On Wed, 2022-06-08 at 09:57 +0200, Sumit Bose via FreeIPA-users wrote:
> I'm sorry, it looks like the default for the new 'pac_check' option
> is too strict. Please try to set
>
> pac_check = check_upn, check_upn_dns_info_ex
>
> in the [pac] section of sssd.conf and then try to update again.
I added the workaround, upgraded the sssd packages again, restarted sssd, locked my screen and successfully logged in. Looks like the workaround is working. Here's what got dumped into krb5_child.log:

(2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426] 1971: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] krb5_child started.
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x1000): [RID#426] total buffer size: [167]
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x0100): [RID#426] cmd [241 (auth)] uid [0123456789] gid [0123456789] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [unpack_buffer] (0x0100): [RID#426] ccname: [KEYRING:persistent:0123456789] old_ccname: [KEYRING:persistent:0123456789] keytab: [/etc/krb5.keytab]
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [switch_creds] (0x0200): [RID#426] Switch user to [0123456789][0123456789].
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [switch_creds] (0x0200): [RID#426] Switch user to [0][0].
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [k5c_check_old_ccache] (0x4000): [RID#426] Ccache_file is [KEYRING:persistent:0123456789] and is active and TGT is valid.
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [k5c_setup_fast] (0x0100): [RID#426] Fast principal is set to [host/[email protected]]
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [find_principal_in_keytab] (0x4000): [RID#426] Trying to find principal host/[email protected] in keytab.
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [match_principal] (0x1000): [RID#426] Principal matched to the sample (host/[email protected]).
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [check_fast_ccache] (0x0200): [RID#426] FAST TGT is still valid.
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [become_user] (0x0200): [RID#426] Trying to become user [0123456789][0123456789].
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x2000): [RID#426] Running as [0123456789][0123456789].
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [set_lifetime_options] (0x0100): [RID#426] No specific renewable lifetime requested.
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [set_lifetime_options] (0x0100): [RID#426] No specific lifetime requested.
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [set_canonicalize_option] (0x0100): [RID#426] Canonicalization is set to [true]
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] Will perform auth
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] Will perform online auth
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [tgt_req_child] (0x1000): [RID#426] Attempting to get a TGT
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0400): [RID#426] Attempting kinit for realm [DOMAIN.TLD]
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [sss_krb5_responder] (0x4000): [RID#426] Got question [password].
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426] 1971: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:29:22): [krb5_child[65262]] [map_krb5_error] (0x0020): [RID#426] 2100: [-1765328360][Preauthentication failed]
(2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] krb5_child started.
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x1000): [RID#8] total buffer size: [167]
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x0100): [RID#8] cmd [241 (auth)] uid [0123456789] gid [0123456789] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [unpack_buffer] (0x0100): [RID#8] ccname: [KEYRING:persistent:0123456789] old_ccname: [KEYRING:persistent:0123456789] keytab: [/etc/krb5.keytab]
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [switch_creds] (0x0200): [RID#8] Switch user to [0123456789][0123456789].
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [switch_creds] (0x0200): [RID#8] Switch user to [0][0].
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [k5c_check_old_ccache] (0x4000): [RID#8] Ccache_file is [KEYRING:persistent:0123456789] and is active and TGT is valid.
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [k5c_setup_fast] (0x0100): [RID#8] Fast principal is set to [host/[email protected]]
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [find_principal_in_keytab] (0x4000): [RID#8] Trying to find principal host/[email protected] in keytab.
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [match_principal] (0x1000): [RID#8] Principal matched to the sample (host/[email protected]).
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [check_fast_ccache] (0x0200): [RID#8] FAST TGT is still valid.
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [become_user] (0x0200): [RID#8] Trying to become user [0123456789][0123456789].
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x2000): [RID#8] Running as [0123456789][0123456789].
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [set_lifetime_options] (0x0100): [RID#8] No specific renewable lifetime requested.
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [set_lifetime_options] (0x0100): [RID#8] No specific lifetime requested.
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [set_canonicalize_option] (0x0100): [RID#8] Canonicalization is set to [true]
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] Will perform auth
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] Will perform online auth
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [tgt_req_child] (0x1000): [RID#8] Attempting to get a TGT
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [get_and_save_tgt] (0x0400): [RID#8] Attempting kinit for realm [DOMAIN.TLD]
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [sss_krb5_responder] (0x4000): [RID#8] Got question [password].
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [sss_krb5_expire_callback_func] (0x2000): [RID#8] exp_time: [6983771]
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x2000): [RID#8] Found keytab entry with the realm of the credential.
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x0400): [RID#8] TGT verified using key for [host/[email protected]].
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x0040): [RID#8] sss_extract_and_send_pac failed, group membership for user with principal [[email protected]] might not be correct.

-- 
Ranbir
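As an added example (not part of the thread or of sssd itself), a small parser for the krb5_child.log layout shown above: it attaches each "PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE" block to the message that triggered it, and pulls the krb5 error code out of "NNNN: [code][text]" messages so the two distinct events in the dump (the preauthentication failure and the missing PAC) can be listed per request id. The sample log is constructed in the same format; host and realm names are placeholders.

```python
import re

# Constructed sample in the krb5_child.log layout from the thread (not the poster's dump); names are placeholders.
SAMPLE_LOG = """\
(2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426] 1971: [-1765328360][Preauthentication failed]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [main] (0x0400): [RID#426] krb5_child started.
   *  (2022-06-08 14:29:22): [krb5_child[65262]] [get_and_save_tgt] (0x0020): [RID#426] 1971: [-1765328360][Preauthentication failed]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:46:42): [krb5_child[70022]] [main] (0x0400): [RID#8] krb5_child started.
(2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x0400): [RID#8] TGT verified using key for [host/client.example.test@EXAMPLE.TEST].
   *  (2022-06-08 14:46:42): [krb5_child[70022]] [sss_extract_pac] (0x0040): [RID#8] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-08 14:46:42): [krb5_child[70022]] [validate_tgt] (0x0040): [RID#8] sss_extract_and_send_pac failed, group membership for user with principal [user@EXAMPLE.TEST] might not be correct.
"""

LINE_RE = re.compile(r"^\s*(?P<bt>\*\s+)?\((?P<ts>[^)]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-f]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
# "1971: [-1765328360][Preauthentication failed]" = source line, krb5 error code, error text
KRB5_ERR_RE = re.compile(r"^\d+: \[(?P<code>-?\d+)\]\[(?P<text>[^\]]+)\]")
ERROR_LEVELS = {"0x0020", "0x0040"}  # sssd debug levels: operation failures, minor failures

def parse_krb5_child_log(text):
    """One dict per top-level line; '* ' backtrace lines go under the triggering message's 'backtrace'."""
    records, bt = [], None
    for line in text.splitlines():
        # Backtrace markers: start collecting into the previous record, or stop collecting.
        if "PREVIOUS MESSAGE WAS TRIGGERED" in line or "BACKTRACE DUMP ENDS HERE" in line:
            bt = records[-1]["backtrace"] if "PREVIOUS" in line and records else None
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = dict(m.groupdict(), backtrace=[])
        err = KRB5_ERR_RE.match(rec["msg"])
        rec["krb5_code"] = int(err["code"]) if err else None
        rec["krb5_text"] = err["text"] if err else None
        target = bt if (rec.pop("bt") and bt is not None) else records
        target.append(rec)
    return records

def failures(records):
    """Error-level messages with request id, failing function and the backtrace's function trail."""
    return [{"rid": int(r["rid"]), "func": r["func"], "krb5_code": r["krb5_code"],
             "msg": r["krb5_text"] or r["msg"], "steps": [b["func"] for b in r["backtrace"]]}
            for r in records if r["level"] in ERROR_LEVELS]
```

Running `failures(parse_krb5_child_log(open("/var/log/sssd/krb5_child.log").read()))` on a real log gives one entry per error-level message, so the PAC warning is easy to tell apart from a plain wrong-password failure.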
