Date:      Mon, 22 Jul 2024 14:04:00 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 280407] Authentication fails when using pam_krb5.so
Message-ID:  <bug-280407-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280407

            Bug ID: 280407
           Summary: Authentication fails when using pam_krb5.so
           Product: Base System
           Version: 13.3-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: anderson.soares@embrapa.br

Since I've upgraded one of our servers from FreeBSD 13.2 to 13.3, our users are
getting authentication errors when they try to use our web proxy service, which
authenticates users against the pam_krb5 module.
Using the pamtester utility and enabling pam_krb5 debug I could confirm that
authentication is failing every time pam_krb5 is called. I also noticed the
following messages in the debug log:

Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_user(): entering
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): entering: PAM_USER
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): returning PAM_SUCCESS
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_user(): returning PAM_SUCCESS
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Got user: anderson
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): entering: PAM_RUSER
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): returning PAM_SUCCESS
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Got ruser: (null)
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): entering: PAM_SERVICE
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): returning PAM_SUCCESS
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Got service: squid
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Context initialised
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_get_option(): entering: 'debug'
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_get_option(): returning ''
Jul 22 10:09:54 vm3 pam_krb5[27135]: in openpam_get_option(): entering: 'allow_kdc_spoof'
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Done cleanup4
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Done cleanup5
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_get_option(): entering: 'no_warn'
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_get_option(): returning ''
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Done cleanup6
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_dispatch(): /usr/lib/pam_krb5.so.6: pam_sm_authenticate(): Error in service module
Jul 22 10:09:54 vm3 pam_krb5[27135]: in openpam_get_option(): returning NULL

The problem seems to be related to pam_krb5 since Kerberos authentication using
the kinit utility works fine. Supposing that the problem could be caused by
some error in the service configuration file, I've tried different PAM service
configurations but none solved the problem. Further tests have shown that
even the default system service configuration fails when the pam_krb5 line is
uncommented. This is the PAM service file I'm using:

auth            required        pam_krb5.so             debug no_warn try_first_pass no_ccache no_user_check
account         required        pam_permit.so
session         required        pam_lastlog.so          no_fail
password        required        pam_deny.so


As additional information, I've also tested the same configuration on the
14.0 and 14.1 releases and the same error occurs in both versions.

Best regards,

Anderson
