
Bug#1034659: freeipa-client: IPA client Kerberos configuration incompatible with java


Mathieu Baudier

Apr 21, 2023, 12:40:05 AM
Package: freeipa-client
Version: 4.9.11-1
Severity: normal

Dear Maintainer,


on a host enrolled as an IPA client, Kerberos is not usable in Java.

The error message is:
KrbException: krb5.conf loading failed

(please find simple steps to reproduce below)

After debugging step by step, I found out that this is due to the fact
that the following Kerberos configuration directory
/var/lib/sss/pubconf/krb5.include.d/
ends up being included twice and that Java rejects multiple includes of the same directory.

This directory is included:

- in the configuration file /etc/krb5.conf.d/enable_sssd_conf_dir
which is deployed by the installation of the *package* freeipa-client
(probably indirectly by one of the sssd packages?)

- in the configuration file /etc/krb5.conf
which is generated by the ipa-client-install procedure

As a workaround, commenting out the includedir line in
/etc/krb5.conf.d/enable_sssd_conf_dir
(or completely removing this file, since it contains only this line)
solves the problem.

Please note that:
- the issue occurs with Java 17, 11 and 21 (and most likely other available Java versions)
- the issue does NOT occur on bullseye with freeipa-client from backports
(which we have been using in production for a while)

In order to reproduce (on a host enrolled as an IPA client), using the standard Java JAAS Kerberos example:
https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html
(just copy JaasAcn.java and jaas.conf in the same directory; no need to compile)

$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Authentication failed:
KrbException: krb5.conf loading failed

And the workaround:

$ sudo mv /etc/krb5.conf.d/enable_sssd_conf_dir /tmp

$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Kerberos password for mbaudier:
Authentication succeeded!


-- System Information:
Debian Release: 12.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-162.23.1.el9_1.x86_64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeipa-client depends on:
ii bind9-dnsutils [dnsutils] 1:9.18.13-1
ii bind9-utils 1:9.18.13-1
ii certmonger 0.79.17-2
ii curl 7.88.1-9
ii dnsutils 1:9.18.13-1
ii freeipa-common 4.9.11-1
ii krb5-user 1.20.1-1+b1
ii libc6 2.36-9
ii libcom-err2 1.47.0-2
ii libcurl4 7.88.1-9
ii libini-config5 0.6.2-1
ii libjansson4 2.14-2
ii libk5crypto3 1.20.1-1+b1
ii libkrb5-3 1.20.1-1+b1
ii libldap-2.5-0 2.5.13+dfsg-5
ii libnss-sss 2.8.2-4
ii libnss3-tools 2:3.89-2
ii libpam-sss 2.8.2-4
ii libpopt0 1.19+dfsg-1
ii libsasl2-modules-gssapi-mit 2.1.28+dfsg-11
ii libssl3 3.0.8-1
ii libsss-sudo 2.8.2-4
ii oddjob-mkhomedir 0.34.7-1+b2
ii python3 3.11.2-1+b1
ii python3-dnspython 2.3.0-1
ii python3-gssapi 1.8.2-1+b1
ii python3-ipaclient 4.9.11-1
ii python3-ldap 3.4.3-2+b2
ii python3-sss 2.8.2-4
ii sssd 2.8.2-4

Versions of packages freeipa-client recommends:
ii chrony 4.3-2

Versions of packages freeipa-client suggests:
pn libpam-krb5 <none>

-- no debconf information
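A checker for the condition the report describes (the same directory, /var/lib/sss/pubconf/krb5.include.d/, reached once through /etc/krb5.conf and once through /etc/krb5.conf.d/enable_sssd_conf_dir), which also confirms that the workaround restated in the later reply removes it. This is an added example, not code from the bug report, freeipa, sssd or the JDK: it walks the include chain the way the MIT krb5 profile library does and flags anything included twice, which is the rule the report says the JDK enforces; it does not reproduce the JDK's own parser. The sample directory layout, fragment file name and realm name it builds are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Resolve the MIT krb5 include chain and flag anything included twice.

Hypothetical checker written for this report; it is not part of freeipa, sssd
or the JDK.  It follows 'include FILE' and 'includedir DIR' directives the way
the MIT krb5 profile library does and reports every file or directory reached
more than once, which is the condition the report says makes the JDK fail with
"krb5.conf loading failed".
"""
import os
import re
import sys
import tempfile

# Top-level include directives; 'includedir' is listed first so it is not
# matched as 'include' followed by a path starting with "dir".
INCLUDE_RE = re.compile(r"^\s*(includedir|include)\s+(\S+)\s*$")
# MIT krb5 loads only includedir entries whose names consist solely of
# alphanumerics, '-' and '_' (so editor backups such as 'foo~' are skipped).
FRAGMENT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def find_duplicate_includes(conf_path):
    """Return [(path, first_included_from, included_again_from), ...] for every
    file or directory that the chain rooted at conf_path pulls in twice."""
    first_seen = {}   # canonical path -> canonical path of the file that included it
    duplicates = []

    def seen_before(real, included_from):
        if real in first_seen:
            duplicates.append((real, first_seen[real], included_from))
            return True
        first_seen[real] = included_from
        return False

    def visit_file(path, included_from):
        real = os.path.realpath(path)
        if seen_before(real, included_from) or not os.path.isfile(real):
            return
        with open(real, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                match = INCLUDE_RE.match(line)
                if match is None:
                    continue
                kind, target = match.groups()
                (visit_dir if kind == "includedir" else visit_file)(target, real)

    def visit_dir(path, included_from):
        real = os.path.realpath(path)
        if seen_before(real, included_from) or not os.path.isdir(real):
            return
        for name in sorted(os.listdir(real)):
            full = os.path.join(real, name)
            if FRAGMENT_NAME_RE.match(name) and os.path.isfile(full):
                visit_file(full, real)

    visit_file(conf_path, "<command line>")
    return duplicates


def build_sample_tree(root):
    """Constructed sample layout (not copied from a real host) mirroring the
    report: krb5.conf as written by ipa-client-install and the sssd-shipped
    krb5.conf.d/enable_sssd_conf_dir both include the sssd pubconf directory."""
    confd = os.path.join(root, "etc", "krb5.conf.d")
    sss_incd = os.path.join(root, "var", "lib", "sss", "pubconf", "krb5.include.d")
    os.makedirs(confd)
    os.makedirs(sss_incd)
    with open(os.path.join(sss_incd, "domain_realm_example_com"), "w") as fh:
        fh.write("[domain_realm]\n .example.com = EXAMPLE.COM\n")
    with open(os.path.join(confd, "enable_sssd_conf_dir"), "w") as fh:
        fh.write(f"includedir {sss_incd}/\n")
    krb5_conf = os.path.join(root, "etc", "krb5.conf")
    with open(krb5_conf, "w") as fh:
        fh.write(f"includedir {confd}/\nincludedir {sss_incd}/\n\n"
                 "[libdefaults]\n default_realm = EXAMPLE.COM\n")
    return krb5_conf


def demo():
    """Run the checker on the sample tree before and after applying the
    report's workaround (removing enable_sssd_conf_dir); returns both results."""
    with tempfile.TemporaryDirectory() as root:
        krb5_conf = build_sample_tree(root)
        before = find_duplicate_includes(krb5_conf)
        os.remove(os.path.join(root, "etc", "krb5.conf.d", "enable_sssd_conf_dir"))
        after = find_duplicate_includes(krb5_conf)
    return before, after


def report(duplicates):
    for real, first, again in duplicates:
        print(f"{real}\n  first included from {first}\n  included again from {again}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(find_duplicate_includes(sys.argv[1]))   # e.g. /etc/krb5.conf
    else:
        before, after = demo()
        print("sample tree before workaround:")
        report(before)
        print(f"after removing enable_sssd_conf_dir: {len(after)} duplicate(s)")
```

Run it as `python3 krb5_dup_includes.py /etc/krb5.conf` on an enrolled client to see which two files pull in the same directory; with no argument it builds the constructed tree, shows the duplicate, then shows that deleting enable_sssd_conf_dir clears it. Paths are canonicalised with realpath, so a trailing slash or a symlink does not hide a duplicate.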

Timo Aaltonen

Apr 21, 2023, 3:10:04 AM
Hi,

Okay, so it got added to sssd due to

https://github.com/SSSD/sssd/issues/5893

so I wonder if ipa should stop doing the same, and remove the line from
krb5.conf on upgrade.


--
t

Timo Aaltonen

Apr 21, 2023, 3:20:05 AM
Seems this is filed upstream already at

https://pagure.io/freeipa/issue/9267

but no fix available yet, so it needs to be fixed downstream first.

--
t

Mathieu Baudier

Apr 21, 2023, 4:00:04 AM
> > Okay, so it got added to sssd due to
> >
> > https://github.com/SSSD/sssd/issues/5893
> >
> > so I wonder if ipa should stop doing the same, and remove the line
> > from
> > krb5.conf on upgrade.
>
> Seems this is filed upstream already at
>
> https://pagure.io/freeipa/issue/9267
>
> but no fix available yet, so it needs to be fixed downstream first.

Ok, I had missed that it was already filed upstream.
Actually, the issue also occurs on RHEL 9.

I am well set up to test a patched Debian package if it can be helpful.

As I described in the original bug report above, the workaround is
either to delete /etc/krb5.conf.d/enable_sssd_conf_dir or to comment
the includedir line out.

It could be more robust to patch it at this level since
/etc/krb5.conf.d/enable_sssd_conf_dir is a static file, while
/etc/krb5.conf is modified by ipa-client-install. But in the long run,
the upstream fix will probably be at IPA level as you suggested, so
maybe it is safer to keep a patch there, and not to impact sssd.

Timo Aaltonen

Apr 21, 2023, 4:30:04 AM
Yes, the change should be in freeipa, sssd needs that for other use
cases where ipa is not involved.

--
t