Package: freeipa-client
Version: 4.9.11-1
Severity: normal

Dear Maintainer,
On a host enrolled as an IPA client, Kerberos is not usable in Java. The error message is:

  KrbException: krb5.conf loading failed

(please find simple steps to reproduce below)

After debugging step by step, I found out that this is due to the fact that the following Kerberos configuration directory

  /var/lib/sss/pubconf/krb5.include.d/

ends up being included twice and that Java rejects multiple includes of the same directory. This directory is included:

- in the configuration file /etc/krb5.conf.d/enable_sssd_conf_dir, which is deployed by the installation of the *package* freeipa-client (probably indirectly by one of the sssd packages?)
- in the configuration file /etc/krb5.conf, which is generated by the ipa-client-install procedure

As a workaround, commenting out the includedir line in /etc/krb5.conf.d/enable_sssd_conf_dir (or completely removing this file, since it contains only this line) solves the problem.

Please note that:

- the issue occurs with Java 17, 11 and 21 (and most likely other available Java versions)
- the issue does NOT occur on bullseye with freeipa-client from backports (which we have been using in production for a while)

In order to reproduce (on a host enrolled as an IPA client), using the standard Java JAAS Kerberos example:

  https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html

(just copy JaasAcn.java and jaas.conf into the same directory; no need to compile)

  $ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
  Kerberos username [mbaudier]:
  Authentication failed:
  KrbException: krb5.conf loading failed

And the workaround:

  $ sudo mv /etc/krb5.conf.d/enable_sssd_conf_dir /tmp
  $ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
  Kerberos username [mbaudier]:
  Kerberos password for mbaudier:
  Authentication succeeded!
-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-162.23.1.el9_1.x86_64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeipa-client depends on:
ii  bind9-dnsutils [dnsutils]       1:9.18.13-1
ii  bind9-utils                     1:9.18.13-1
ii  certmonger                      0.79.17-2
ii  curl                            7.88.1-9
ii  dnsutils                        1:9.18.13-1
ii  freeipa-common                  4.9.11-1
ii  krb5-user                       1.20.1-1+b1
ii  libc6                           2.36-9
ii  libcom-err2                     1.47.0-2
ii  libcurl4                        7.88.1-9
ii  libini-config5                  0.6.2-1
ii  libjansson4                     2.14-2
ii  libk5crypto3                    1.20.1-1+b1
ii  libkrb5-3                       1.20.1-1+b1
ii  libldap-2.5-0                   2.5.13+dfsg-5
ii  libnss-sss                      2.8.2-4
ii  libnss3-tools                   2:3.89-2
ii  libpam-sss                      2.8.2-4
ii  libpopt0                        1.19+dfsg-1
ii  libsasl2-modules-gssapi-mit     2.1.28+dfsg-11
ii  libssl3                         3.0.8-1
ii  libsss-sudo                     2.8.2-4
ii  oddjob-mkhomedir                0.34.7-1+b2
ii  python3                         3.11.2-1+b1
ii  python3-dnspython               2.3.0-1
ii  python3-gssapi                  1.8.2-1+b1
ii  python3-ipaclient               4.9.11-1
ii  python3-ldap                    3.4.3-2+b2
ii  python3-sss                     2.8.2-4
ii  sssd                            2.8.2-4

Versions of packages freeipa-client recommends:
ii  chrony  4.3-2

Versions of packages freeipa-client suggests:
pn  libpam-krb5  <none>

-- no debconf information
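The double include described in the report can be checked for directly, without going through Java. The following Python script is an added example (not part of the bug report, freeipa or sssd): it walks a krb5.conf, follows include and includedir directives the way MIT libkrb5 does, and reports every target pulled in more than once, together with the files that include it. build_demo() constructs a miniature copy of the layout from the report under a temporary directory; the paths it writes and the assumption that Java applies the same includedir filename filter as libkrb5 are the example's own.

```python
import os
import re
import tempfile

# MIT libkrb5 only loads includedir entries named [A-Za-z0-9_-]+ (assumed to hold for Java too)
_INCLUDEDIR_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

def collect_includes(path, seen=None, active=()):
    """List (directive, normalised target, source file) for every include or
    includedir directive reachable from `path`, in encounter order."""
    seen = [] if seen is None else seen
    if path in active:  # guard against include cycles
        return seen
    active = active + (path,)
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            parts = raw.strip().split(None, 1)
            if len(parts) != 2 or parts[0] not in ("include", "includedir"):
                continue  # blank lines, comments and [section] bodies
            directive, target = parts[0], os.path.normpath(parts[1].strip())
            seen.append((directive, target, path))  # trailing "/" is normalised away
            if directive == "include" and os.path.isfile(target):
                collect_includes(target, seen, active)
            elif directive == "includedir" and os.path.isdir(target):
                for name in sorted(os.listdir(target)):
                    child = os.path.join(target, name)
                    if _INCLUDEDIR_NAME.match(name) and os.path.isfile(child):
                        collect_includes(child, seen, active)
    return seen

def duplicate_includes(path):
    """Map each target included more than once to the files that include it."""
    origins = {}
    for _directive, target, source in collect_includes(path):
        origins.setdefault(target, []).append(source)
    return {t: srcs for t, srcs in origins.items() if len(srcs) > 1}

def build_demo():
    """Constructed miniature of the layout in the report, under a temp dir."""
    root = tempfile.mkdtemp()
    sss = os.path.join(root, "var/lib/sss/pubconf/krb5.include.d")
    confd = os.path.join(root, "etc/krb5.conf.d")
    for d in (sss, confd):
        os.makedirs(d)
    with open(os.path.join(confd, "enable_sssd_conf_dir"), "w") as fh:
        fh.write("includedir %s/\n" % sss)  # the drop-in shipped by the package
    krb5_conf = os.path.join(root, "etc/krb5.conf")
    with open(krb5_conf, "w") as fh:  # what ipa-client-install generates (simplified)
        fh.write("includedir %s/\nincludedir %s/\n[libdefaults]\n" % (confd, sss))
    return krb5_conf
```

On a real client, duplicate_includes("/etc/krb5.conf") names the directory included twice and both files responsible; an empty result after the drop-in is commented out or removed confirms the workaround took effect.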