Timo Aaltonen wrote on 21.4.2023 at 9.59:
Mathieu Baudier wrote on 21.4.2023 at 7.19:
Package: freeipa-client
Version: 4.9.11-1
Severity: normal
Dear Maintainer,
on a host enrolled as an IPA client, Kerberos is not usable in Java.
The error message is:
KrbException: krb5.conf loading failed
(please find simple steps to reproduce below)
After debugging step by step, I found out that this is due to the fact
that the following Kerberos configuration directory
/var/lib/sss/pubconf/krb5.include.d/
ends up being included twice and that Java rejects multiple includes
of the same directory.
This directory is included:
- in the configuration file /etc/krb5.conf.d/enable_sssd_conf_dir
which is deployed by the installation of the *package* freeipa-client
(probably indirectly by one of the sssd packages?)
- in the configuration file /etc/krb5.conf
which is generated by the ipa-client-install procedure
As a workaround, commenting out the includedir line in
/etc/krb5.conf.d/enable_sssd_conf_dir
(or completely removing this file, since it contains only this line)
solves the problem.
Please note that:
- the issue occurs with Java 17, 11 and 21 (and most likely other
available Java versions)
- the issue does NOT occur on bullseye with freeipa-client from backports
(which we have been using in production for a while)
In order to reproduce (on a host enrolled as an IPA client), using the
standard Java JAAS Kerberos example:
https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html
(just copy JaasAcn.java and jaas.conf in the same directory; no need
to compile)
$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Authentication failed:
KrbException: krb5.conf loading failed
And the workaround:
$ sudo mv /etc/krb5.conf.d/enable_sssd_conf_dir /tmp
$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Kerberos password for mbaudier:
Authentication succeeded!
Hi,
Okay, so it got added to sssd due to
https://github.com/SSSD/sssd/issues/5893
so I wonder if ipa should stop doing the same, and remove the line from
krb5.conf on upgrade.
Seems this is filed upstream already at
https://pagure.io/freeipa/issue/9267
but no fix available yet, so it needs to be fixed downstream first.
--
t
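The report above boils down to a configuration-hygiene problem: the same `includedir` target reached through two different paths of the krb5.conf include tree. The following checker is an added example, not code from the bug report, from freeipa or from sssd. It follows `include` and `includedir` directives the way krb5 does (loading only files in an included directory whose names are alphanumeric, `-` or `_`, optionally with a `.conf` suffix), counts every target it reaches, and reports any target included more than once. To stay self-contained it rebuilds the layout the report describes under a scratch directory with constructed file contents; the real files, realm name and the trailing-slash normalization are assumptions made here for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# The two krb5.conf directives that pull in further configuration.
INCLUDE_RE = re.compile(r"^\s*(include|includedir)\s+(\S+)\s*$")
# krb5 loads only files in an includedir whose names are alphanumeric, '-' or '_'
# (optionally suffixed with .conf); anything else in the directory is ignored.
INCLUDEDIR_NAME_RE = re.compile(r"[A-Za-z0-9_-]+(\.conf)?")


def collect_includes(conf_path):
    """Return every (directive, normalized target) reached from conf_path,
    following include/includedir recursively. Each file is read once, but a
    directive is recorded every time it is encountered, so a directory named
    from two different files shows up twice."""
    found = []
    visited_files = set()

    def walk(path):
        if path in visited_files:
            return
        visited_files.add(path)
        try:
            with open(path) as fh:
                lines = fh.readlines()
        except OSError:
            return  # missing or unreadable: krb5 ignores it, so do we
        for line in lines:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            directive, target = m.group(1), os.path.normpath(m.group(2))
            found.append((directive, target))
            if directive == "include":
                walk(target)
            elif os.path.isdir(target):
                for name in sorted(os.listdir(target)):
                    if INCLUDEDIR_NAME_RE.fullmatch(name):
                        walk(os.path.join(target, name))

    walk(conf_path)
    return found


def duplicate_includes(conf_path):
    """Map each include target that is reached more than once to its count."""
    counts = Counter(target for _, target in collect_includes(conf_path))
    return {target: n for target, n in counts.items() if n > 1}


def build_sample_layout(root, with_enable_file=True):
    """Construct (sample content, not the real package files) the layout the
    report describes under root and return the path standing in for /etc/krb5.conf."""
    etc = os.path.join(root, "etc")
    conf_d = os.path.join(etc, "krb5.conf.d")
    sss_dir = os.path.join(root, "var", "lib", "sss", "pubconf", "krb5.include.d")
    os.makedirs(conf_d)
    os.makedirs(sss_dir)
    krb5_conf = os.path.join(etc, "krb5.conf")
    with open(krb5_conf, "w") as fh:
        fh.write(f"includedir {conf_d}/\n")
        fh.write(f"includedir {sss_dir}/\n")  # line the report attributes to ipa-client-install
        fh.write("[libdefaults]\n  default_realm = EXAMPLE.TEST\n")  # constructed realm
    if with_enable_file:
        # file the report attributes to the sssd packaging; removing it is the workaround
        with open(os.path.join(conf_d, "enable_sssd_conf_dir"), "w") as fh:
            fh.write(f"includedir {sss_dir}\n")
    # a snippet of the kind sssd drops into its include directory (constructed)
    with open(os.path.join(sss_dir, "domain_realm_example_test"), "w") as fh:
        fh.write("[domain_realm]\n  .example.test = EXAMPLE.TEST\n")
    return krb5_conf


def check_layout(with_enable_file=True):
    """Build the sample layout in a scratch directory and return duplicates as
    paths relative to the scratch root, so results do not depend on the root."""
    with tempfile.TemporaryDirectory() as root:
        conf = build_sample_layout(root, with_enable_file)
        return {os.path.relpath(p, root): n
                for p, n in duplicate_includes(conf).items()}


if __name__ == "__main__":
    print("as reported:", check_layout(True))
    print("after workaround:", check_layout(False))
```

Run against a real host, `duplicate_includes("/etc/krb5.conf")` needs only read access to the include tree; an empty result means the Java loader has nothing to object to on this count, and a non-empty one names the directory to remove from one of the two files.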