I have some additional logs for you that might help debugging this problem:
I replaced the line in the ctxfas pam module with this one:

auth sufficient pam_krb5.so try_pkinit preauth_opt=X509_user_identity=PKCS11:/usr/lib/x86_64-linux-gnu/libctxpkcs11.so debug trace=/var/log/ctxfas.log

The output of the log file after a failed login on Ubuntu 24.04 is:

[7795] 1740732388.618448: Getting initial credentials for USER
[7795] 1740732388.618450: Sending unauthenticated request
[7795] 1740732388.618451: Sending request (196 bytes) to DOMAIN
[7795] 1740732388.618452: Initiating TCP connection to stream IP:88
[7795] 1740732388.618453: Sending TCP request to stream IP:88
[7795] 1740732388.618454: Received answer (205 bytes) from stream IP:88
[7795] 1740732388.618455: Terminating TCP connection to stream IP:88
[7795] 1740732388.618456: Response was from primary KDC
[7795] 1740732388.618457: Received error from KDC: -1765328359/Additional pre-authentication required
[7795] 1740732388.618460: Preauthenticating using KDC method data
[7795] 1740732388.618461: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[7795] 1740732388.618462: Selected etype info: etype aes256-cts, salt "DOMAINManuel.Hiller", params ""
[7795] 1740732388.618463: PKINIT loading identity PKCS11:/usr/lib/x86_64-linux-gnu/libctxpkcs11.so
[7795] 1740732388.618464: PKINIT opening PKCS#11 module "/usr/lib/x86_64-linux-gnu/libctxpkcs11.so"
[7795] 1740732388.618465: PKINIT PKCS#11 slotid 0 token Citrix FAS
[7795] 1740732388.618466: PKINIT opening PKCS#11 module "/usr/lib/x86_64-linux-gnu/libctxpkcs11.so"
[7795] 1740732388.618467: PKINIT PKCS#11 slotid 0 token Citrix FAS
[7795] 1740732388.618468: PKINIT client matching rule '||<EKU>msScLogin,<KU>digitalSignature' against certificates
[7795] 1740732388.618469: PKINIT client found 1 SANs (0 princs, 1 UPNs, 0 DNS names) in certificate /DC=loc/DC=company/DC=epm/OU=_Benutzer/OU=MUL/OU=ITP/CN=Hiller, Manuel
[7795] 1740732388.618470: PKINIT client checked 1 certs, found 1 matches
[7795] 1740732388.618471: PKINIT loading CA certs and CRLs from DIR /etc/ssl/certs/
[7795] 1740732388.618472: PKINIT client computed kdc-req-body checksum 14/913BEAE90B2569F099E085622F85A515DA337700
[7795] 1740732388.618474: PKINIT client making DH request
[7795] 1740732388.618475: PKINIT chain cert #0: /DC=loc/DC=company/DC=epm/OU=_Benutzer/OU=MUL/OU=ITP/CN=Hiller, Manuel
[7795] 1740732388.618476: PKINIT chain cert #1: /DC=loc/DC=company/CN=company-CA-CLIENTS
[7795] 1740732388.618477: Preauth module pkinit (16) (real) returned: 0/Success
[7795] 1740732388.618478: Produced preauth for next request: PA-PK-AS-REQ (16)
[7795] 1740732388.618479: Sending request (41446 bytes) to DOMAIN
[7795] 1740732388.618480: Initiating TCP connection to stream IP:88
[7795] 1740732388.618481: Sending TCP request to stream IP:88
[7795] 1740732388.618482: Received answer (104 bytes) from stream IP:88
[7795] 1740732388.618483: Terminating TCP connection to stream IP:88
[7795] 1740732388.618484: Response was from primary KDC
[7795] 1740732388.618485: Received error from KDC: -1765328343/Message stream modified

The output of a successful login on Ubuntu 22.04 is:

[120738] 1740732461.312660: Getting initial credentials for USER
[120738] 1740732461.312662: Sending unauthenticated request
[120738] 1740732461.312663: Sending request (215 bytes) to DOMAIN
[120738] 1740732461.312664: Initiating TCP connection to stream IP:88
[120738] 1740732461.312665: Sending TCP request to stream IP:88
[120738] 1740732461.312666: Received answer (205 bytes) from stream IP:88
[120738] 1740732461.312667: Terminating TCP connection to stream IP:88
[120738] 1740732461.312668: Response was from primary KDC
[120738] 1740732461.312669: Received error from KDC: -1765328359/Additional pre-authentication required
[120738] 1740732461.312672: Preauthenticating using KDC method data
[120738] 1740732461.312673: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[120738] 1740732461.312674: Selected etype info: etype aes256-cts, salt "DOMAINManuel.Hiller", params ""
[120738] 1740732461.312675: PKINIT loading CA certs and CRLs from DIR
[120738] 1740732461.312676: PKINIT client computed kdc-req-body checksum 9/EE043B01E1F294B2199115CC5838F17C05799FD6
[120738] 1740732461.312678: PKINIT client making DH request
[120738] 1740732461.312679: Preauth module pkinit (16) (real) returned: 0/Success
[120738] 1740732461.312680: Produced preauth for next request: PA-PK-AS-REQ (16)
[120738] 1740732461.312681: Sending request (41445 bytes) to DOMAIN
[120738] 1740732461.312682: Initiating TCP connection to stream IP:88
[120738] 1740732461.312683: Sending TCP request to stream IP:88
[120738] 1740732461.312684: Received answer (6480 bytes) from stream IP:88
[120738] 1740732461.312685: Terminating TCP connection to stream IP:88
[120738] 1740732461.312686: Response was from primary KDC
[120738] 1740732461.312687: Processing preauth types: PA-PK-AS-REP (17)
[120738] 1740732461.312688: PKINIT client verified DH reply
[120738] 1740732461.312689: PKINIT client config accepts KDC dNSName SAN domaincontroller.DOMAIN
[120738] 1740732461.312690: PKINIT client config accepts KDC dNSName SAN domaincontroller.DOMAIN
[120738] 1740732461.312691: PKINIT client found dNSName SAN in KDC cert: domaincontroller.DOMAIN
[120738] 1740732461.312692: PKINIT client found dNSName SAN in KDC cert: DOMAIN
[120738] 1740732461.312693: PKINIT client found dNSName SAN in KDC cert: EPM
[120738] 1740732461.312694: PKINIT client found dNSName SAN in KDC cert: ldap.DOMAIN
[120738] 1740732461.312695: PKINIT client found dNSName SAN in KDC cert: gc.DOMAIN
[120738] 1740732461.312696: PKINIT client matched KDC hostname domaincontroller.DOMAIN against dNSName SAN; EKU check still required
[120738] 1740732461.312697: PKINIT found acceptable EKU and digitalSignature KU
[120738] 1740732461.312698: PKINIT client found acceptable EKU in KDC cert
[120738] 1740732461.312699: PKINIT client used octetstring2key to compute reply key aes256-cts/8FB8
[120738] 1740732461.312700: Preauth module pkinit (17) (real) returned: 0/Success
[120738] 1740732461.312701: Produced preauth for next request: (empty)
[120738] 1740732461.312702: AS key determined by preauth: aes256-cts/8FB8
[120738] 1740732461.312703: Decrypted AS reply; session key is: aes256-cts/D4DE
[120738] 1740732461.312704: FAST negotiation: unavailable
[120738] 1740732461.312705: Initializing FILE:/tmp/krb5cc_pam_FxEjeA with default princ USER
[120738] 1740732461.312706: Storing USER -> krbtgt/DOMAIN@DOMAIN in FILE:/tmp/krb5cc_pam_FxEjeA

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/2098484

Title:
  Pkinit fails with invalid argument

Status in krb5 package in Ubuntu:
  Incomplete

Bug description:
  Hello,

  I am trying to set up a new Linux Citrix VDI on Ubuntu 24.04 with FAS (https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configure/authentication/federated-authentication-service). For this the packages krb5-pkinit and libpam-krb5 are required.

  Unfortunately the login process fails with the following error message:

  Preauth module pkinit (16) (real) returned: 22/Invalid argument

  For the authentication process the following pam module from Citrix is used:

  #Linux VDA Federated Authentication#
  #%PAM-1.0
  #pam auth
  auth sufficient pam_krb5.so try_pkinit preauth_opt=X509_user_identity=PKCS11:/usr/lib/x86_64-linux-gnu/libctxpkcs11.so
  @include common-auth
  #pam account
  account sufficient pam_krb5.so
  @include common-account
  #pam password
  password sufficient pam_krb5.so
  @include common-password
  #pam session
  session optional pam_krb5.so
  @include common-session

  package versions:
  krb5-pkinit:amd64 1.20.1-6ubuntu2.4
  libpam-krb5:amd64 4.11-1build3

  Is it possible that one of the arguments inside the pam module is not correct? The same process (the servers are set up via Ansible) is working on a 22.04 machine, logically with other package versions.

  --------------
  1) lsb_release -rd:
  No LSB modules are available.
  Description: Ubuntu 24.04.2 LTS
  Release: 24.04

  2) apt-cache policy krb5-pkinit
  krb5-pkinit:
    Installed: 1.20.1-6ubuntu2.4
    Candidate: 1.20.1-6ubuntu2.4

  Thank you!

  Regards,
  Manuel
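A small trace triage helper, written for this thread and not part of krb5, pam_krb5 or the Citrix module: it pulls from a krb5 trace the kdc-req-body checksum type the client sent, the KDC reply sizes and the decoded KDC error codes, and flags a run whose last KDC message after the PA-PK-AS-REQ is anything other than "pre-authentication required". Run over the two traces above it shows the 24.04 client sending checksum type 14 and getting a 104-byte KRB_AP_ERR_MODIFIED reply where 22.04 sent type 9 and received a 6480-byte AS-REP; the error-table base and the two error names are taken from the MIT krb5 com_err table, and the sample traces are abridged copies of the ones posted.

```python
import re
# krb5 traces print com_err codes; the Kerberos protocol error number is the
# offset from the krb5 error-table base (ERROR_TABLE_BASE_krb5 = -1765328384).
KRB5_ERROR_BASE = -1765328384
PROTO_ERROR_NAMES = {25: "KDC_ERR_PREAUTH_REQUIRED", 41: "KRB_AP_ERR_MODIFIED"}

KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")
CKSUM_RE = re.compile(r"kdc-req-body checksum (\d+)/([0-9A-Fa-f]+)")
ANSWER_RE = re.compile(r"Received answer \((\d+) bytes\)")

def summarize_pkinit_trace(text):
    """Reduce one AS exchange to: paChecksum type/length sent, KDC reply sizes,
    decoded KDC errors, and whether a TGT was finally stored."""
    s = {"cksum_type": None, "cksum_bits": None, "replies": [],
         "kdc_errors": [], "got_ticket": False}
    for line in text.splitlines():
        if (c := CKSUM_RE.search(line)):
            s["cksum_type"], s["cksum_bits"] = int(c.group(1)), 4 * len(c.group(2))
        elif (a := ANSWER_RE.search(line)):
            s["replies"].append(int(a.group(1)))
        elif (e := KDC_ERR_RE.search(line)):
            code = int(e.group(1)) - KRB5_ERROR_BASE
            s["kdc_errors"].append((code, PROTO_ERROR_NAMES.get(code, e.group(2))))
        elif "Storing " in line and "krbtgt/" in line:
            s["got_ticket"] = True
    return s

def diagnose(s):
    """PREAUTH_REQUIRED is the normal first round trip; any other error as the
    KDC's last message means it rejected the PA-PK-AS-REQ the client built."""
    if s["got_ticket"]:
        return "ok"
    if s["kdc_errors"] and s["kdc_errors"][-1][0] != 25:
        return "kdc-rejected-pkinit:" + s["kdc_errors"][-1][1]
    return "incomplete"

# Abridged copies of the two traces posted above (pids and timestamps as posted).
FAILED_2404 = """\
[7795] 1740732388.618457: Received error from KDC: -1765328359/Additional pre-authentication required
[7795] 1740732388.618472: PKINIT client computed kdc-req-body checksum 14/913BEAE90B2569F099E085622F85A515DA337700
[7795] 1740732388.618482: Received answer (104 bytes) from stream IP:88
[7795] 1740732388.618485: Received error from KDC: -1765328343/Message stream modified
"""
OK_2204 = """\
[120738] 1740732461.312669: Received error from KDC: -1765328359/Additional pre-authentication required
[120738] 1740732461.312676: PKINIT client computed kdc-req-body checksum 9/EE043B01E1F294B2199115CC5838F17C05799FD6
[120738] 1740732461.312684: Received answer (6480 bytes) from stream IP:88
[120738] 1740732461.312706: Storing USER -> krbtgt/DOMAIN@DOMAIN in FILE:/tmp/krb5cc_pam_FxEjeA
"""
```

Feed it the full /var/log/ctxfas.log from both hosts to compare the complete exchanges; the fields it extracts are the ones a KDC-side log (the Windows KDC event for the rejected PA-PK-AS-REQ) would need to be correlated with.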