Public bug reported:

The trend for krb ccaches is to not use/set a KRB5CCNAME on login.
Ubuntu 22.04 is unable to perform authentication using the pam_sss_gss when a valid ccache is set up with credentials.

networkuser@u2204host:~$ klist
Ticket cache: FILE:/run/user/1234567890/krb5cc
Default principal: NETWORKUSER@REALM
[valid creds listed here]

networkuser@u2204host:~$ sudo -i
pam_sss_gss: sss_cli_getenv() call failed [2]: No such file or directory
pam_sss_gss: User not found
Please insert smart card
Please (re)insert (different) Smartcard
Please (re)insert (different) Smartcard
sudo: a password is required

This is fixed in sssd upstream in sss_cli_getenv(). It appears that the sssd package is missing the following simple patch.

https://github.com/SSSD/sssd/commit/9aad30711a5928f0e8a3627305b6449291de507f

This should be a simple fix. I'm able to test PPA packages.

This is blocking for multi-factor-authentication enforcement deployment and critical to all orgs that need MFA deployed on all U22.04 systems. I'm not flagging this as a security vulnerability, but it does track as MFA enforcement can't be enabled until this is resolved and considered a vulnerability by NIST policy.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: sssd 2.6.3-1ubuntu3.4
ProcVersionSignature: Ubuntu 5.15.0-134.145-generic 5.15.173
Uname: Linux 5.15.0-134-generic x86_64
NonfreeKernelModules: yfs
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Wed Mar 19 09:35:14 2025
InstallationDate: Installed on 2023-11-20 (484 days ago)
InstallationMedia: Ubuntu-Server 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230810)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy uec-images

** Description changed:

- The trend for krb ccaches is to not use/set a KRB5CCNAME on login. Ubuntu 22.04 is unable to perform authentication using the pam_sss_gss when a valid ccache is setup with credentials. networkuser@u2204host:~$ klist - Ticket cache: FILE:/run/user/966406121/krb5cc - Default principal: [email protected] + Ticket cache: FILE:/run/user/1234567890/krb5cc + Default principal: NETWORKUSER@REALM [valid creds listed here] networkuser@u2204host:~$ sudo -i pam_sss_gss: sss_cli_getenv() call failed [2]: No such file or directory pam_sss_gss: User not found Please insert smart card Please (re)insert (different) Smartcard Please (re)insert (different) Smartcard sudo: a password is required - - This is fixed in sssd upstream in sss_cli_getenv(). It appears that the sssd package is missing the following simple patch. + This is fixed in sssd upstream in sss_cli_getenv(). It appears that the + sssd package is missing the following simple patch. https://github.com/SSSD/sssd/commit/9aad30711a5928f0e8a3627305b6449291de507f This should be a simple fix. I'm able to test PPA packages. 
This is blocking for multi-factor-authentication enforcement deployment and critical to all orgs that need MFA deployed on all U22.04 systems. I'm not flagging this as a security vulnerability, but it does track as MFA enforcement can't be enabled until this is resolved and considered a vulnerability by NIST policy. ProblemType: Bug DistroRelease: Ubuntu 22.04 Package: sssd 2.6.3-1ubuntu3.4 ProcVersionSignature: Ubuntu 5.15.0-134.145-generic 5.15.173 Uname: Linux 5.15.0-134-generic x86_64 NonfreeKernelModules: yfs ApportVersion: 2.20.11-0ubuntu82.6 Architecture: amd64 CasperMD5CheckResult: pass CloudArchitecture: x86_64 CloudID: none CloudName: none CloudPlatform: none CloudSubPlatform: config Date: Wed Mar 19 09:35:14 2025 InstallationDate: Installed on 2023-11-20 (484 days ago) InstallationMedia: Ubuntu-Server 22.04.3 LTS "Jammy Jellyfish" - Release amd64 (20230810) ProcEnviron: - TERM=xterm-256color - PATH=(custom, no user) - LANG=en_US.UTF-8 - SHELL=/bin/bash + TERM=xterm-256color + PATH=(custom, no user) + LANG=en_US.UTF-8 + SHELL=/bin/bash SourcePackage: sssd UpgradeStatus: No upgrade log present (probably fresh install)

--
https://bugs.launchpad.net/bugs/2103623

Title:
  pam_sss_gss fails to work when KRB5CCNAME is not set - missing upstream patch
