC | Doc Text | .Invalid KDC signature encryption type for PAC Kerberos ticket's PAC (Privilege Attribute Certificate Data Structure) is now being signed with encryption types that are not supported by Active Directory due to the addition of support for the AES SHA-2 | .IdM to AD cross-realm TGS requests fail The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). Consequently |
| | | Doc Text | HMAC encryption in IdM. As a consequence, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error: ---- "Generic error (see e-text) while getting credentials for <service principal>" ---- | , IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error: ---- "Generic error (see e-text) while getting credentials for <service principal>" ---- |
| | | CC | gfialova | |
| Red Hat Bugzilla | 2022-11-05 04:17:48 UTC | CC | dpal | |
| Julien Rische | 2023-02-10 19:03:36 UTC | Summary | Invalid KDC signature encryption type for PAC | Invalid KDC signature encryption type for PAC [rhel-9] |
| Lenka Špačková | 2023-03-13 14:22:16 UTC | Doc Text | .IdM to AD cross-realm TGS requests fail The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error: ---- "Generic error (see e-text) while getting credentials for <service principal>" ---- | .IdM to AD cross-realm TGS requests fail The Privilege Attribute Certificate (PAC) information in IdM Kerberos tickets is now signed with AES SHA-2 HMAC encryption, which is not supported by Active Directory (AD). Consequently, IdM to AD cross-realm TGS requests, that is, two-way trust setups, are failing with the following error: ---- Generic error (see e-text) while getting credentials for <service principal> ---- |
| Andrea Perotti | 2023-05-19 10:27:15 UTC | CC | aperotti | |
| Julien Rische | 2023-05-24 09:27:32 UTC | Blocks | 2209621 | |
| Filip Dvorak | 2023-05-30 13:10:46 UTC | QA Contact | fdvorak | mpolovka |
| Red Hat Bugzilla | 2023-05-31 23:36:55 UTC | CC | fdvorak | |
| Sudhir Menon | 2023-07-06 11:18:43 UTC | CC | sumenon | |
| Sudhir Menon | 2023-07-06 11:19:43 UTC | Status | ASSIGNED | NEW |
| | | Deadline | 2023-06-05 | |
| Julien Rische | 2023-07-11 07:57:28 UTC | Status | NEW | ASSIGNED |
| Julien Rische | 2023-08-02 14:41:35 UTC | Link ID | Gitlab redhat/centos-stream/rpms/krb5/-/merge_requests/40 | |
| Julien Rische | 2023-08-09 13:45:45 UTC | Fixed In Version | krb5-1.21.1-1.el9 | |
| | | Status | ASSIGNED | MODIFIED |
| errata-xmlrpc | 2023-08-16 12:58:34 UTC | Status | MODIFIED | ON_QA |
| Ganna Kaihorodova | 2023-08-17 09:36:35 UTC | CC | gkaihoro | |
| | | Assignee | jrische | gkaihoro |
| Ganna Kaihorodova | 2023-08-17 09:48:08 UTC | Status | ON_QA | VERIFIED |
| Ganna Kaihorodova | 2023-08-17 09:49:16 UTC | QA Contact | mpolovka | gkaihoro |
| | | Assignee | gkaihoro | jrische |