On Wed, Jun 08, 2022 at 01:40:22AM -0400, Ranbir via FreeIPA-users wrote:
> On Thu, 2022-06-02 at 13:33 +0200, Pavel Březina via FreeIPA-users
> wrote:
> > # SSSD 2.7.1
> >
> >
> > ### Configuration changes
> >
> > * New option `implicit_pac_responder` to control if the PAC responder is
> > started for the IPA and AD providers, default is `true`.
> > * New option `krb5_check_pac` to control the PAC validation behavior.
> > * multiple `crl_file` arguments can be used in the
> > `certificate_verification` option.
>
> I updated my Fedora 36 desktop a few minutes ago, which installed the
> new sssd and related packages. I rebooted since a new kernel was also
> installed. When I tried to log in to GNOME, I got an error.
>
> I used a local account to get in and to check my freeipa user account.
> The pwd worked fine on my other machines and on the web UI. I poked
> around some more and found this in krb5_child.log:
>
> (2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020):
> [RID#196] PAC check failed for principal [[email protected]].
> (2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020):
> [RID#196] 2045: [1432158308][Unknown code UUz 100]
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
> BACKTRACE:
> * (2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt]
> (0x0020): [RID#196] PAC check failed for principal [[email protected]].
> * (2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt]
> (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
> ********************** BACKTRACE DUMP ENDS HERE
> *********************************
Hi,
I'm sorry, it looks like the default for the new 'pac_check' option is
too strict. Please try to set
pac_check = check_upn, check_upn_dns_info_ex
in the [pac] section of sssd.conf and then try to update again. I have
opened https://bugzilla.redhat.com/show_bug.cgi?id=2094685 to fix this.
bye,
Sumit
>
> There's more before that.
>
>
> I also saw this in sssd's journal (it's in reverse):
>
> Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication
> failed
> Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication
> failed
> Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication
> failed
> Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication
> failed
> Jun 08 00:29:01 host.domain.tld krb5_child[2270848]: Unknown code UUz
> 100
> Jun 08 00:28:52 host.domain.tld krb5_child[2270818]: Unknown code UUz
> 100
> Jun 08 00:28:45 host.domain.tld krb5_child[2270782]: Unknown code UUz
> 100
> Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 2
> Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 1
> Jun 08 00:15:15 host.domain.tld systemd[1]: Started sssd.service -
> System Security Services Daemon.
>
> No amount of reboots or sssd restarts fixed the problem, so I
> downgraded all of the sssd related packages. After that was done, I was
> able to log in again.
>
> Do I have a misconfiguration or is it a bug?
>
> --
> Ranbir
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
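To tell the PAC validation failure discussed in this thread apart from an ordinary wrong-password failure, the krb5_child.log entries can be grouped per request. This is an added example, not code from the thread or from the SSSD project; the sample log is constructed in the shape of the excerpt above (lines unwrapped, placeholder principal, and a made-up wrong-password request for contrast), and `pac_failures` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# SSSD debug line: (timestamp): [process[pid]] [function] (level): [RID#n] message
LINE_RE = re.compile(
    r"^\s*\*?\s*\((?P<ts>[^)]+)\): \[(?P<proc>\w+)\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): "
    r"(?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)
PAC_RE = re.compile(r"PAC check failed for principal \[(?P<principal>[^\]]+)\]")

# Constructed sample: placeholder principal; the RID#197 request is invented for contrast.
SAMPLE_LOG = """\
(2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020): [RID#196] PAC check failed for principal [alice@EXAMPLE.TEST].
(2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020): [RID#196] PAC check failed for principal [alice@EXAMPLE.TEST].
   *  (2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 0:44:02): [krb5_child[9133]] [get_and_save_tgt] (0x0020): [RID#197] 2045: [-1765328360][Preauthentication failed]
"""


def pac_failures(log_text):
    """Return {principal: [request, ...]} for requests rejected by PAC validation."""
    seen, by_request = set(), defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner lines around the backtrace dump
        key = (m["ts"], m["pid"], m["func"], m["rid"], m["msg"])
        if key in seen:
            continue  # the backtrace dump repeats lines that were already logged
        seen.add(key)
        by_request[(m["pid"], m["rid"])].append(m)
    failures = defaultdict(list)
    for (pid, rid), entries in by_request.items():
        hits = [PAC_RE.search(e["msg"]) for e in entries]
        hit = next((h for h in hits if h), None)
        if hit is None:
            continue  # failed for another reason, e.g. a wrong password
        errors = [e["msg"] for e in entries if e["func"] == "get_and_save_tgt"]
        failures[hit["principal"]].append({"pid": int(pid), "rid": int(rid) if rid else None,
                                           "ts": entries[0]["ts"], "errors": errors})
    return dict(failures)


if __name__ == "__main__":
    print(pac_failures(SAMPLE_LOG))
```
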