Bug 2095228

Summary: sssd_krb5 2.7.1 crashes "PAC check failed"
Product: [Fedora] Fedora Reporter: seanmottles
Component: sssdAssignee: sssd-maintainers <sssd-maintainers>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 36CC: abokovoy, atikhono, ipedrosa, jhrozek, lslebodn, luk.claes, mzidek, pbrezina, sbose, ssorce, sssd-maintainers
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-09 10:54:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
sssd krb5 log file none

Description seanmottles 2022-06-09 10:47:29 UTC 
Created attachment 1888304 [details]
sssd krb5 log file

Description of problem:
Attempting to authenticate via password on Fedora 36 host connected to FreeIPA with sssd 2.7.1-1 fails. ID lookups still function as normal.


Version-Release number of selected component (if applicable):
sssd-2.7.1-1.fc36

How reproducible:
Every attempt.

Steps to Reproduce:
1. Connect host to FreeIPA
2. Attempt to auth FreeIPA user via password
3.

Actual results:
"System Error" in /var/log/secure, and "PAC check failed for principal" in /var/log/sssd/krb5_child.log


Expected results:
Password auth is functional

Additional info:
Downgrading sssd to 2.7.0 resolves the issue and users can login as normal.
Comment 1 Iker Pedrosa 2022-06-09 10:54:24 UTC 
As a work-around set

    pac_check = check_upn, check_upn_dns_info_ex

in the [pac] section of sssd.conf.

*** This bug has been marked as a duplicate of bug 2094685 ***