** Description changed:

- The trend for krb ccaches is to not use/set a KRB5CCNAME on login.
+ [Impact]
- Ubuntu 22.04 is unable to perform authentication using the pam_sss_gss
- when a valid ccache is setup with credentials.
+ If you don't set KRB5CCNAME for the current user on login, pam_sss_gss fails to
+ authenticate:
- networkuser@u2204host:~$ klist
+ $ unset KRB5CCNAME
+
+ $ klist
  Ticket cache: FILE:/run/user/1234567890/krb5cc
  Default principal: NETWORKUSER@REALM
- [valid creds listed here]
- networkuser@u2204host:~$ sudo -i
+ $ sudo -i
  pam_sss_gss: sss_cli_getenv() call failed [2]: No such file or directory
  pam_sss_gss: User not found
  Please insert smart card
  Please (re)insert (different) Smartcard
  Please (re)insert (different) Smartcard
  sudo: a password is required
- This is fixed in sssd upstream in sss_cli_getenv(). It appears that the
- sssd package is missing the following simple patch.
+ A workaround is to set KRB5CCNAME before you call pam_sss_gss.
- https://github.com/SSSD/sssd/commit/9aad30711a5928f0e8a3627305b6449291de507f
+ [Testcase]
- This should be a simple fix. I'm able to test PPA packages.
+ You need a full AD Domain Controller set up, that uses kerberos and ldap.
+ From there, join the domain on the client.
- This is blocking for multi-factor-authentication enforcement deployment
- and critical to all orgs that need MFA deployed on all U22.04 systems.
+ Setup pam_sss_gss:
- I'm not flagging this as a security vulnerability, but it does track as
- MFA enforcement can't be enabled until this is resolved and considered a
- vulnerability by NIST policy.
+ $ sudo vim /etc/sssd/sssd.conf
+ ...
+ [domain/example.com]
+ ...
+ pam_gssapi_services = sudo, sudo-i
- ProblemType: Bug
- DistroRelease: Ubuntu 22.04
- Package: sssd 2.6.3-1ubuntu3.4
- ProcVersionSignature: Ubuntu 5.15.0-134.145-generic 5.15.173
- Uname: Linux 5.15.0-134-generic x86_64
- NonfreeKernelModules: yfs
- ApportVersion: 2.20.11-0ubuntu82.6
- Architecture: amd64
- CasperMD5CheckResult: pass
- CloudArchitecture: x86_64
- CloudID: none
- CloudName: none
- CloudPlatform: none
- CloudSubPlatform: config
- Date: Wed Mar 19 09:35:14 2025
- InstallationDate: Installed on 2023-11-20 (484 days ago)
- InstallationMedia: Ubuntu-Server 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230810)
- ProcEnviron:
-  TERM=xterm-256color
-  PATH=(custom, no user)
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
- SourcePackage: sssd
- UpgradeStatus: No upgrade log present (probably fresh install)
+ auth sufficient pam_sss_gss.so needs to be the first line in the
+ following:
+
+ $ sudo vim /etc/pam.d/sudo
+ auth sufficient pam_sss_gss.so
+ ...
+ @include common-auth
+ ...
+ $ sudo vim /etc/pam.d/sudo-i
+ auth sufficient pam_sss_gss.so
+ ...
+ @include common-auth
+ ...
+
+ Reboot, log back in.
+
+ You can either configure to not set KRB5CCNAME on login, or just unset
+ it:
+
+ $ kinit ubuntu/ad...@example.com
+ $ klist
+ Ticket cache: FILE:/tmp/krb5cc_1000
+ Default principal: ubuntu/ad...@example.com
+ Valid starting       Expires              Service principal
+ 03/20/25 22:49:12    03/21/25 08:49:12    krbtgt/example....@example.com
+         renew until 03/21/25 22:49:09
+
+ $ unset KRB5CCNAME
+ $ sudo -i
+ pam_sss_gss: sss_cli_getenv() call failed [2]: No such file or directory
+ pam_sss_gss: User not found
+ Please insert smart card
+ Please (re)insert (different) Smartcard
+ Please (re)insert (different) Smartcard
+ sudo: a password is required
+
+ Test packages are available in the following ppa:
+
+ https://launchpad.net/~mruffell/+archive/ubuntu/sf408269-test
+
+ If you install them, you should be able to authenticate as expected.
+
+ [Where problems can occur]
+
+ This change only affects users of the pam_sss_gss module. If users are not using
+ this module, there is no change in functionality.
+
+ If a regression were to occur, it would affect users trying to authenticate with
+ pam_sss_gss. Users might be able to workaround and use a different method / pam
+ module to authenticate if there was a regression.
+
+ [Other info]
+
+ Upstream issue: https://github.com/SSSD/sssd/issues/6180
+
+ This was fixed in 2.8.0 by the commit:
+
+ commit 9aad30711a5928f0e8a3627305b6449291de507f
+ From: Pavel Březina <pbrez...@redhat.com>
+ Date: Mon, 23 May 2022 11:05:01 +0200
+ Subject: pam_sss_gss: KRB5CCNAME may be NULL
+ Link: https://github.com/SSSD/sssd/commit/9aad30711a5928f0e8a3627305b6449291de507f
+
+ Only jammy needs this patch.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2103623

Title:
  pam_sss_gss fails to work when KRB5CCNAME is not set

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2103623/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
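The failure mode in the [Impact] section comes down to how an optional environment variable is treated: the report's "sss_cli_getenv() call failed [2]: No such file or directory" is errno 2 (ENOENT) being returned for an unset KRB5CCNAME and then handled as fatal, so authentication aborts before GSSAPI ever sees the user's default credential cache. The C program below is an added illustration of that contrast and is not SSSD's code; the function names (ccname_strict, ccname_optional, resolve_ccache) are hypothetical, and the fallback cache name FILE:/tmp/krb5cc_1000 is an assumption standing in for whatever libkrb5 would pick by default on the host.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not SSSD's code.  Models how a PAM module might read the
 * optional KRB5CCNAME variable before handing a credential cache name to
 * GSSAPI.  `env_value` is what getenv("KRB5CCNAME") returned: a string when
 * the login set it, NULL when it did not (the case in the bug report).
 */

/* Duplicate a C string with malloc; 0 on success, ENOMEM on failure. */
static int copy_string(const char *src, char **out)
{
    size_t len = strlen(src) + 1;
    char *dup = malloc(len);
    if (dup == NULL) {
        return ENOMEM;
    }
    memcpy(dup, src, len);
    *out = dup;
    return 0;
}

/* Pre-fix model: an unset variable is reported as an error (errno 2, which
 * strerror() renders as "No such file or directory", as in the report). */
int ccname_strict(const char *env_value, char **out)
{
    *out = NULL;
    if (env_value == NULL) {
        return ENOENT;
    }
    return copy_string(env_value, out);
}

/* Fixed model ("KRB5CCNAME may be NULL"): an unset variable is legitimate;
 * the caller receives NULL and is expected to fall back to the default. */
int ccname_optional(const char *env_value, char **out)
{
    *out = NULL;
    if (env_value == NULL) {
        return 0;
    }
    return copy_string(env_value, out);
}

/*
 * Decide which ccache name to pass on.  `lookup` is one of the two models
 * above; `default_name` stands in for libkrb5's default cache (assumed here
 * to be FILE:/tmp/krb5cc_<uid>, matching the report's klist output).
 * Returns 0 and fills `buf` on success, or the errno value from the lookup.
 */
int resolve_ccache(int (*lookup)(const char *, char **),
                   const char *env_value, const char *default_name,
                   char *buf, size_t buflen)
{
    char *ccname = NULL;
    int ret = lookup(env_value, &ccname);
    if (ret != 0) {
        /* The path behind "sss_cli_getenv() call failed [2]": the module
         * gives up here and never consults the default cache. */
        return ret;
    }
    snprintf(buf, buflen, "%s", ccname != NULL ? ccname : default_name);
    free(ccname);
    return 0;
}

int main(void)
{
    char buf[256];
    const char *fallback = "FILE:/tmp/krb5cc_1000";   /* assumed default */
    const char *env_value = getenv("KRB5CCNAME");      /* NULL if unset */

    int ret = resolve_ccache(ccname_strict, env_value, fallback, buf, sizeof buf);
    printf("strict lookup:   %s\n", ret == 0 ? buf : strerror(ret));

    ret = resolve_ccache(ccname_optional, env_value, fallback, buf, sizeof buf);
    printf("optional lookup: %s\n", ret == 0 ? buf : strerror(ret));
    return 0;
}
```

Run it from a shell where KRB5CCNAME is unset and the strict model reports "No such file or directory" while the optional model resolves to the fallback cache; export KRB5CCNAME first and both models agree. The defensive point for anyone writing PAM or client-side Kerberos glue is the same as the upstream subject line: a missing environment variable is a normal state, not an I/O error, and the default cache lookup belongs to libkrb5, not to the module.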