#1012502 sssd: authentication fails with latest sssd

Package:
sssd
Source:
sssd
Description:
System Security Services Daemon -- metapackage
Submitter:
Michael Stone
Date:
2022-06-09 15:03:03 UTC
Severity:
critical
#1012502#5
Date:
2022-06-08 12:44:48 UTC
From:
To:
Installing sssd 2.7.1-1 causes IPA/krb5 authentication to fail with messages
such as the following in /var/log/sssd/sssd_DOMAIN.log

(2022-06-07 18:31:36): [be[DOMAIN]] [krb5_auth_done] (0x3f7c0): [RID#10] The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information
(2022-06-07 18:32:59): [be[DOMAIN]] [krb5_auth_send] (0x0020): [RID#14] Illegal empty authtok for user [USER@DOMAIN]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
[...]
   *  (2022-06-07 18:32:59): [be[DOMAIN]] [krb5_auth_queue_send] (0x1000): [RID#14] Wait queue of user [USER@DOMAIN] is empty, running request [0x560b4c6ac820] immediately.
   *  (2022-06-07 18:32:59): [be[DOMAIN]] [krb5_auth_send] (0x0020): [RID#14] Illegal empty authtok for user [USER@DOMAIN]
********************** BACKTRACE DUMP ENDS HERE *********************************


while in /var/log/sssd/krb5_child.log:

(2022-06-07 18:31:36): [krb5_child[2481391]] [sss_extract_pac] (0x0040): [RID#10] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
[...]
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x2000): [RID#10] Found keytab entry with the realm of the credential.
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x0400): [RID#10] TGT verified using key for [PRINCIPAL@DOMAIN].
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [sss_extract_pac] (0x0040): [RID#10] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************

(2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x0020): [RID#10] PAC check failed for principal [USER@DOMAIN].
(2022-06-07 18:31:36): [krb5_child[2481391]] [get_and_save_tgt] (0x0020): [RID#10] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x0020): [RID#10] PAC check failed for principal [USER@DOMAIN].
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [get_and_save_tgt] (0x0020): [RID#10] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************

(2022-06-07 18:31:36): [krb5_child[2481391]] [map_krb5_error] (0x0020): [RID#10] [1432158308][PAC check failed].
(2022-06-08  8:06:08): [krb5_child[2498572]] [sss_extract_pac] (0x0040): [RID#93] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
[...]


Reverting to sssd 2.6.3-3 immediately reestablishes authentication.
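
Added example (not part of the original report, and not SSSD code): a Python triage helper that groups krb5_child.log lines by request id (RID) and reports requests whose TGT was verified against the keytab but then rejected by the PAC check, the pattern shown in the excerpt above. The function name `pac_failures` and the result fields are assumptions of this example; the sample lines are copied from the report.

```python
import re
from collections import defaultdict

# SSSD debug line: [backtrace marker] (timestamp): [process] [function] (level): [RID#n] message
LINE = re.compile(
    r"^(?:\s*\*\s+)?\((?P<ts>\d{4}-\d\d-\d\d\s+\d{1,2}:\d\d:\d\d)\): "
    r"\[(?P<proc>\w+(?:\[[^\]]*\])?)\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): "
    r"(?:\[RID#(?P<rid>\d+)\] )?(?P<msg>.*)$"
)
PAC_FAILED = re.compile(r"PAC check failed for principal \[(?P<principal>[^\]]+)\]")

# Lines copied from the krb5_child.log excerpt in the report above.
SAMPLE = """\
(2022-06-07 18:31:36): [krb5_child[2481391]] [sss_extract_pac] (0x0040): [RID#10] No PAC authdata available.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x0400): [RID#10] TGT verified using key for [PRINCIPAL@DOMAIN].
   *  (2022-06-07 18:31:36): [krb5_child[2481391]] [sss_extract_pac] (0x0040): [RID#10] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-07 18:31:36): [krb5_child[2481391]] [validate_tgt] (0x0020): [RID#10] PAC check failed for principal [USER@DOMAIN].
(2022-06-07 18:31:36): [krb5_child[2481391]] [map_krb5_error] (0x0020): [RID#10] [1432158308][PAC check failed].
(2022-06-08  8:06:08): [krb5_child[2498572]] [sss_extract_pac] (0x0040): [RID#93] No PAC authdata available.
"""

def pac_failures(text):
    """Return one finding per (process, RID) whose TGT failed the PAC check."""
    reqs = defaultdict(lambda: {"no_pac": False, "tgt_verified": False,
                                "principal": None, "ts": None})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m["rid"] is None:
            continue  # banners, "[...]" elisions, lines without a request id
        req = reqs[(m["proc"], int(m["rid"]))]
        # Backtrace dumps replay earlier messages; these flags are idempotent.
        req["no_pac"] |= "No PAC authdata available" in m["msg"]
        req["tgt_verified"] |= m["msg"].startswith("TGT verified using key")
        failed = PAC_FAILED.search(m["msg"])
        if failed and req["principal"] is None:
            req["principal"], req["ts"] = failed["principal"], m["ts"]
    return [{"proc": p, "rid": r, **req}
            for (p, r), req in sorted(reqs.items()) if req["principal"]]

if __name__ == "__main__":
    for finding in pac_failures(SAMPLE):
        print(finding)
```

A finding with `tgt_verified` and `no_pac` both true means the ticket itself validated and only the PAC presence check rejected the login.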

#1012502#10
Date:
2022-06-08 14:41:00 UTC
From:
To:
Michael Stone wrote on 8.6.2022 at 15.44:

Did you have 2.7.0 at some point?

#1012502#15
Date:
2022-06-08 15:52:02 UTC
From:
To:
2.7.0-1 was installed 2022-05-27
2.7.0-1+b1 was installed 2022-05-29

no issues with either of those; I reverted to 2.6.3 just because it was
easier to grab from the mirrors.

#1012502#20
Date:
2022-06-09 06:51:56 UTC
From:
To:
Michael Stone wrote on 8.6.2022 at 18.52:

I guess it should be filed upstream then, if it's a regression in 2.7.1
which was supposed to be a bugfix release.

https://github.com/SSSD/sssd/issues

#1012502#25
Date:
2022-06-09 07:11:19 UTC
From:
To:
Timo Aaltonen wrote on 9.6.2022 at 9.51:

actually, this should fix it:

https://github.com/SSSD/sssd/pull/6204

#1012502#30
Date:
2022-06-09 07:36:00 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
sssd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1012502@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <tjaalton@debian.org> (supplier of updated sssd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 09 Jun 2022 10:19:37 +0300
Source: sssd
Built-For-Profiles: noudeb
Architecture: source
Version: 2.7.1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian SSSD Team <pkg-sssd-devel@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaalton@debian.org>
Closes: 1012502
Changes:
 sssd (2.7.1-2) unstable; urgency=medium
 .
   * pac-relax-default-for-pac_check-option.diff: Drop pac_present from
     default PAC check. (Closes: #1012502)

#1012502#35
Date:
2022-06-09 15:01:21 UTC
From:
To:
this seems to be working