[Freeipa-users] Re: Authentication failures on a RHEL 9.2 IPA server

Sun, 14 May 2023 02:53:56 -0700 

On Fri, May 12, 2023 at 06:19:44PM +0100, Sam Morris via FreeIPA-users wrote:
> I wonder about the root cause; is this because MIT Kerberos 1.20 always
> wants to include a PAC in its issued TGTs, and it gives up if it can't
> retrieve a user's SID from the directory? (If so I wonder if setting
> disable_pac = true in the realm section of krb5.conf would have worked
> around the problem?)

This seems to be the case. Specifically I:

 1. Removed the ipantsecurityidentifier attribute from a user, and
    removed ipantuserattrs from the user's objectclass
 2. Tried to log in as the user & got the same failures + 'No such file
    or directory' message in /var/log/krb5kdc.log
 3. Edited /var/kerberos/krb5kdc/kdc.conf, adding 'disable_pac = true'
    within the realm-specific configuration in the realms section
 4. Restarted krb5kdc
 5. Tried to log in as the user and it worked!

The docs for disable_pac say:

    If true, the KDC will not issue PACs for this realm, and S4U2Self
    and S4U2Proxy operations will be disabled.  The default is false,
    which will permit the KDC to issue PACs.  New in release 1.20.

... which doesn't explain that if the KDC can't issue a PAC for some
reason then the KDC will fail to issue the TGT. But at least I've gotten
to the bottom of things now. :)

> "After upgrading, krb5kdc may fail to issue TGTs to users who have not
> had a SID assigned to their accounts ('ipa user-show user --all' will
> not include an ipantsecurityidentifier attribute). In this case
> krb5kdc.log will log a message "HANDLE_AUTHDATA: [email protected] for
> krbtgt/[email protected], No such file or directory". This can be
> fixed by running 'ipa config-mod --enable-sid --add-sids' as an IPA
> admin on another IPA server."

... "or on the same server after temporarily setting "disable_pac =
true" in kdc.conf, and restarting krb5kdc."

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to