[RHEL-10495] Tolerate absence of AD-SIGNEDPATH [rhel-8.10]

Type: Bug
Resolution: Done-Errata
Priority: Critical
Fix Version/s: rhel-8.10
Affects Version/s: rhel-8.8.0
Component/s: ipa
Labels:
- Triaged
- fixed_upstream

Fixed in Build:
krb5-1.18.2-26.el8_9
Regression:
None
Severity:
None
Epic Link:
FREEIPA-10423
Keywords:

ZStream
sprint_count:
7

Pool Team:

rhel-sst-idm-ipa

Dev Target Milestone:
13
Internal Target Milestone:
14
Story Points:
5
ACKs Check:

QE ack, Dev ack
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3, 2023-Q4-Bravo-S4, 2023-Q4-Bravo-S5, 2023-Q4-Bravo-S6
Release Blocker:
Approved Blocker

Preliminary Testing:
Pass
Errata Link:
https://errata.devel.redhat.com/advisory/125343
Test Coverage:

Automated

Release Note Type:
Bug Fix
Release Note Text:

Hide
.Kerberos Key Distribution Centers version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute.

With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running Kerberos 1.20 and newer, as they no longer require `AD-SIGNTICKET` when a Privileged Attribute Certificate (PAC) is present.

Show
.Kerberos Key Distribution Centers version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute. With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running Kerberos 1.20 and newer, as they no longer require `AD-SIGNTICKET` when a Privileged Attribute Certificate (PAC) is present.
Release Note Status:
Done

Experience:

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Cloned from https://pagure.io/freeipa/issue/9448

***
Upstream mailing list discussion thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FLZYF6YKRRU5DIJ6RCYLJKI6Y2MGRE4B/

If evidence ticket is issued by IPA KDC running krb5 1.20+, IPA KDC running krb5 1.18.2 or earlier will fail the request with a KRB5KDC_ERR_BADOPTION error ("KDC can't fulfill requested option"):

Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ : handle_authdata (-1765328371) Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26), aes128-cts-hmac-sha1-96(17), aes128-cts-hmac-sha256-128(19), camellia128-cts-cmac(25)}) 192.168.88.5: HANDLE_AUTHDATA: authtime 1694078668, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM for ldap/ipa5.ipa.example.com(a)IPA.EXAMPLE.COM, KDC can't fulfill requested option Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): ... CONSTRAINED-DELEGATION s4u-client=host/xoanon.ipa.example.com(a)IPA.EXAMPLE.COM Sep 07 09:24:40 ipa5.ipa.example.com krb5kdc[239017](info): closing down fd 12

relates to

RHEL-10514 Allow to make AD-SIGNEDPATH optional

Closed

links to

RHBA-2023:125343 idm:client and idm:DL1 bug fix and enhancement update

mentioned on

Merge request - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

Merge request - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older [rhel-8.10]

Michal Polovka made changes - 2024/06/18 12:35 PM

Test Coverage

Original: Yes [ 31555 ]

New: Automated [ 38950 ]

Errata Tool made changes - 2024/05/22 9:40 AM

Resolution		New: Done-Errata [ 10803 ]
Status	Original: Release Pending [ 15735 ]	New: Closed [ 6 ]

Errata Tool added a comment - 2024/05/22 9:40 AM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (Moderate: idm:DL1 security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:3044

Errata Tool added a comment - 2024/05/22 9:40 AM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Moderate: idm:DL1 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:3044

Errata Tool made changes - 2024/05/22 9:40 AM

Release Date

New: 2024/05/22

Dominika Borges made changes - 2024/05/17 8:43 AM

Release Note Text

Original: .Kerberos Key Distribution Centers (KDCs) version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute.

With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running Kerberos 1.20 and newer, as they no longer require `AD-SIGNTICKET` when a Privileged Attribute Certificate (PAC) is present.

New: .Kerberos Key Distribution Centers version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute.

With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running Kerberos 1.20 and newer, as they no longer require `AD-SIGNTICKET` when a Privileged Attribute Certificate (PAC) is present.

Raju Anumula made changes - 2024/04/23 9:10 AM

Workflow

Original: Copy 3 of RHEL in Jira [ 25398654 ]

New: RHEL in Jira [ 25426796 ]

Raju Anumula made changes - 2024/04/23 9:01 AM

Workflow

Original: RHEL in Jira [ 24447748 ]

New: Copy 3 of RHEL in Jira [ 25398654 ]

Dominika Borges made changes - 2024/04/08 10:06 AM

Release Note Status

Original: In Progress [ 30960 ]

New: Done [ 30963 ]

Dominika Borges made changes - 2024/04/08 10:06 AM

Release Note Text

Original: .Kerberos Key Distribution Centers (KDCs) version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute.

With this update, the earlier versions of KDC no longer require `AD-SIGNTICKET` if a Privileged Attribute Certificate (PAC) is present. As a result, evidence tickets generated by Kerberos 1.20 and newer KDCs are now successfully processed.

New: .Kerberos Key Distribution Centers (KDCs) version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute.

With this update, earlier versions of KDC now accept evidence tickets generated by KDCs running Kerberos 1.20 and newer, as they no longer require `AD-SIGNTICKET` when a Privileged Attribute Certificate (PAC) is present.

Dominika Borges added a comment - 2024/04/05 12:27 PM

The release notes text is now updated with suggestions from the peer review.

Dominika Borges added a comment - 2024/04/05 12:27 PM The release notes text is now updated with suggestions from the peer review.

Dominika Borges made changes - 2024/04/05 12:25 PM

Release Note Text

Original: .Kerberos Key Distribution Centers (KDCs) 1.20 and later versions now process tickets generated from KDCs running 1.18.2 and earlier versions

A compatibility issue has occurred between Key Distribution Center (KDC) running Kerberos 1.20 or later versions and KDC running 1.18.2 and earlier versions. As a consequence, when evidence tickets issued by KDCs running Kerberos 1.20 and later versions were sent to KDCs running Kerberos 1.18.2 and earlier versions, the older KDC rejected the ticket granting service request due to missing support for `AD-SIGNTICKET` attribute.

With this update, the earlier versions of KDC no longer require `AD-SIGNTICKET` if a Privileged Attribute Certificate (PAC) is present. As a result, evidence tickets generated by Kerberos 1.20 and newer KDCs are now successfully processed.

New: .Kerberos Key Distribution Centers (KDCs) version 1.20 and later now process tickets generated from KDCs running version 1.18.2 and earlier

Previously, a compatibility issue occurred between a Key Distribution Center (KDC) running Kerberos version 1.20 or later and a KDC running version 1.18.2 or earlier. As a consequence, when evidence tickets issued by the KDC running Kerberos 1.20 or later were sent to the KDC running Kerberos 1.18.2 or earlier, the older KDC rejected the ticket granting service request because it lacked support for the `AD-SIGNTICKET` attribute.

With this update, the earlier versions of KDC no longer require `AD-SIGNTICKET` if a Privileged Attribute Certificate (PAC) is present. As a result, evidence tickets generated by Kerberos 1.20 and newer KDCs are now successfully processed.

Dominika Borges added a comment - 2024/04/04 12:29 PM

Hi jrische@redhat.com, thanks for the review. I updated the text and will move to the peer review.
Regarding using the present perfect tense, I believe it reflects that the resolution has occurred in the past and currently the issue is fixed. I'll check this with another writer

Dominika Borges added a comment - 2024/04/04 12:29 PM Hi jrische@redhat.com , thanks for the review. I updated the text and will move to the peer review. Regarding using the present perfect tense, I believe it reflects that the resolution has occurred in the past and currently the issue is fixed. I'll check this with another writer

Dominika Borges made changes - 2024/04/04 12:26 PM

Release Note Text

Original: .Kerberos Key Distribution Centers (KDCs) 1.20 and later versions now process tickets generated from KDCs running 1.18.2 and earlier versions

A compatibility issue has occurred between Key Distribution Center (KDC) running Kerberos 1.20 or later versions and KDC running 1.18.2 and earlier versions. As a consequence, when evidence tickets issued by KDCs running Kerberos 1.20 and later versions were sent to KDCs running Kerberos 1.18.2 and earlier versions, the older KDC failed the ticket granting service request due to missing support for `AD-SIGNTICKET` attribute.

With this update, the earlier versions of KDC no longer require `AD-SIGNTICKET` if a Privileged Attribute Certificate (PAC) is present. As a result, evidence tickets generated by Kerberos 1.20 and newer KDCs are now successfully processed.

New: .Kerberos Key Distribution Centers (KDCs) 1.20 and later versions now process tickets generated from KDCs running 1.18.2 and earlier versions

A compatibility issue has occurred between Key Distribution Center (KDC) running Kerberos 1.20 or later versions and KDC running 1.18.2 and earlier versions. As a consequence, when evidence tickets issued by KDCs running Kerberos 1.20 and later versions were sent to KDCs running Kerberos 1.18.2 and earlier versions, the older KDC rejected the ticket granting service request due to missing support for `AD-SIGNTICKET` attribute.

With this update, the earlier versions of KDC no longer require `AD-SIGNTICKET` if a Privileged Attribute Certificate (PAC) is present. As a result, evidence tickets generated by Kerberos 1.20 and newer KDCs are now successfully processed.

Julien Rische added a comment - 2024/04/03 3:09 PM

Hello Dominika,
Sorry about the delay. I would just make these comments:

"A compatibility issue has occurred between [...]": It sounds like it is a ad hoc thing, while it is actually systematic. Without this update, the failure will occur each time this scenario happen. So I'd rather say "A compatibility issues occurs between [...]"
"the older KDC failed the ticket granting service request": I feel like "to fail the request" is not the best expression here. I would rather say "the older KDC rejects the ticket granting service request". It is not really a bug, it's just that the request is missing some data that are required by the 1.20 KDC by default.

The rest is good as it is.

Julien Rische added a comment - 2024/04/03 3:09 PM Hello Dominika, Sorry about the delay. I would just make these comments: "A compatibility issue has occurred between [...] ": It sounds like it is a ad hoc thing, while it is actually systematic. Without this update, the failure will occur each time this scenario happen. So I'd rather say "A compatibility issues occurs between [...] " "the older KDC failed the ticket granting service request": I feel like "to fail the request" is not the best expression here. I would rather say "the older KDC rejects the ticket granting service request". It is not really a bug, it's just that the request is missing some data that are required by the 1.20 KDC by default. The rest is good as it is.

Dominika Borges added a comment - 2024/03/28 12:48 PM

jrische@redhat.com I added release notes text. Could you please review the text to see if it is accurate?

Dominika Borges added a comment - 2024/03/28 12:48 PM jrische@redhat.com I added release notes text. Could you please review the text to see if it is accurate?

Dominika Borges made changes - 2024/03/28 12:37 PM

Release Note Status		New: In Progress [ 30960 ]
Release Note Text		New: .Kerberos Key Distribution Centers (KDCs) 1.20 and later versions now process tickets generated from KDCs running 1.18.2 and earlier versions A compatibility issue has occurred between Key Distribution Center (KDC) running Kerberos 1.20 or later versions and KDC running 1.18.2 and earlier versions. As a consequence, when evidence tickets issued by KDCs running Kerberos 1.20 and later versions were sent to KDCs running Kerberos 1.18.2 and earlier versions, the older KDC failed the ticket granting service request due to missing support for `AD-SIGNTICKET` attribute. With this update, the earlier versions of KDC no longer require `AD-SIGNTICKET` if a Privileged Attribute Certificate (PAC) is present. As a result, evidence tickets generated by Kerberos 1.20 and newer KDCs are now successfully processed.
Release Note Type	Original: If docs needed, set a value [ 31859 ]	New: Bug Fix [ 30950 ]

Dominika Borges made changes - 2024/03/28 12:36 PM

Doc Contact

New: Dominika Borges [ dvagnero ]

Tomas Capek made changes - 2024/01/18 3:54 PM

Release Note Type

Original: Unspecified Release Note Type - Unknown [ 30957 ]

New: If docs needed, set a value [ 31859 ]

Rui Ormonde made changes - 2024/01/17 12:46 PM

Product Documentation Required		New: Yes [ 36650 ]
Release Note Type		New: Unspecified Release Note Type - Unknown [ 30957 ]

Michal Polovka made changes - 2024/01/17 7:45 AM

Test Coverage

New: Yes [ 31555 ]

David Vozenilek made changes - 2023/12/17 7:19 PM

Link

New: This issue is documented by RHELPLAN-168840 [ RHELPLAN-168840 ]

Michal Polovka made changes - 2023/12/13 12:25 PM

Status

Original: Integration [ 18721 ]

New: Release Pending [ 15735 ]

Michal Polovka made changes - 2023/12/13 12:23 PM

Sprint

Original: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3, 2023-Q4-Bravo-S4, 2023-Q4-Bravo-S5 [ 54447, 56017, 56018, 56019, 56020, 56022 ]

New: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3, 2023-Q4-Bravo-S4, 2023-Q4-Bravo-S5, 2023-Q4-Bravo-S6 [ 54447, 56017, 56018, 56019, 56020, 56022, 56023 ]

Errata Tool made changes - 2023/12/11 6:34 PM

Remote Link

New: This issue links to "~~RHBA-2023~~:125343 (Web Link)" [ 1500607 ]

RHEL Jira bot made changes - 2023/12/11 6:34 PM

Status

Original: Release Pending [ 15735 ]

New: Integration [ 18721 ]

Errata Tool made changes - 2023/12/11 6:34 PM

Errata Link

New: https://errata.devel.redhat.com/advisory/125343

Michal Polovka made changes - 2023/12/07 2:01 PM

Status

Original: Integration [ 18721 ]

New: Release Pending [ 15735 ]

Florence Renaud made changes - 2023/12/06 8:49 AM

Epic Link

New: FREEIPA-10423 [ 15535795 ]

Michal Polovka made changes - 2023/11/28 11:26 AM

Sprint

Original: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3, 2023-Q4-Bravo-S4 [ 54447, 56017, 56018, 56019, 56020 ]

New: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3, 2023-Q4-Bravo-S4, 2023-Q4-Bravo-S5 [ 54447, 56017, 56018, 56019, 56020, 56022 ]

Rafael Jeffman made changes - 2023/11/22 1:39 PM

Status

Original: In Progress [ 10018 ]

New: Integration [ 18721 ]

Watson Automation made changes - 2023/11/20 12:44 PM

Target end

Original: 2023/11/20

New: 2023/12/04

Watson Automation made changes - 2023/11/20 12:44 PM

Dev Target end

Original: 2023/11/13

New: 2023/11/27

Anuja More made changes - 2023/11/20 12:43 PM

Internal Target Milestone

New: 14 [ 27963 ]

RHEL Jira bot made changes - 2023/11/20 12:43 PM

Internal Target Milestone

Original: 12 [ 27961 ]

Anuja More made changes - 2023/11/20 12:43 PM

Dev Target Milestone

Original: 11 [ 16976 ]

New: 13 [ 16978 ]

Rafael Jeffman made changes - 2023/11/17 2:45 PM

Status

Original: Integration [ 18721 ]

New: In Progress [ 10018 ]

Rafael Jeffman made changes - 2023/11/17 2:44 PM

Status

Original: In Progress [ 10018 ]

New: Integration [ 18721 ]

Julien Rische made changes - 2023/11/16 2:27 PM

Assignee

Original: Julien Rische [ jrische@redhat.com ]

New: Rafael Jeffman [ rjeffman@redhat.com ]

Julien Rische made changes - 2023/11/16 2:27 PM

Developer

New: Julien Rische [ JIRAUSER179310 ]

Michal Polovka made changes - 2023/11/13 1:40 PM

Sprint

Original: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3 [ 54447, 56017, 56018, 56019 ]

New: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3, 2023-Q4-Bravo-S4 [ 54447, 56017, 56018, 56019, 56020 ]

Michal Polovka made changes - 2023/10/30 1:36 PM

Sprint

Original: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2 [ 54447, 56017, 56018 ]

New: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2, 2023-Q4-Bravo-S3 [ 54447, 56017, 56018, 56019 ]

Julien Rische made changes - 2023/10/30 9:33 AM

Docs Impact

Original: Unspecified [ 30765 ]

New: RN only [ 30768 ]

Michal Polovka made changes - 2023/10/25 9:00 AM

Preliminary Testing

New: Pass [ 34174 ]

gitlab-bot made changes - 2023/10/24 2:57 PM

Remote Link

New: This issue links to "Merge request - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older (Web Link)" [ 1447893 ]

gitlab-bot added a comment - 2023/10/24 2:57 PM

Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch c8s_adsignedpath:

ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

gitlab-bot added a comment - 2023/10/24 2:57 PM Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch c8s_adsignedpath : ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

Francisco Trivino Garcia made changes - 2023/10/24 12:09 PM

Sprint

Original: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1 [ 54447, 56017 ]

New: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1, 2023-Q4-Bravo-S2 [ 54447, 56017, 56018 ]

Rafael Jeffman added a comment - 2023/10/23 2:17 PM

The fix will be inherited from RHEL 8.9 bulid.

Rafael Jeffman added a comment - 2023/10/23 2:17 PM The fix will be inherited from RHEL 8.9 bulid.

Rafael Jeffman made changes - 2023/10/23 2:16 PM

Fixed in Build

New: krb5-1.18.2-26.el8_9

Michal Polovka made changes - 2023/10/20 12:28 PM

ACKs Check

Original: Dev ack [ 31165 ]

New: QE ack,Dev ack [ 31163, 31165 ]

Watson Automation made changes - 2023/10/20 12:26 PM

Target end

Original: 2023/10/30

New: 2023/11/20

Francisco Trivino Garcia made changes - 2023/10/20 12:26 PM

Internal Target Milestone

Original: 9 [ 27958 ]

New: 12 [ 27961 ]

Watson Automation made changes - 2023/10/20 12:25 PM

Dev Target end

New: 2023/11/13

Julien Rische made changes - 2023/10/20 12:25 PM

Dev Target Milestone

New: 11 [ 16976 ]

Watson Automation made changes - 2023/10/20 12:23 PM

Internal Target Milestone

New: 9 [ 27958 ]

Francisco Trivino Garcia made changes - 2023/10/20 12:23 PM

Target end

New: 2023/10/30

Julien Rische made changes - 2023/10/17 12:40 PM

Labels

Original: Triaged

New: Triaged fixed_upstream

Michal Polovka made changes - 2023/10/09 9:47 AM

QA Contact

New: Michal Polovka [ mpolovka ]

Julien Rische made changes - 2023/10/09 9:36 AM

Link

Original: This issue is depended on by FREEIPA-10410 [ FREEIPA-10410 ]

Julien Rische made changes - 2023/10/09 9:08 AM

Summary

Original: Tolerate absence of AD-SIGNEDPATH

New: Tolerate absence of AD-SIGNEDPATH [rhel-8.10]

Watson Automation made changes - 2023/10/09 9:07 AM

Keywords

New: ZStream [ 34163 ]

Watson Automation made changes - 2023/10/09 9:07 AM

Release Blocker

New: Approved Blocker [ 34567 ]

Watson Automation made changes - 2023/10/09 9:07 AM

Link

New: This issue is cloned by RHEL-12198 [ RHEL-12198 ]

RHEL Jira bot made changes - 2023/10/09 9:07 AM

Request Clones

Original: Latest Z-stream [ 33995 ]

Julien Rische made changes - 2023/10/09 9:07 AM

Request Clones

New: Latest Z-stream [ 33995 ]

Julien Rische made changes - 2023/10/09 9:04 AM

Fix Version/s		New: rhel-8.10.0 [ 12407280 ]
Fix Version/s	Original: rhel-8.9.0.z [ 12411656 ]

gitlab-bot made changes - 2023/10/09 9:03 AM

Remote Link

New: This issue links to "Merge request - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older [rhel-8.10] (Web Link)" [ 1428904 ]

gitlab-bot added a comment - 2023/10/09 9:03 AM

Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch rhel_8.10_adsignedpath:

ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older [rhel-8.10]

gitlab-bot added a comment - 2023/10/09 9:03 AM Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch rhel_8.10_adsignedpath : ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older [rhel-8.10]

gitlab-bot made changes - 2023/10/04 4:16 PM

Remote Link

New: This issue links to "Merge request - ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older (Web Link)" [ 1424213 ]

gitlab-bot added a comment - 2023/10/04 4:16 PM

Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch c8s_adsignedpath:

ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

gitlab-bot added a comment - 2023/10/04 4:16 PM Julien Rische mentioned this issue in a merge request of Red Hat / centos-stream / rpms / ipa on branch c8s_adsignedpath : ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older

Francisco Trivino Garcia made changes - 2023/10/02 12:39 PM

Story Points

New: 5

Francisco Trivino Garcia made changes - 2023/10/02 12:34 PM

Sprint

Original: 2023-Q3-Bravo-S6 [ 54447 ]

New: 2023-Q3-Bravo-S6, 2023-Q4-Bravo-S1 [ 54447, 56017 ]

Rafael Jeffman made changes - 2023/09/29 1:58 PM

Link

New: This issue is depended on by FREEIPA-10410 [ FREEIPA-10410 ]

Julien Rische made changes - 2023/09/29 8:36 AM

Fix Version/s

Original: rhel-8.9.0 [ 12398178 ]

Julien Rische made changes - 2023/09/29 7:58 AM

Fix Version/s

New: rhel-8.9.0.z [ 12411656 ]

Julien Rische made changes - 2023/09/29 7:58 AM

Fix Version/s

New: rhel-8.9.0 [ 12398178 ]

Julien Rische made changes - 2023/09/28 4:25 PM

Summary

Original: FreeIPA 4.9 KDB rejects FreeIPA 4.10 KDB-issued evidence ticket in S4U processing

New: Tolerate absence of AD-SIGNEDPATH

Julien Rische made changes - 2023/09/28 4:02 PM

Link

New: This issue relates to ~~RHEL-10514~~ [ ~~RHEL-10514~~ ]

Julien Rische made changes - 2023/09/28 3:48 PM

Security

Original: Red Hat Employee [ 11697 ]

RHEL Jira bot made changes - 2023/09/28 3:48 PM

Link

New: This issue is related to ATTACH-5991 [ ATTACH-5991 ]

Julien Rische made changes - 2023/09/28 3:47 PM

Security

New: Red Hat Employee [ 11697 ]

Julien Rische made changes - 2023/09/28 3:46 PM

Component/s		New: ipa [ 12378231 ]
Reset contact to default	Original: Assignee,Qa Contact,Doc Contact,Pool Team,Watchers,Developer [ 32051, 32052, 32053, 32054, 32055, 32850 ]
Affects Version/s		New: rhel-8.8.0 [ 12392170 ]

Julien Rische made changes - 2023/09/28 3:45 PM

3scale PT Docs		New: Not Started [ 12953 ]
ACKs Check		New: Dev ack [ 31165 ]
Affects Testing	Original: Testable [ 30850 ]
BZ Doc Text	Original:
BZ Keywords	Original: Unset
Dev Approval	Original: ? [ 17170 ]
Docs Impact		New: Unspecified [ 30765 ]
Hold	Original: False [ 15468 ]
Key	Original: ~~FREEIPA-10393~~	New: ~~RHEL-10495~~
PM Approval	Original: ? [ 17169 ]
QE Approval	Original: ? [ 17171 ]
Reset contact to default		New: Assignee,Qa Contact,Doc Contact,Pool Team,Watchers,Developer [ 32051, 32052, 32053, 32054, 32055, 32850 ]
Workflow	Original: OJA-WF-U [ 24351264 ]	New: RHEL in Jira [ 24447748 ]
Project	Original: FreeIPA [ 12325035 ]	New: RHEL [ 12332745 ]
Status	Original: ASSIGNED [ 14452 ]	New: In Progress [ 10018 ]

Francisco Trivino Garcia made changes - 2023/09/18 12:21 PM

Labels

New: Triaged

Francisco Trivino Garcia made changes - 2023/09/18 12:21 PM

Status

Original: New [ 10016 ]

New: ASSIGNED [ 14452 ]

Francisco Trivino Garcia made changes - 2023/09/18 12:21 PM

Sprint

New: 2023-Q3-Bravo-S6 [ 54447 ]

Francisco Trivino Garcia made changes - 2023/09/18 12:20 PM

Assignee

New: Julien Rische [ jrische@redhat.com ]

Francisco Trivino Garcia made changes - 2023/09/18 11:12 AM

Priority

Original: Undefined [ 10300 ]

New: Critical [ 2 ]

Francisco Trivino Garcia made changes - 2023/09/18 11:12 AM

Team

New: sst_idm_ipa_bravo

Michal Jurasek made changes - 2023/09/18 11:11 AM

Pool Team

New: sst_idm_ipa [ 17378 ]

Francisco Trivino Garcia created issue - 2023/09/18 11:11 AM

Assignee:: Rafael Jeffman

Reporter:: Francisco Trivino Garcia

Developer:: Julien Rische

QA Contact:: Michal Polovka

Doc Contact:: Dominika Borges

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Created:: 2023/09/18 11:11 AM

Updated:: 2024/06/18 12:35 PM

Resolved:: 2024/05/22 9:40 AM

Dev Target end:: 2023/11/27

Target end:: 2023/12/04

Release Date:: 2024/05/22

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Errata Tool added a comment - 2024/05/22 9:40 AM

Expand comment: Errata Tool added a comment - 2024/05/22 9:40 AM

Collapse comment: Dominika Borges added a comment - 2024/04/05 12:27 PM

Expand comment: Dominika Borges added a comment - 2024/04/05 12:27 PM

Collapse comment: Dominika Borges added a comment - 2024/04/04 12:29 PM

Expand comment: Dominika Borges added a comment - 2024/04/04 12:29 PM

Collapse comment: Julien Rische added a comment - 2024/04/03 3:09 PM

Expand comment: Julien Rische added a comment - 2024/04/03 3:09 PM

Collapse comment: Dominika Borges added a comment - 2024/03/28 12:48 PM

Expand comment: Dominika Borges added a comment - 2024/03/28 12:48 PM

Collapse comment: gitlab-bot added a comment - 2023/10/24 2:57 PM

Expand comment: gitlab-bot added a comment - 2023/10/24 2:57 PM

Collapse comment: Rafael Jeffman added a comment - 2023/10/23 2:17 PM

Expand comment: Rafael Jeffman added a comment - 2023/10/23 2:17 PM

Collapse comment: gitlab-bot added a comment - 2023/10/09 9:03 AM

Expand comment: gitlab-bot added a comment - 2023/10/09 9:03 AM

Collapse comment: gitlab-bot added a comment - 2023/10/04 4:16 PM

Expand comment: gitlab-bot added a comment - 2023/10/04 4:16 PM

People

Dates