[Pkg-freeipa-devel] Bug#1034659: freeipa-client: IPA client Kerberos configuration incompatible with java

Timo Aaltonen tjaalton at debian.org
Fri Apr 21 08:14:11 BST 2023


Timo Aaltonen wrote on 21.4.2023 at 9.59:
> Mathieu Baudier wrote on 21.4.2023 at 7.19:
>> Package: freeipa-client
>> Version: 4.9.11-1
>> Severity: normal
>>
>> Dear Maintainer,
>>
>>
>> on a host enrolled as an IPA client, Kerberos is not usable in Java.
>>
>> The error message is:
>>    KrbException: krb5.conf loading failed
>>
>> (please find simple steps to reproduce below)
>>
>> After debugging step by step, I found out that this is due to the fact
>> that the following Kerberos configuration directory
>> /var/lib/sss/pubconf/krb5.include.d/
>> ends up being included twice and that Java rejects multiple includes 
>> of the same directory.
>>
>> This directory is included:
>>
>> - in the configuration file /etc/krb5.conf.d/enable_sssd_conf_dir
>> which is deployed by the installation of the *package* freeipa-client
>> (probably indirectly by one of the sssd packages?)
>>
>> - in the configuration file /etc/krb5.conf
>> which is generated by the ipa-client-install procedure
>>
>> As a workaround, commenting out the includedir line in
>> /etc/krb5.conf.d/enable_sssd_conf_dir
>> (or completely removing this file, since it contains only this line)
>> solves the problem.
>>
>> Please note that:
>> - the issue occurs with Java 17, 11 and 21 (and most likely other 
>> available Java versions)
>> - the issue does NOT occur on bullseye with freeipa-client from backports
>> (which we have been using in production for a while)
>>
>> In order to reproduce (on a host enrolled as an IPA client), using the 
>> standard Java JAAS Kerberos example:
>> https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html
>> (just copy JaasAcn.java and jaas.conf in the same directory; no need 
>> to compile)
>>
>> $ /usr/lib/jvm/java-17-openjdk-amd64/bin/java 
>> -Djava.security.auth.login.config=jaas.conf JaasAcn.java
>> Kerberos username [mbaudier]:
>> Authentication failed:
>>    KrbException: krb5.conf loading failed
>>
>> And the workaround:
>>
>> $ sudo mv /etc/krb5.conf.d/enable_sssd_conf_dir /tmp
>>
>> $ /usr/lib/jvm/java-17-openjdk-amd64/bin/java 
>> -Djava.security.auth.login.config=jaas.conf JaasAcn.java
>> Kerberos username [mbaudier]:
>> Kerberos password for mbaudier:
>> Authentication succeeded!
> 
> Hi,
> 
> Okay, so it got added to sssd due to
> 
> https://github.com/SSSD/sssd/issues/5893
> 
> so I wonder if ipa should stop doing the same, and remove the line from 
> krb5.conf on upgrade.

Seems this is filed upstream already at

https://pagure.io/freeipa/issue/9267

but no fix available yet, so it needs to be fixed downstream first.

-- 
t
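A check for the double include the report describes, added here as an example (it is not from the bug report, nor from the freeipa or sssd packaging). It assumes the layout the report names, /etc/krb5.conf plus a drop-in directory containing enable_sssd_conf_dir, and builds constructed sample files in a temporary directory instead of touching the host's real configuration.

```shell
#!/bin/sh
# Added example: find a directory that krb5.conf and its drop-ins pull in more
# than once via "includedir". That duplicate is what the report identifies as
# the cause of Java's "KrbException: krb5.conf loading failed".

# find_duplicate_includedirs MAIN_CONF DROPIN_DIR
# Prints every includedir target that appears more than once, one per line.
find_duplicate_includedirs() {
    main_conf=$1
    dropin_dir=$2
    # Gather the targets of uncommented includedir lines from krb5.conf and
    # from each drop-in file, normalise trailing slashes, then report repeats.
    { cat "$main_conf"; cat "$dropin_dir"/* 2>/dev/null; } |
        sed -n 's/^[[:space:]]*includedir[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' |
        sed 's:/*$::' |
        sort | uniq -d
}

# Constructed sample mirroring the reported layout; on an enrolled host the
# real files are /etc/krb5.conf and /etc/krb5.conf.d/enable_sssd_conf_dir.
demo=$(mktemp -d)
mkdir -p "$demo/krb5.conf.d"
cat > "$demo/krb5.conf" <<EOF
includedir $demo/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = EXAMPLE.TEST
EOF
printf 'includedir /var/lib/sss/pubconf/krb5.include.d/\n' \
    > "$demo/krb5.conf.d/enable_sssd_conf_dir"

dups=$(find_duplicate_includedirs "$demo/krb5.conf" "$demo/krb5.conf.d")
if [ -n "$dups" ]; then
    echo "included more than once (Java rejects this krb5.conf):"
    echo "$dups"
else
    echo "no duplicate includedir entries"
fi
rm -rf "$demo"
```

Run against the real files with `find_duplicate_includedirs /etc/krb5.conf /etc/krb5.conf.d`; empty output means the workaround (or a fixed package) has taken effect.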
