Hello Alexander, all packages should be current with default RHEL configuration:
krb5-workstation-1.18.2-26.el8_9.x86_64
krb5-pkinit-1.18.2-26.el8_9.x86_64
sssd-krb5-2.9.1-4.el8_9.x86_64
krb5-libs-1.18.2-26.el8_9.x86_64
krb5-server-1.18.2-26.el8_9.x86_64
sssd-krb5-common-2.9.1-4.el8_9.x86_64
cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 restrict_anonymous_to_tgt = true
 spake_preauth_kdc_challenge = edwards25519
[realms]
 ID.EXAMPLE.COM = {
  master_key_type = aes256-cts
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  default_principal_flags = +preauth
  ; admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  pkinit_identity = FILE:/var/kerberos/krb5kdc/kdc.crt,/var/kerberos/krb5kdc/kdc.key
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/kdc.crt
  pkinit_anchors = FILE:/var/kerberos/krb5kdc/cacert.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  pkinit_indicator = pkinit
  spake_preauth_indicator = hardened
  encrypted_challenge_indicator = hardened
 }
[libdefaults]
 spake_preauth_kdc_challenge = edwards25519

/etc/krb5.conf and conf.d are in the attached file. I do not see disable_pac anywhere.

Thank you,
Rasto
The error below tells that a user ticket did not have a PAC associated:

Jan 11 17:41:35 ipa7.id.example.com krb5kdc[1230](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/[email protected] for ldap/[email protected], KDC policy rejects request

Can you also share your client and server's Kerberos configurations? configs and which rpms are used.

It looks like either SID is missing in the user account and KDC is forced to ignore that (disable_pac = true in the realm configuration in kdc.conf). Or some flags are set on IPA services to force ignoring PAC checks. PAC presence is required for constrained delegation operations and we now enforce it for krb5 1.18 as well.
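Two of the checks the message above points to, as an added example that is not code from this thread or from FreeIPA: a reader that reports which realms in kdc.conf set disable_pac = true (skipping commented-out lines), and a filter that pulls the S4U2Proxy requests rejected for a missing PAC out of krb5kdc log lines. The configuration fragment, hosts, principals and log lines are constructed.

```python
import re

# Constructed kdc.conf fragment (not the poster's file): disable_pac is commented out in one realm, active in the other.
SAMPLE_KDC_CONF = """\
[realms]
 ID.EXAMPLE.COM = {
  ; disable_pac = true
 }
 OTHER.EXAMPLE.COM = {
  disable_pac = true
 }
"""

# Constructed krb5kdc lines shaped like the one quoted above (placeholder hosts and principals).
SAMPLE_LOG = [
    "Jan 11 17:41:35 kdc.example.test krb5kdc[1230](info): TGS_REQ (1 etypes "
    "{aes256-cts-hmac-sha1-96(18)}) 10.112.65.75: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: "
    "authtime 1704991295, etypes {rep=UNSUPPORTED:(0)} HTTP/web.example.test@EXAMPLE.TEST "
    "for ldap/dir.example.test@EXAMPLE.TEST, KDC policy rejects request",
    "Jan 11 17:41:36 kdc.example.test krb5kdc[1230](info): AS_REQ (1 etypes "
    "{aes256-cts-hmac-sha1-96(18)}) 10.112.65.75: ISSUE: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST",
]

def realms_with_disable_pac(conf_text):
    """Realms whose [realms] stanza sets disable_pac = true; minimal reader for the
    krb5 profile syntax ([section], 'name = {' ... '}', key = value, ';' comments)."""
    in_realms, realm, hits = False, None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            in_realms, realm = line == "[realms]", None
        elif in_realms and line.endswith("{"):
            realm = line[:-1].strip(" =")    # 'ID.EXAMPLE.COM = {' -> 'ID.EXAMPLE.COM'
        elif line == "}":
            realm = None
        elif realm:
            key, _, value = line.partition("=")
            if key.strip() == "disable_pac" and value.strip().lower() == "true":
                hits.append(realm)
    return hits

# One rejected S4U2Proxy request -> (client ip, proxying service, target service).
PAC_REJECT = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): TGS_REQ .*? (?P<ip>[\d.]+): "
    r"S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: .*? (?P<proxy>\S+) for (?P<target>\S+), "
    r"KDC policy rejects request")

def pac_rejections(log_lines):
    return [(m["ip"], m["proxy"], m["target"]) for m in map(PAC_REJECT.search, log_lines) if m]
```

Run it against the real /var/kerberos/krb5kdc/kdc.conf and /var/log/krb5kdc.log on the IPA server to see both which realm disables the PAC and which proxying service is hitting the rejection.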
krb5.tar.gz
