Bug
Resolution: Unresolved
Critical
rhel-8.10
Yes
Low
rhel-idm-ipa
False
False
Red Hat Enterprise Linux
x86_64
After updating ipa-server (and its related components, including ipa-client, etc.) from 4.9.13-18 to 4.9.13-20 I am getting authentication failures from Identity Management's Kerberos. The messages in the KDC log are of the form:
Oct 04 16:47:09 server.example.com krb5kdc[3419612](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) fd31:aeb1:48df:0:12ff:bda9:3582:4de0: PAC_ENFORCEMENT_TGT_WITHOUT_PAC: authtime 1759610504, etypes {rep=UNSUPPORTED:(0)} brian@EXAMPLE.COM for imap/server.example.com@EXAMPLE.COM, No such file or directory
This is now causing all authentication on the network to fail, hence the Critical Priority setting.
It seems this might be related to this ipa-server RPM changelog entry:
* Thu Sep 11 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-19
- Enforce uniqueness across krbprincipalname and krbcanonicalname
- ipa-kdb: enforce PAC presence on TGT for TGS-REQ
- ipatests: extend test for unique krbcanonicalname
- Resolves: RHEL-110061
Unfortunately one cannot simply roll back to the previous ipa-server version as IPA refuses to start once its data has been upgraded to a newer version. This itself is unfortunate as it prevents rollbacks for critical bugs like this from being viable.
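To scope an incident like the one reported above, the first question is which client principals and which services are hitting the new PAC check. The following is an added triage example, not code from the report or from the IPA project: it parses krb5kdc TGS_REQ lines of the shape quoted above and groups the PAC_ENFORCEMENT_TGT_WITHOUT_PAC failures by client principal. The regular expression is an assumption that covers only that TGS_REQ line shape (not every krb5kdc message), and the sample log is constructed from the reporter's line plus two invented neighbours.

```python
import re
from collections import defaultdict

# Shape of the krb5kdc TGS_REQ request-log line quoted in the report. This is an
# assumption: it matches that shape only, other krb5kdc messages return None.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>TGS_REQ) \((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): authtime (?P<authtime>\d+), "
    r"etypes \{(?P<rep_etypes>[^}]*)\} (?P<client>\S+) for (?P<server>\S+?)"
    r"(?:, (?P<detail>.*))?$"
)

PAC_STATUS = "PAC_ENFORCEMENT_TGT_WITHOUT_PAC"

# Constructed sample log: the reporter's line followed by two invented lines
# (documentation addresses, same realm) so the grouping has something to do.
SAMPLE_KDC_LOG = [
    "Oct 04 16:47:09 server.example.com krb5kdc[3419612](info): TGS_REQ (6 etypes "
    "{aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), "
    "aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) "
    "fd31:aeb1:48df:0:12ff:bda9:3582:4de0: PAC_ENFORCEMENT_TGT_WITHOUT_PAC: "
    "authtime 1759610504, etypes {rep=UNSUPPORTED:(0)} brian@EXAMPLE.COM for "
    "imap/server.example.com@EXAMPLE.COM, No such file or directory",
    "Oct 04 16:47:11 server.example.com krb5kdc[3419612](info): TGS_REQ (2 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.10: "
    "PAC_ENFORCEMENT_TGT_WITHOUT_PAC: authtime 1759610504, "
    "etypes {rep=UNSUPPORTED:(0)} brian@EXAMPLE.COM for "
    "HTTP/www.example.com@EXAMPLE.COM, No such file or directory",
    "Oct 04 16:47:15 server.example.com krb5kdc[3419612](info): TGS_REQ (2 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 192.0.2.20: "
    "ISSUE: authtime 1759610900, etypes {rep=18 tkt=18 ses=18} "
    "alice@EXAMPLE.COM for host/server.example.com@EXAMPLE.COM",
]


def parse_kdc_line(line):
    """Return the fields of one krb5kdc TGS_REQ line as a dict, or None if it does not match."""
    m = KDC_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["authtime"] = int(rec["authtime"])
    return rec


def summarize_pac_failures(lines):
    """Map each client principal rejected by the PAC check to the services it requested.

    Only TGS_REQ lines whose status is PAC_ENFORCEMENT_TGT_WITHOUT_PAC are counted;
    successful ISSUE lines and unrelated KDC messages are ignored.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["status"] == PAC_STATUS:
            hits[rec["client"]].add(rec["server"])
    return {client: sorted(servers) for client, servers in hits.items()}


if __name__ == "__main__":
    for client, servers in summarize_pac_failures(SAMPLE_KDC_LOG).items():
        print(f"{client}: {len(servers)} service(s) rejected: {', '.join(servers)}")
```

Run against the real journal (`journalctl -u krb5kdc --no-pager | python3 triage.py`-style piping would need a stdin reader in place of SAMPLE_KDC_LOG), the grouping tells you whether every client is affected, which supports the "all authentication fails" claim in the report, or whether only principals whose TGTs predate the upgrade are rejected, which is what a PAC check on existing tickets would look like and would clear once those clients re-obtain tickets with kinit.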