since DC move (Fedora migration to rdu3) and new ipsilon instance rolled-out next to new Fedora IPA servers, we can auth through id.centos.org but transparent gssapi/kerberos auth doesn't work. Spent some time on this last Friday but need to work again to verify things and details so creating ticket for awareness and status update in this ticket
Metadata Update from @arrfab: - Issue assigned to arrfab
Metadata Update from @arrfab: - Issue tagged with: authentication, centos-common-infra, dc-move, high-gain, high-trouble
identified missing Service Principal alias for id.centos.org (public hostname) versus real fqdn that is enrolled in IPA. Added new SP alias on top of existing one (so that's working on real name but also alias) and dowloaded new keytab. Working after that (from laptop with valid ticket, and so externally) :
Valid starting Expires Service principal 14/07/25 07:09:41 15/07/25 07:09:18 krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG renew until 15/07/25 07:11:30 14/07/25 11:22:22 15/07/25 07:09:18 HTTP/id.centos.org@ renew until 15/07/25 07:11:30 Ticket server: HTTP/id.centos.org@FEDORAPROJECT.ORG
Metadata Update from @arrfab: - Issue close_status updated to: Fixed with Explanation - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.