Description of problem:

There is unfortunately something seriously broken in the Kerberos part of sssd 2.7.1. We get the following in the auth log:

> jun 09 08:43:48 samuel krb5_child[259734]: Unknown code UUz 100
> jun 09 08:43:48 samuel gdm-password][259724]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=samuel
> jun 09 08:43:48 samuel gdm-password][259724]: pam_sss(gdm-password:auth): received for user samuel: 4 (System error)

In sssd's log:

> (2022-06-09 8:43:48): [be[cendio.se]] [krb5_auth_done] (0x3f7c0): [RID#331] The krb5_child process returned an error. Please inspect the krb5_child.log file or the journal for more information

And in the krb5 child log:

> (2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
> * (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] krb5_child started.
> * (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x1000): [RID#333] total buffer size: [109]
> * (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x0100): [RID#333] cmd [241 (auth)] uid [4036] gid [21031] validate [true] enterprise principal [false] offline [false] UPN [samuel]
> * (2022-06-09 8:43:57): [krb5_child[259752]] [unpack_buffer] (0x0100): [RID#333] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
> * (2022-06-09 8:43:57): [krb5_child[259752]] [switch_creds] (0x0200): [RID#333] Switch user to [4036][21031].
> * (2022-06-09 8:43:57): [krb5_child[259752]] [switch_creds] (0x0200): [RID#333] Switch user to [0][0].
> * (2022-06-09 8:43:57): [krb5_child[259752]] [k5c_check_old_ccache] (0x4000): [RID#333] Ccache_file is [KCM:] and is active and TGT is valid.
> * (2022-06-09 8:43:57): [krb5_child[259752]] [k5c_setup_fast] (0x0100): [RID#333] Fast principal is set to [host/samuel.lkpg.cendio.se]
> * (2022-06-09 8:43:57): [krb5_child[259752]] [find_principal_in_keytab] (0x4000): [RID#333] Trying to find principal host/samuel.lkpg.cendio.se in keytab.
> * (2022-06-09 8:43:57): [krb5_child[259752]] [match_principal] (0x1000): [RID#333] Principal matched to the sample (host/samuel.lkpg.cendio.se).
> * (2022-06-09 8:43:57): [krb5_child[259752]] [check_fast_ccache] (0x0200): [RID#333] FAST TGT is still valid.
> * (2022-06-09 8:43:57): [krb5_child[259752]] [become_user] (0x0200): [RID#333] Trying to become user [4036][21031].
> * (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x2000): [RID#333] Running as [4036][21031].
> * (2022-06-09 8:43:57): [krb5_child[259752]] [set_lifetime_options] (0x0100): [RID#333] No specific renewable lifetime requested.
> * (2022-06-09 8:43:57): [krb5_child[259752]] [set_lifetime_options] (0x0100): [RID#333] No specific lifetime requested.
> * (2022-06-09 8:43:57): [krb5_child[259752]] [set_canonicalize_option] (0x0100): [RID#333] Canonicalization is set to [true]
> * (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] Will perform auth
> * (2022-06-09 8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] Will perform online auth
> * (2022-06-09 8:43:57): [krb5_child[259752]] [tgt_req_child] (0x1000): [RID#333] Attempting to get a TGT
> * (2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0400): [RID#333] Attempting kinit for realm [CENDIO.SE]
> * (2022-06-09 8:43:57): [krb5_child[259752]] [sss_krb5_responder] (0x4000): [RID#333] Got question [password].
> * (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x2000): [RID#333] Found keytab entry with the realm of the credential.
> * (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0400): [RID#333] TGT verified using key for [host/samuel.lkpg.cendio.se].
> * (2022-06-09 8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
> ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] PAC check failed for principal [samuel].
> (2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0020): [RID#333] 2045: [1432158308][Unknown code UUz 100]
> ********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
> * (2022-06-09 8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] PAC check failed for principal [samuel].
> * (2022-06-09 8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0020): [RID#333] 2045: [1432158308][Unknown code UUz 100]
> ********************** BACKTRACE DUMP ENDS HERE *********************************
>
> (2022-06-09 8:43:57): [krb5_child[259752]] [map_krb5_error] (0x0020): [RID#333] [1432158308][PAC check failed].

Version-Release number of selected component (if applicable):
sssd-2.7.1-1.fc36.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Upgrade sssd
2. Try to log in

Actual results:
Login fails

Expected results:
Login succeeds

Additional info:
Also reported to Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012502
Which also references this upstream PR: https://github.com/SSSD/sssd/pull/6204
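A small triage helper for the krb5_child.log excerpt above, added here as an example (it is not code from the report or from sssd): it parses the `(timestamp): [krb5_child[pid]] [function] (level): [RID#n] message` lines, groups them per request id, and tells apart "TGT validated but the ticket carried no PAC" from other PAC-check failures. The sample log is constructed from the lines quoted in the report.

```python
import re
from collections import defaultdict

# Constructed sample: krb5_child.log lines copied from the report above.
SAMPLE_LOG = """\
(2022-06-09  8:43:57): [krb5_child[259752]] [main] (0x0400): [RID#333] krb5_child started.
* (2022-06-09  8:43:57): [krb5_child[259752]] [validate_tgt] (0x0400): [RID#333] TGT verified using key for [host/samuel.lkpg.cendio.se].
* (2022-06-09  8:43:57): [krb5_child[259752]] [sss_extract_pac] (0x0040): [RID#333] No PAC authdata available.
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-09  8:43:57): [krb5_child[259752]] [validate_tgt] (0x0020): [RID#333] PAC check failed for principal [samuel].
(2022-06-09  8:43:57): [krb5_child[259752]] [get_and_save_tgt] (0x0020): [RID#333] 2045: [1432158308][Unknown code UUz 100]
(2022-06-09  8:43:57): [krb5_child[259752]] [map_krb5_error] (0x0020): [RID#333] [1432158308][PAC check failed].
"""

# One krb5_child debug line; a leading "* " marks a backtrace replay of an earlier line.
LINE_RE = re.compile(
    r"^\*?\s*\((?P<ts>[^)]+)\):\s+\[krb5_child\[(?P<pid>\d+)\]\]\s+\[(?P<func>\w+)\]"
    r"\s+\((?P<level>0x[0-9a-fA-F]+)\):\s+\[RID#(?P<rid>\d+)\]\s+(?P<msg>.*)$"
)
PAC_FAIL_RE = re.compile(r"PAC check failed for principal \[(?P<principal>[^\]]+)\]")
ERR_RE = re.compile(r"\[(?P<code>\d+)\]\[(?P<text>[^\]]+)\]")  # [errno][message]

def parse_line(line):
    """Return the fields of one log line, or None for banners and separators."""
    m = LINE_RE.match(line.strip().lstrip("> "))
    return m.groupdict() if m else None

def summarize(log_text):
    """Group lines by request id and record the TGT/PAC state of each request."""
    def fresh():
        return {"tgt_verified": False, "pac_present": True,
                "pac_check_failed": False, "principal": None, "errors": set()}
    requests = defaultdict(fresh)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        r, msg = requests[rec["rid"]], rec["msg"]
        if rec["func"] == "validate_tgt" and msg.startswith("TGT verified"):
            r["tgt_verified"] = True           # keytab check of the TGT passed
        if rec["func"] == "sss_extract_pac" and "No PAC authdata available" in msg:
            r["pac_present"] = False           # KDC issued a ticket without a PAC
        if (m := PAC_FAIL_RE.search(msg)):
            r["pac_check_failed"], r["principal"] = True, m.group("principal")
        if (e := ERR_RE.search(msg)):
            r["errors"].add((int(e.group("code")), e.group("text")))
    return dict(requests)

def diagnose(summary):
    """Map each request id to a one-line verdict."""
    out = {}
    for rid, r in summary.items():
        if r["tgt_verified"] and not r["pac_present"] and r["pac_check_failed"]:
            out[rid] = (f"PAC-missing rejection: TGT for [{r['principal']}] was issued and "
                        "validated against the keytab, but carried no PAC and pac_check refused it")
        elif r["pac_check_failed"]:
            out[rid] = f"PAC check failed for [{r['principal']}] with a PAC present"
        else:
            out[rid] = "no PAC failure recorded"
    return out
```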
As a work-around, set pac_check = check_upn, check_upn_dns_info_ex in the [pac] section of sssd.conf.

*** This bug has been marked as a duplicate of bug 2094685 ***