Bug 970618
Summary: | [RFE] pac-type change must be effective immediately without kdc restart | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Dmitri Pal <dpal> |
Component: | ipa | Assignee: | Martin Kosek <mkosek> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 7.0 | CC: | mkosek, mnavrati, rmainz, sgoveas |
Target Milestone: | rc | Keywords: | FutureFeature |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-4.0.3-1.el7 | Doc Type: | Bug Fix |
Doc Text: |
The following known issue description has been removed from the RHEL 7.0 Release Notes.
The Identity Manager (IdM) Kerberos driver does not actively update default PAC types for Kerberos tickets issued by IdM Kerberos key distribution center (KDC). Consequently, if the default list of PAC types is changed in the IdM configuration, the IdM Kerberos KDC does not generate the configured PAC types for the issued tickets until the KDC is restarted. To change the default list, run the "ipa config-mod --pac-type <NEW-PAC-TYPES>" command. To work around this problem, restart the IdM Kerberos KDC service on all IdM servers. As a result, IdM Kerberos KDC generates the configured PAC types as set in the IdM server configuration.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2015-03-05 10:09:24 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1168850 |
Description
Dmitri Pal
2013-06-04 13:11:45 UTC
This is a release note BZ for 7.0. If this feature or issue should be documented in the Release or Technical Notes for RHEL 7.0 Beta, please select the correct Doc Type from the drop-down menu and enter a description in Doc Text. For info about the differences between known issues, driver updates, deprecated functionality, release notes and Technology Previews, see: https://engineering.redhat.com/docs/en-US/Policy/70.ecs/html-single/Describing_Errata_Release_and_Technical_Notes_for_Engineers/index.html#bh-known_issue
If you have questions, please email rhel-notes.

Filling Known Issue doc text for 7.0

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4153

*** Bug 970620 has been marked as a duplicate of this bug. ***

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8b2f4443dcf61e1edf59ef0812ed05e1fa93f8fc

Verified in version

```
[root@vm-idm-019 ~]# rpm -q ipa-server
ipa-server-4.1.0-16.el7.x86_64
[root@vm-idm-019 ~]# kdestroy
[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin:
[root@vm-idm-019 ~]# ipa config-show | grep PAC
  Default PAC types: nfs:NONE, MS-PAC
[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:01:00  01/29/2015 02:01:00  krbtgt/IPAVIEWS.TEST
[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt
-rw-------. 1 root root 1453 Jan 28 02:01 /tmp/krb5cc_0.d/tkt

[root@vm-idm-019 ~]# ipa config-mod --pac-type PAD
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipaviews.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPAVIEWS.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: PAD
[root@vm-idm-019 ~]# kdestroy
[root@vm-idm-019 ~]# sleep 30
[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin:
[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:02:30  01/29/2015 02:02:30  krbtgt/IPAVIEWS.TEST
[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt
-rw-------. 1 root root 894 Jan 28 02:02 /tmp/krb5cc_0.d/tkt

[root@vm-idm-019 ~]# ipa config-mod --pac-type "nfs:NONE" --pac-type "MS-PAC"
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: ipaviews.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=IPAVIEWS.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC
[root@vm-idm-019 ~]# kdestroy
[root@vm-idm-019 ~]# sleep 30
[root@vm-idm-019 ~]# echo Secret123 | kinit admin
Password for admin:
[root@vm-idm-019 ~]# klist
Ticket cache: DIR::/tmp/krb5cc_0.d/tkt
Default principal: admin

Valid starting       Expires              Service principal
01/28/2015 02:04:44  01/29/2015 02:04:44  krbtgt/IPAVIEWS.TEST
[root@vm-idm-019 ~]# ll /tmp/krb5cc_0.d/tkt
-rw-------. 1 root root 1453 Jan 28 02:04 /tmp/krb5cc_0.d/tkt
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html
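The workaround in the doc text (change the list with `ipa config-mod --pac-type`, restart the KDC if the change is not picked up) and the check the verification comment performs (fresh TGT before and after, compare credential-cache sizes) put together as one script. This is an added example, not code from the bug report or from FreeIPA. It assumes an enrolled IdM host, a principal whose password sits in a file, and a `FILE:` or `DIR::` credential cache that `klist` reports (a `KEYRING:` or `KCM:` cache has no file to measure). The script name `pac-check.sh`, the password file and the 30-second wait copied from the QA comment are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the bug report or from FreeIPA itself.
# Applies a new default PAC type list with "ipa config-mod --pac-type" and
# then checks, as the verification comment does, whether the KDC picked it
# up without a restart: a fresh TGT is fetched before and after the change
# and the two credential-cache sizes are compared (MS-PAC present vs. absent
# showed 1453 vs. 894 bytes in the comment above).
#
# Assumptions: run on an enrolled IdM host as a user allowed to run
# ipa config-mod; the principal's password is in a file; the ticket cache is
# a FILE: or DIR:: cache (KEYRING:/KCM: caches have no file to measure).

# Pure text helper: pull "Default PAC types" out of `ipa config-show` output.
pac_types_from_config() {
    sed -n 's/^ *Default PAC types: *//p'
}

# Pure text helper: turn "nfs:NONE, MS-PAC" into the repeated --pac-type
# arguments config-mod expects, e.g. "--pac-type nfs:NONE --pac-type MS-PAC".
pac_type_args() {
    args=
    for t in $(printf '%s\n' "$1" | tr ',' ' '); do
        args="$args${args:+ }--pac-type $t"
    done
    printf '%s\n' "$args"
}

# True (exit 0) when the two sizes differ, i.e. the TGT contents changed.
tgt_size_changed() {
    [ "$1" -ne "$2" ]
}

# Path of the credential cache klist reports, FILE:/DIR:: prefix removed.
ccache_path() {
    klist 2>/dev/null | sed -n 's/^Ticket cache: *//p' | sed 's/^FILE://; s/^DIR:://'
}

# Throw away the current TGT, get a fresh one for principal $1 (password
# read from file $2, as "echo ... | kinit" does) and print the cache size.
fresh_tgt_size() {
    kdestroy >/dev/null 2>&1 || true
    kinit "$1" < "$2" >/dev/null
    wc -c < "$(ccache_path)"
}

# Usage: sh pac-check.sh admin /root/admin.pw PAD
# The helpers above have no side effects, so sourcing this file without
# arguments runs nothing.
if [ -n "${3:-}" ]; then
    princ=$1 pwfile=$2 newtype=$3
    old=$(ipa config-show | pac_types_from_config)
    before=$(fresh_tgt_size "$princ" "$pwfile")
    ipa config-mod --pac-type "$newtype" >/dev/null
    sleep 30   # the verification comment waited 30 s before re-kiniting
    after=$(fresh_tgt_size "$princ" "$pwfile")
    if tgt_size_changed "$before" "$after"; then
        echo "KDC honoured '$newtype' without a restart: TGT $before -> $after bytes"
    else
        echo "TGT still $before bytes: KDC may need 'ipactl restart' (or 'systemctl restart krb5kdc') on every IdM server"
    fi
    # Restore the previous list, e.g. --pac-type nfs:NONE --pac-type MS-PAC
    if [ -n "$old" ]; then
        set -- $(pac_type_args "$old")
        ipa config-mod "$@" >/dev/null
    fi
fi
```

The size comparison is only a proxy: the PAC lives in the encrypted part of the TGT, so the client cannot read it directly, and a new list that produces a PAC of the same size as the old one will look unchanged. Use it the way the QA comment did, switching between a list with MS-PAC and one without, where the difference is several hundred bytes.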