[Pkg-freeipa-devel] Bug#1034659: Bug#1034659: freeipa-client: IPA client Kerberos configuration incompatible with java

Timo Aaltonen tjaalton at debian.org
Fri Apr 21 07:59:30 BST 2023


Mathieu Baudier wrote on 21.4.2023 at 7.19:
> Package: freeipa-client
> Version: 4.9.11-1
> Severity: normal
> 
> Dear Maintainer,
> 
> 
> On a host enrolled as an IPA client, Kerberos is not usable in Java.
> 
> The error message is:
>    KrbException: krb5.conf loading failed
> 
> (please find simple steps to reproduce below)
> 
> After debugging step by step, I found out that this is due to the fact
> that the following Kerberos configuration directory
> /var/lib/sss/pubconf/krb5.include.d/
> ends up being included twice and that Java rejects multiple includes of the same directory.
> 
> This directory is included:
> 
> - in the configuration file /etc/krb5.conf.d/enable_sssd_conf_dir
> which is deployed by the installation of the *package* freeipa-client
> (probably indirectly by one of the sssd packages?)
> 
> - in the configuration file /etc/krb5.conf
> which is generated by the ipa-client-install procedure
> 
> As a workaround, commenting out the includedir line in
> /etc/krb5.conf.d/enable_sssd_conf_dir
> (or completely removing this file, since it contains only this line)
> solves the problem.
> 
> Please note that:
> - the issue occurs with Java 17, 11 and 21 (and most likely other available Java versions)
> - the issue does NOT occur on bullseye with freeipa-client from backports
> (which we have been using in production for a while)
> 
> In order to reproduce (on a host enrolled as an IPA client), using the standard Java JAAS Kerberos example:
> https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html
> (just copy JaasAcn.java and jaas.conf in the same directory; no need to compile)
> 
> $ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
> Kerberos username [mbaudier]:
> Authentication failed:
>    KrbException: krb5.conf loading failed
> 
> And the workaround:
> 
> $ sudo mv /etc/krb5.conf.d/enable_sssd_conf_dir /tmp
> 
> $ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
> Kerberos username [mbaudier]:
> Kerberos password for mbaudier:
> Authentication succeeded!

Hi,

Okay, so it got added to sssd due to

https://github.com/SSSD/sssd/issues/5893

so I wonder if ipa should stop doing the same, and remove the line from 
krb5.conf on upgrade.


-- 
t
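The failure described in this thread is a file being reached twice through the krb5.conf include graph: /etc/krb5.conf (as written by ipa-client-install) and the sssd drop-in /etc/krb5.conf.d/enable_sssd_conf_dir both name /var/lib/sss/pubconf/krb5.include.d, MIT libkrb5 tolerates that, and the JDK's loader does not. The script below is an added example for checking a host for this condition; it is not code from the report, freeipa or sssd. It follows `include` and `includedir` directives from a root file outward and counts how often each file is reached. The file contents in SAMPLE_FILES, the EXAMPLE.TEST realm and all function names are constructed for the example; the rule for which names inside an includedir count (MIT's alphanumerics, dashes and underscores) is assumed to be what matters for the JDK too, which the report does not state.

```python
"""Check a krb5.conf include tree for files that are included more than once.

Added example for this bug thread; not code from the report, freeipa or sssd.
It walks `include FILE` and `includedir DIR` directives from the root file
outward. MIT libkrb5 tolerates a file being pulled in twice (so kinit keeps
working on the affected host), while the JDK's loader rejects it with
"krb5.conf loading failed", as the report shows.
"""
import os
import re
import sys
from collections import Counter

# Which files inside an includedir are read: MIT krb5 only reads names made of
# alphanumerics, dashes and underscores. Assumed here to be equivalent to the
# JDK's filter for this purpose; the bug report does not state the JDK rule.
_INCLUDEDIR_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def walk_includes(root, read_file, list_dir):
    """Return every file reached from `root`, in order, repeats kept.

    read_file(path) -> str and list_dir(directory) -> [name, ...] are injected
    so the same walk runs against the real filesystem or an in-memory one.
    """
    visits = []
    expanded = set()  # files whose directives were already followed

    def visit(path):
        path = os.path.normpath(path)
        visits.append(path)
        if path in expanded:  # a repeat: record it, but do not loop forever
            return
        expanded.add(path)
        for raw in read_file(path).splitlines():
            line = raw.strip()
            if line.startswith("include "):
                visit(line[len("include "):].strip())
            elif line.startswith("includedir "):
                directory = os.path.normpath(line[len("includedir "):].strip())
                for name in sorted(list_dir(directory)):
                    if _INCLUDEDIR_NAME.match(name):
                        visit(os.path.join(directory, name))

    visit(root)
    return visits


def duplicate_includes(root, read_file, list_dir):
    """Map each file reached more than once to the number of times it is reached."""
    counts = Counter(walk_includes(root, read_file, list_dir))
    return {path: n for path, n in sorted(counts.items()) if n > 1}


def make_mem_fs(files):
    """Build (read_file, list_dir) over a dict of path -> content, for offline use."""
    def read_file(path):
        return files[os.path.normpath(path)]

    def list_dir(directory):
        directory = os.path.normpath(directory)
        return [os.path.basename(p) for p in files if os.path.dirname(p) == directory]

    return read_file, list_dir


# Constructed stand-in for the layout the report describes: /etc/krb5.conf as
# written by ipa-client-install and the sssd drop-in both name the same
# includedir (with and without a trailing slash, to show normalisation).
# File contents and the EXAMPLE.TEST realm are made up for this example.
SAMPLE_FILES = {
    "/etc/krb5.conf": (
        "includedir /etc/krb5.conf.d/\n"
        "includedir /var/lib/sss/pubconf/krb5.include.d/\n"
        "\n"
        "[libdefaults]\n"
        "  default_realm = EXAMPLE.TEST\n"
    ),
    "/etc/krb5.conf.d/enable_sssd_conf_dir": (
        "includedir /var/lib/sss/pubconf/krb5.include.d\n"
    ),
    "/var/lib/sss/pubconf/krb5.include.d/domain_realm_example_test": (
        "[domain_realm]\n  .example.test = EXAMPLE.TEST\n"
    ),
    "/var/lib/sss/pubconf/krb5.include.d/localauth_plugin": (
        "# constructed placeholder for the sssd localauth plugin stanza\n"
    ),
}


if __name__ == "__main__":
    # Against the live host: optional argument is the root krb5.conf path.
    # A missing includedir raises here; that is itself a configuration error
    # worth surfacing rather than hiding.
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.conf"
    dups = duplicate_includes(root, lambda p: open(p, encoding="utf-8").read(), os.listdir)
    for path, n in dups.items():
        print(f"{path}: included {n} times")
    sys.exit(1 if dups else 0)
```

On the constructed sample, both files under /var/lib/sss/pubconf/krb5.include.d are reported as included twice; dropping the enable_sssd_conf_dir entry (the workaround in the report) makes the check come back clean. The directive targets are normalised before comparison, since the two includedir lines on a real host need not agree on a trailing slash to refer to the same directory.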
