On Thu, 2022-06-02 at 13:33 +0200, Pavel Březina via FreeIPA-users wrote:
> # SSSD 2.7.1
>
> ### Configuration changes
>
> * New option `implicit_pac_responder` to control if the PAC responder is started for the IPA and AD providers, default is `true`.
> * New option `krb5_check_pac` to control the PAC validation behavior.
> * multiple `crl_file` arguments can be used in the `certificate_verification` option.

I updated my Fedora 36 desktop a few minutes ago, which installed the new sssd and related packages. I rebooted since a new kernel was also installed. When I tried to log in to GNOME, I got an error. I used a local account to get in and to check my freeipa user account. The pwd worked fine on my other machines and on the web UI. I poked around some more and found this in krb5_child.log:

(2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020): [RID#196] PAC check failed for principal [[email protected]].
(2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-08 0:43:37): [krb5_child[9120]] [validate_tgt] (0x0020): [RID#196] PAC check failed for principal [[email protected]].
* (2022-06-08 0:43:37): [krb5_child[9120]] [get_and_save_tgt] (0x0020): [RID#196] 2045: [1432158308][Unknown code UUz 100]
********************** BACKTRACE DUMP ENDS HERE *********************************

There's more before that. I also saw this in sssd's journal (it's in reverse):

Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication failed
Jun 08 00:29:21 host.domain.tld krb5_child[2270952]: Preauthentication failed
Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication failed
Jun 08 00:29:07 host.domain.tld krb5_child[2270889]: Preauthentication failed
Jun 08 00:29:01 host.domain.tld krb5_child[2270848]: Unknown code UUz 100
Jun 08 00:28:52 host.domain.tld krb5_child[2270818]: Unknown code UUz 100
Jun 08 00:28:45 host.domain.tld krb5_child[2270782]: Unknown code UUz 100
Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 2
Jun 08 00:15:15 host.domain.tld sssd_be[2249888]: GSSAPI client step 1
Jun 08 00:15:15 host.domain.tld systemd[1]: Started sssd.service - System Security Services Daemon.

No amount of reboots or sssd restarts fixed the problem, so I downgraded all of the sssd related packages. After that was done, I was able to log in again.

Do I have a misconfiguration or is it a bug?

-- 
Ranbir
