Timo Aaltonen wrote on 21.4.2023 at 9.59:
Mathieu Baudier wrote on 21.4.2023 at 7.19:
Package: freeipa-client
Version: 4.9.11-1
Severity: normal

Dear Maintainer,
on a host enrolled as an IPA client, Kerberos is not usable in Java.

The error message is:
   KrbException: krb5.conf loading failed

(please find simple steps to reproduce below)

After debugging step by step, I found out that this is due to the fact
that the following Kerberos configuration directory
/var/lib/sss/pubconf/krb5.include.d/
ends up being included twice and that Java rejects multiple includes of the same directory.

This directory is included:

- in the configuration file /etc/krb5.conf.d/enable_sssd_conf_dir
which is deployed by the installation of the *package* freeipa-client
(probably indirectly by one of the sssd packages?)

- in the configuration file /etc/krb5.conf
which is generated by the ipa-client-install procedure

As a workaround, commenting out the includedir line in
/etc/krb5.conf.d/enable_sssd_conf_dir
(or completely removing this file, since it contains only this line)
solves the problem.

Please note that:
- the issue occurs with Java 17, 11 and 21 (and most likely other available Java versions)
- the issue does NOT occur on bullseye with freeipa-client from backports
(which we have been using in production for a while)

In order to reproduce (on a host enrolled as an IPA client), using the standard Java JAAS Kerberos example:
https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html
(just copy JaasAcn.java and jaas.conf in the same directory; no need to compile)

$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Authentication failed:
   KrbException: krb5.conf loading failed

And the workaround:

$ sudo mv /etc/krb5.conf.d/enable_sssd_conf_dir /tmp

$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Kerberos password for mbaudier:
Authentication succeeded!

Hi,

Okay, so it got added to sssd due to

https://github.com/SSSD/sssd/issues/5893

so I wonder if ipa should stop doing the same, and remove the line from krb5.conf on upgrade.

Seems this is filed upstream already at

https://pagure.io/freeipa/issue/9267

but no fix available yet, so it needs to be fixed downstream first.

--
t
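As an added example (not part of the bug report, nor of the freeipa or sssd packaging), a small Python check that walks krb5.conf include/includedir directives the way a loader would and reports every file or directory pulled in more than once, which is the condition Java's Kerberos config loader refuses. The directory layout it builds is a constructed copy of the one described in the report, under a temporary root; the rule used for which directory entries count (letters, digits, '-' and '_' only) is the MIT krb5 includedir rule and is assumed to match what matters here.

```python
import re
import tempfile
from pathlib import Path

# MIT krb5 includedir rule: only entries named with letters, digits, '-' or '_'
_DIR_ENTRY = re.compile(r"^[A-Za-z0-9_-]+$")

def collect_includes(conf, order=None, stack=()):
    """List (kind, path, origin) in load order; repeats are kept on purpose."""
    order, conf = [] if order is None else order, Path(conf)
    if conf in stack:  # a file that includes itself: stop instead of looping
        return order
    order.append(("file", str(conf), str(stack[-1]) if stack else "<root>"))
    for raw in conf.read_text().splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0] not in ("include", "includedir"):
            continue  # comments, [sections] and key = value lines
        kind, target = parts[0], Path(parts[1].strip())
        order.append((kind, str(target), str(conf)))
        if kind == "include" and target.is_file():
            collect_includes(target, order, stack + (conf,))
        elif kind == "includedir" and target.is_dir():
            for child in sorted(target.iterdir()):
                if child.is_file() and _DIR_ENTRY.match(child.name):
                    collect_includes(child, order, stack + (conf,))
    return order

def find_duplicates(conf):
    """Map every path read or included more than once to where it came from."""
    seen = {}
    for kind, path, origin in collect_includes(conf):
        seen.setdefault(path, []).append(f"{kind} from {origin}")
    return {p: o for p, o in seen.items() if len(o) > 1}

def build_reported_layout(root):
    """Constructed copy of the layout in the bug report, rooted under root."""
    root = Path(root)
    conf_d, pubconf = root / "etc/krb5.conf.d", root / "var/lib/sss/pubconf/krb5.include.d"
    conf_d.mkdir(parents=True); pubconf.mkdir(parents=True)
    (pubconf / "domain_realm_example_test").write_text("[domain_realm]\n")
    # sssd ships the first include; ipa-client-install adds the same dir to krb5.conf
    (conf_d / "enable_sssd_conf_dir").write_text(f"includedir {pubconf}\n")
    (root / "etc/krb5.conf").write_text(f"includedir {conf_d}\nincludedir {pubconf}\n")
    return root / "etc/krb5.conf"

def duplicate_paths_in_reported_layout():
    """Run the check on the constructed layout; return root-relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        dups = find_duplicates(build_reported_layout(tmp))
        return sorted(str(Path(p).relative_to(tmp)) for p in dups)
```

Pointing `find_duplicates` at a real `/etc/krb5.conf` on an enrolled client shows whether the sssd pubconf directory is still reached twice after an upgrade, and from which files.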
