Bug 1609872
| Summary: | Authentication to UI with client cert fails after password reset | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Rob Crittenden <rcritten> |
| Component: | doc-Linux_Domain_Identity_Management_Guide | Assignee: | Marc Muehlfeld <mmuehlfe> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.4 | CC: | pvoborni, rcritten, rhel-docs, tscherf |
| Target Milestone: | rc | Keywords: | Documentation, EasyFix |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-04-09 10:32:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Rob Crittenden
2018-07-30 17:08:31 UTC
Creating a doc bug out of an issue reported upstream. The gist is: From a Kerberos perspective, what's happening here is that the principal has the +needchange flag set. The historical meaning of this flag is that the principal will be locked out of authenticating to all services except kadmin/changepw, which allows it to change its password. Kerberos sort of expects that either users will use a password (e.g., with encrypted timestamp or SPAKE) or they will use a certificate (pkinit). We're therefore disinclined to change this behavior since we don't expect users to encounter it, and the necessity for change of password is considered "high priority".

Windows Integration Guide, Linux Domain Identity, Authentication, and Policy Guide and System-Level Authentication Guide are live. The update is now available on the Customer Portal.
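As an added illustration (not part of the bug report, nor IPA or MIT Kerberos code), a small Python check that parses constructed `kadmin.local getprinc` output, detects the +needchange state the reporter describes (MIT kadmin displays it as the REQUIRES_PWCHANGE attribute), and models which service tickets such a principal can expect until the password is changed; the principal, realm and service names are made up.

```python
from typing import Dict

# Constructed sample (not from the bug report): roughly what
# `kadmin.local -q "getprinc alice"` prints on an MIT Kerberos KDC after
# `modprinc +needchange alice`. Field names are the real ones; values are made up.
SAMPLE_GETPRINC = """\
Principal: alice@EXAMPLE.TEST
Expiration date: [never]
Last password change: Mon Jul 30 17:00:00 UTC 2018
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jul 30 17:00:00 UTC 2018 (admin/admin@EXAMPLE.TEST)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH REQUIRES_PWCHANGE
Policy: [none]
"""

def parse_getprinc(text: str) -> Dict[str, str]:
    """Turn the 'Field: value' lines of getprinc output into a dict.
    A field with no value (e.g. a bare 'Attributes:') maps to ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def needs_password_change(fields: Dict[str, str]) -> bool:
    """True when the principal carries +needchange (shown as REQUIRES_PWCHANGE)."""
    return "REQUIRES_PWCHANGE" in fields.get("Attributes", "").split()

def ticket_expected(fields: Dict[str, str], service: str) -> bool:
    """Model of the KDC behaviour described in the report: a principal that must
    change its password only gets tickets for kadmin/changepw, regardless of
    whether it pre-authenticated with a password or a certificate (PKINIT)."""
    if not needs_password_change(fields):
        return True
    return service.split("@", 1)[0] == "kadmin/changepw"

if __name__ == "__main__":
    info = parse_getprinc(SAMPLE_GETPRINC)
    for svc in ("HTTP/ipa.example.test@EXAMPLE.TEST", "kadmin/changepw@EXAMPLE.TEST"):
        print(svc, "->", "ticket" if ticket_expected(info, svc) else "refused until password changed")
```

In an IPA deployment the same check explains why a client-certificate login to the web UI fails right after an administrative password reset: the HTTP service ticket is refused until the user has changed the password.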