Date: Fri, 26 Jul 2024 20:40:27 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 280407] Authentication fails when using pam_krb5.so
Message-ID: <bug-280407-227-JC5rzt4HTw@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-280407-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-280407-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280407

--- Comment #5 from Dag-Erling Smørgrav <des@FreeBSD.org> ---
First, “required” vs “sufficient” is a red herring. The module is returning an error.

Second, it isn't true that the only change between 13.2 and 13.3 is 27968aa02206. Here is the complete list:

https://cgit.freebsd.org/src/commit/?id=6322a6c9daaa
https://cgit.freebsd.org/src/commit/?id=d295e418ae7e
https://cgit.freebsd.org/src/commit/?id=3d497e17ebd3
https://cgit.freebsd.org/src/commit/?id=27968aa02206

We can see from the log that pam_sm_authenticate() is querying the allow_kdc_spoof option. This tells us that it failed to authenticate the KDC. Since the allow_kdc_spoof option is not set, it therefore refuses to authenticate the user. This check was added by the first commit in the list above, and amended by the second.

Anderson, you need to either add the allow_kdc_spoof option to your PAM policy (see the link below for documentation) or ensure that the endpoint has a keytab with the KDC's key in it.

https://man.freebsd.org/cgi/man.cgi?query=pam_krb5&manpath=FreeBSD+13.3-RELEASE

--
You are receiving this mail because:
You are the assignee for the bug.
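Added example, not part of the original message and not FreeBSD's code: a shell check that lists the active pam_krb5 entries in PAM policy files, shows which ones set allow_kdc_spoof, and tests whether a keytab file is present. The sample policy is constructed; the function names and the /etc/krb5.keytab default are assumptions.

```shell
#!/bin/sh
# Added example (not FreeBSD's code): list active pam_krb5 entries in PAM
# policy files and show whether each one sets allow_kdc_spoof.

# audit_pam_krb5 FILE...
# Output: file:line:facility:status
#   verify-kdc   allow_kdc_spoof absent, the module must authenticate the KDC
#   allow-spoof  allow_kdc_spoof present, a failed KDC check is tolerated
audit_pam_krb5() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out entry
        NF < 3     { next }                 # not "facility control module"
        {
            mod = $3
            sub(/.*\//, "", mod)            # drop any directory prefix
            if (mod !~ /^pam_krb5(\.so(\.[0-9]+)?)?$/) next
            status = "verify-kdc"
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^#/) break        # trailing comment, stop scanning
                if ($i == "allow_kdc_spoof") status = "allow-spoof"
            }
            printf "%s:%d:%s:%s\n", FILENAME, FNR, $1, status
        }
    ' "$@"
}

# keytab_present PATH: true when PATH is a non-empty regular file.
keytab_present() {
    [ -f "$1" ] && [ -s "$1" ]
}

# Constructed sample policy, written to a scratch file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#auth      sufficient  pam_krb5.so  no_warn try_first_pass
auth       sufficient  pam_krb5.so  no_warn try_first_pass
auth       required    pam_unix.so  no_warn try_first_pass nullok
auth       sufficient  /usr/lib/pam_krb5.so  no_warn allow_kdc_spoof
EOF
audit_pam_krb5 "$sample"
# KEYTAB defaults to /etc/krb5.keytab here, an assumption about the host.
keytab_present "${KEYTAB:-/etc/krb5.keytab}" ||
    echo "no keytab found: entries marked verify-kdc cannot authenticate the KDC"
rm -f "$sample"
```

On a real host, pass the policy files to check as arguments, for example the files under /etc/pam.d.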
