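A global change of the PAC type takes effect only after the KDC is restarted. Such a change must take effect immediately, without a KDC restart. In the transcript below, the reporter uses the size of the credential cache file (/tmp/krb5cc_0) as an indicator of which PAC type the KDC applied when it issued the ticket.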
* When default pac-type is MS-PAC to start with
[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:
[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM
Valid starting Expires Service principal
05/14/13 00:49:11 05/15/13 00:49:08 krbtgt/TESTRELM.COM@TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:49 /tmp/krb5cc_0
* Change PAC type to PAD
[root@gondola ~]# ipa config-mod --pac-type PAD
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: testrelm.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=TESTRELM.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: PAD
[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:
[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM
Valid starting Expires Service principal
05/14/13 00:51:47 05/15/13 00:51:44 krbtgt/TESTRELM.COM@TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:51 /tmp/krb5cc_0 # Size is same as when pac type was MS-PAC
* Restarted ipa
[root@gondola ~]# ipactl restart
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting ipa_memcached Service
Restarting httpd Service
Restarting pki-tomcatd Service
Restarting smb Service
Restarting winbind Service
ipa: INFO: The ipactl command was successful
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:53 /tmp/krb5cc_0
[root@gondola ~]# kdestroy
[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:
[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM
Valid starting Expires Service principal
05/14/13 00:54:04 05/15/13 00:54:01 krbtgt/TESTRELM.COM@TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:54 /tmp/krb5cc_0 # Size is much less
* Changed back to MS-PAC
[root@gondola ~]# ipa config-mod --pac-type MS-PAC
Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
Default users group: ipausers
Default e-mail domain: testrelm.com
Search time limit: 2
Search size limit: 100
User search fields: uid,givenname,sn,telephonenumber,ou,title
Group search fields: cn,description
Enable migration mode: FALSE
Certificate Subject base: O=TESTRELM.COM
Password Expiration Notification (days): 4
Password plugin features: AllowNThash
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: unconfined_u:s0-s0:c0.c1023
Default PAC types: MS-PAC
[root@gondola ~]# kdestroy
[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:
[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM
Valid starting Expires Service principal
05/14/13 00:55:24 05/15/13 00:55:21 krbtgt/TESTRELM.COM@TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 707 May 14 00:55 /tmp/krb5cc_0 # no change in size
[root@gondola ~]# kvno host/gondola.testrelm.com@TESTRELM.COM
host/gondola.testrelm.com@TESTRELM.COM: kvno = 2
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1221 May 14 00:56 /tmp/krb5cc_0
[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM
Valid starting Expires Service principal
05/14/13 00:55:24 05/15/13 00:55:21 krbtgt/TESTRELM.COM@TESTRELM.COM
05/14/13 00:56:09 05/15/13 00:55:21 host/gondola.testrelm.com@TESTRELM.COM
* Restarted krb5kdc service
[root@gondola ~]# service krb5kdc restart
Redirecting to /bin/systemctl restart krb5kdc.service
[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM
Valid starting Expires Service principal
05/14/13 00:55:24 05/15/13 00:55:21 krbtgt/TESTRELM.COM@TESTRELM.COM
05/14/13 00:56:09 05/15/13 00:55:21 host/gondola.testrelm.com@TESTRELM.COM
[root@gondola ~]# kdestroy
[root@gondola ~]# kinit admin
Password for admin@TESTRELM.COM:
[root@gondola ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@TESTRELM.COM
Valid starting Expires Service principal
05/14/13 00:57:24 05/15/13 00:57:21 krbtgt/TESTRELM.COM@TESTRELM.COM
[root@gondola ~]# ll /tmp/krb5cc_0
-rw-------. 1 root root 1267 May 14 00:57 /tmp/krb5cc_0
Rename "trusts" component to "Trusts" to achieve correct sorting.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=970618
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=970620
Closing as a duplicate of #4153.
Metadata Update from @steeve: - Issue assigned to someone - Issue set to the milestone: Future Releases