Date: Fri, 26 Jul 2024 20:40:27 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 280407] Authentication fails when using pam_krb5.so
Message-ID: <bug-280407-227-JC5rzt4HTw@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-280407-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-280407-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280407

--- Comment #5 from Dag-Erling Smørgrav <des@FreeBSD.org> ---
First, “required” vs “sufficient” is a red herring. The module is returning an error.

Second, it isn't true that the only change between 13.2 and 13.3 is 27968aa02206. Here is the complete list:

https://cgit.freebsd.org/src/commit/?id=6322a6c9daaa
https://cgit.freebsd.org/src/commit/?id=d295e418ae7e
https://cgit.freebsd.org/src/commit/?id=3d497e17ebd3
https://cgit.freebsd.org/src/commit/?id=27968aa02206

We can see from the log that pam_sm_authenticate() is querying the allow_kdc_spoof option. This tells us that it failed to authenticate the KDC. Since the allow_kdc_spoof option is not set, it therefore refuses to authenticate the user.

This check was added by the first commit in the list above, and amended by the second.

Anderson, you need to either add the allow_kdc_spoof option to your PAM policy (see the link below for documentation) or ensure that the endpoint has a keytab with the KDC's key in it.

https://man.freebsd.org/cgi/man.cgi?query=pam_krb5&manpath=FreeBSD+13.3-RELEASE

-- 
You are receiving this mail because:
You are the assignee for the bug.
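
An added example, not part of the original message or of FreeBSD's code: a shell function that lists the active pam_krb5 `auth` entries in a PAM policy and reports whether each one sets allow_kdc_spoof, which shows which logins depend on a keytab holding the KDC's key. The function names and the sample policy are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample policy in /etc/pam.d format (not taken from the bug report).
sample_policy() {
    cat <<'EOF'
# constructed sample policy
auth      sufficient  pam_krb5.so           no_warn try_first_pass
auth      required    pam_unix.so           no_warn try_first_pass nullok
#auth     sufficient  pam_krb5.so           allow_kdc_spoof
auth      sufficient  /usr/lib/pam_krb5.so  no_warn allow_kdc_spoof  # lab only
account   required    pam_krb5.so
EOF
}

# Read a PAM policy on stdin and print one line per active pam_krb5 "auth" entry.
# The message above places the KDC check in pam_sm_authenticate(), so only the
# auth facility is inspected; commented-out entries are ignored.
audit_pam_krb5() {
    awk '
    {
        sub(/#.*/, "")                 # strip comments; awk re-splits the fields
        if (NF < 3 || $1 != "auth") next
        mod = $3
        sub(/^.*\//, "", mod)          # accept a module given with a full path
        if (mod != "pam_krb5.so") next
        spoof = "no"
        for (i = 4; i <= NF; i++)
            if ($i == "allow_kdc_spoof") spoof = "yes"
        # "no"  -> the KDC must be verified, so the host needs a usable keytab
        # "yes" -> the user is authenticated even when the KDC was not verified
        printf "line %d: %s %s allow_kdc_spoof=%s\n", NR, $2, mod, spoof
    }'
}

sample_policy | audit_pam_krb5
```

To check a real policy, feed the file to the function, for example `audit_pam_krb5 < /etc/pam.d/sshd`.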