Created attachment 1888388 [details] krb5_child.log of attempt to login using password auth I recently upgraded a fedora 35 system to fedora 36. After the upgrade, using any type of password auth against the freeipa server no longer works (ssh, su, sudo), only local user logins or ssh public key login. The problem seems to have to do with the new sssd package. I can see an error message in dmesg: [ 743.242553] sssd_be[848]: segfault at 18 ip 00007f9bd8b5559c sp 00007ffd21604bc0 error 4 in libc.so.6[7f9bd8aeb000+173000] I also enabled debug logging in sssd.conf and got error messages in /var/log/sssd/krb5_child.log excerpt (see attachment for full log of login attempt): [...] (2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0400): [RID#18] TGT verified using key for [host/zeus.net.ida]. (2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000): [RID#18] [1808] 1654779082.856019: Retrieving thomasb -> host/zeus.net.ida from MEMORY:rd_req2 with result: 0/Success (2022-06-09 14:51:22): [krb5_child[1808]] [sss_extract_pac] (0x0040): [RID#18] No PAC authdata available. (2022-06-09 14:51:22): [krb5_child[1808]] [validate_tgt] (0x0020): [RID#18] PAC check failed for principal [thomasb]. (2022-06-09 14:51:22): [krb5_child[1808]] [sss_child_krb5_trace_cb] (0x4000): [RID#18] [1808] 1654779082.856020: Destroying ccache MEMORY:rd_req2 (2022-06-09 14:51:22): [krb5_child[1808]] [get_and_save_tgt] (0x0020): [RID#18] 2045: [1432158308][Unknown code UUz 100] (2022-06-09 14:51:22): [krb5_child[1808]] [map_krb5_error] (0x0020): [RID#18] [1432158308][PAC check failed]. (2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x0200): [RID#18] Received error code 1432158308 (2022-06-09 14:51:22): [krb5_child[1808]] [pack_response_packet] (0x2000): [RID#18] response packet size: [20] (2022-06-09 14:51:22): [krb5_child[1808]] [k5c_send_data] (0x4000): [RID#18] Response sent. (2022-06-09 14:51:22): [krb5_child[1808]] [main] (0x0400): [RID#18] krb5_child completed successfully I had to rollback the system to before the update for now but am willing to attempt again if additional data is needed.
As a work-around set pac_check = check_upn, check_upn_dns_info_ex in the [pac] section of sssd.conf. *** This bug has been marked as a duplicate of bug 2094685 ***