Cloned from: https://pagure.io/freeipa/issue/9465
Since commit 3e20a96c3091f9216cd2bcb1c5853593ed5de88c (FreeIPA 4.9.0, ~2020) (issue https://pagure.io/freeipa/issue/8319) we allow issuing tickets with MS-PAC to Kerberos services. This, in turn, requires the presence of the `krbCanonicalName` attribute to force canonicalization.
Services created before commit e6ff83e3610d553f6ff98e3adbfbe3c6984b2f17 (FreeIPA 4.4.0, ~2016) had no normalization to set `krbCanonicalName`; services created after an upgrade to that version do have `krbCanonicalName`.
This bug only affects 'old' services: if they lack `krbCanonicalName`, a TGT cannot be issued for them. If such a service is `HTTP/...` on an IPA master, then users cannot connect to IPA services using the IPA API (including provisioning of new hosts).
This is seen as:
```
# ipa ping
ipa: ERROR: No valid Negotiate header in server response
```
The Kerberos KDC log shows:
```
Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ : handle_authdata (2)
Oct 13 14:38:10 master.ipa.test krb5kdc[2743](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 192.168.7.1: HANDLE_AUTHDATA: HTTP/master.ipa.test@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, No such file or directory
```
The `No such file or directory` comes from the `else` branch below, in the code of `ipadb_fill_info3()`:
```c
if (is_host) {
    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
    if (ret) {
        /* fqdn is mandatory for hosts */
        return ret;
    }
} else if (is_service) {
    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
                                 "krbCanonicalName", &strres);
    if (ret) {
        /* krbCanonicalName is mandatory for services */
        return ret;
    }
```
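An operator-side check for this condition, as an added example that is not FreeIPA project code: it carries the LDAP filter to run live against the services container and audits `ldapsearch -LLL` LDIF output for `ipaService` entries that lack `krbCanonicalName`, so an affected `HTTP/...` principal is found before `ipa ping` fails. The sample LDIF and the `dc=ipa,dc=test` suffix are constructed for this demonstration.

```python
"""Audit FreeIPA service entries for a missing krbCanonicalName attribute.
Added example, not FreeIPA project code. Input is LDIF as written by
`ldapsearch -LLL` over cn=services,cn=accounts,<basedn>; the sample below
and the dc=ipa,dc=test suffix are constructed for this demonstration."""

# Filter to run live (assumes the standard FreeIPA schema names).
AUDIT_FILTER = "(&(objectClass=ipaService)(!(krbCanonicalName=*)))"

SAMPLE_LDIF = """\
dn: krbprincipalname=HTTP/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
objectClass: ipaService
krbPrincipalName: HTTP/master.ipa.test@IPA.TEST

dn: krbprincipalname=ldap/master.ipa.test@IPA.TEST,cn=services,cn=accounts,dc=ipa,dc=test
objectClass: ipaService
krbPrincipalName: ldap/master.ipa.test@IPA.TEST
krbCanonicalName: ldap/master.ipa.test@IPA.TEST
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute lists per entry, keys lower-cased."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def find_missing_canonical(text):
    """Principals of ipaService entries that have no krbCanonicalName.
    An HTTP/ principal of an IPA master in this list reproduces the
    HANDLE_AUTHDATA failure from ipadb_fill_info3() described above."""
    missing = []
    for e in parse_ldif(text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        if "ipaservice" in classes and not e.get("krbcanonicalname"):
            missing.extend(e.get("krbprincipalname", []))
    return missing


if __name__ == "__main__":
    print("live query filter:", AUDIT_FILTER)
    for principal in find_missing_canonical(SAMPLE_LDIF):
        print("missing krbCanonicalName:", principal)
```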