[Pkg-freeipa-devel] Bug#1034659: freeipa-client: IPA client Kerberos configuration incompatible with java
Mathieu Baudier
mbaudier at argeo.org
Fri Apr 21 05:19:39 BST 2023
Package: freeipa-client
Version: 4.9.11-1
Severity: normal
Dear Maintainer,
On a host enrolled as an IPA client, Kerberos is not usable in Java.
The error message is:
KrbException: krb5.conf loading failed
(please find simple steps to reproduce below)
After debugging step by step, I found out that this is due to the fact
that the following Kerberos configuration directory
/var/lib/sss/pubconf/krb5.include.d/
ends up being included twice and that Java rejects multiple includes of the same directory.
This directory is included:
- in the configuration file /etc/krb5.conf.d/enable_sssd_conf_dir
which is deployed by the installation of the *package* freeipa-client
(probably indirectly by one of the sssd packages?)
- in the configuration file /etc/krb5.conf
which is generated by the ipa-client-install procedure
As a workaround, commenting out the includedir line in
/etc/krb5.conf.d/enable_sssd_conf_dir
(or completely removing this file, since it contains only this line)
solves the problem.
Please note that:
- the issue occurs with Java 17, 11 and 21 (and most likely other available Java versions)
- the issue does NOT occur on bullseye with freeipa-client from backports
(which we have been using in production for a while)
In order to reproduce (on a host enrolled as an IPA client), using the standard Java JAAS Kerberos example:
https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html
(just copy JaasAcn.java and jaas.conf in the same directory; no need to compile)
$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Authentication failed:
KrbException: krb5.conf loading failed
And the workaround:
$ sudo mv /etc/krb5.conf.d/enable_sssd_conf_dir /tmp
$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Kerberos password for mbaudier:
Authentication succeeded!
-- System Information:
Debian Release: 12.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.14.0-162.23.1.el9_1.x86_64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages freeipa-client depends on:
ii bind9-dnsutils [dnsutils] 1:9.18.13-1
ii bind9-utils 1:9.18.13-1
ii certmonger 0.79.17-2
ii curl 7.88.1-9
ii dnsutils 1:9.18.13-1
ii freeipa-common 4.9.11-1
ii krb5-user 1.20.1-1+b1
ii libc6 2.36-9
ii libcom-err2 1.47.0-2
ii libcurl4 7.88.1-9
ii libini-config5 0.6.2-1
ii libjansson4 2.14-2
ii libk5crypto3 1.20.1-1+b1
ii libkrb5-3 1.20.1-1+b1
ii libldap-2.5-0 2.5.13+dfsg-5
ii libnss-sss 2.8.2-4
ii libnss3-tools 2:3.89-2
ii libpam-sss 2.8.2-4
ii libpopt0 1.19+dfsg-1
ii libsasl2-modules-gssapi-mit 2.1.28+dfsg-11
ii libssl3 3.0.8-1
ii libsss-sudo 2.8.2-4
ii oddjob-mkhomedir 0.34.7-1+b2
ii python3 3.11.2-1+b1
ii python3-dnspython 2.3.0-1
ii python3-gssapi 1.8.2-1+b1
ii python3-ipaclient 4.9.11-1
ii python3-ldap 3.4.3-2+b2
ii python3-sss 2.8.2-4
ii sssd 2.8.2-4
Versions of packages freeipa-client recommends:
ii chrony 4.3-2
Versions of packages freeipa-client suggests:
pn libpam-krb5 <none>
-- no debconf information
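Added check, not part of the report: a small Python script that follows krb5.conf include/includedir directives the way MIT krb5 does and reports any target that is reached more than once, which is the condition that makes Java's krb5.conf loader fail. The files it inspects are a constructed copy of the layout described in the report (krb5.conf, krb5.conf.d/enable_sssd_conf_dir and the sss include directory), created under a temporary root.

```python
# Walk krb5.conf include/includedir directives and report any target reached twice.
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*(include|includedir)\s+(\S+)")
# MIT krb5 loads only includedir entries named with [A-Za-z0-9_-] (newer: ".conf" too)
INCLUDABLE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.conf)?")

def walk_krb5_includes(conf_path, counts=None):
    """Recursively follow includes from conf_path; return {target: times reached}."""
    counts = {} if counts is None else counts
    if not os.path.isfile(conf_path):
        return counts  # krb5 ignores a missing include file; so do we
    with open(conf_path) as fh:
        for m in filter(None, map(INCLUDE_RE.match, fh)):
            kind, target = m.group(1), os.path.normpath(m.group(2))  # "/d/" == "/d"
            counts[target] = counts.get(target, 0) + 1
            if counts[target] > 1:
                continue  # already walked; just record the repeat
            if kind == "include":
                walk_krb5_includes(target, counts)
            elif os.path.isdir(target):
                for name in sorted(os.listdir(target)):
                    if INCLUDABLE_NAME.fullmatch(name):
                        walk_krb5_includes(os.path.join(target, name), counts)
    return counts

def duplicate_includes(conf_path):
    """Targets included more than once: the condition Java's krb5.conf loader rejects."""
    return sorted(t for t, n in walk_krb5_includes(conf_path).items() if n > 1)

def build_sample_layout(root):
    """Constructed copy of the layout from the report, rooted under `root`."""
    conf_d = os.path.join(root, "etc", "krb5.conf.d")
    sss_dir = os.path.join(root, "var", "lib", "sss", "pubconf", "krb5.include.d")
    os.makedirs(conf_d)
    os.makedirs(sss_dir)
    with open(os.path.join(root, "etc", "krb5.conf"), "w") as fh:  # as ipa-client-install writes it
        fh.write(f"includedir {conf_d}/\nincludedir {sss_dir}/\n\n[libdefaults]\n")
    with open(os.path.join(conf_d, "enable_sssd_conf_dir"), "w") as fh:  # shipped by the package
        fh.write(f"includedir {sss_dir}/\n")
    return os.path.join(root, "etc", "krb5.conf")

def demo():
    """Run the check on the constructed layout; results are made relative to the root."""
    with tempfile.TemporaryDirectory() as root:
        dups = duplicate_includes(build_sample_layout(root))
        return [os.path.relpath(d, root) for d in dups]
```

Pointing `duplicate_includes("/etc/krb5.conf")` at an affected host is expected to list the sss include directory until one of the two includedir lines is removed, and nothing once the workaround is applied.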