[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC"
Date: Wed, 21 Dec 2022 04:20:43 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #40 from Cy Schubert <cy@FreeBSD.org> ---
(In reply to amendlik from comment #39)

I haven't reached any conclusions yet. I don't know if FreeBSD Heimdal is at fault. It could be. Even if it is, there is no quick solution. The progress with the 7.8.0 project has been slow due to numerous regressions. If I had to guess I'd say it might be ready by summer 2023.

In the meantime we need to find a workaround. Rather than use pam_krb5 from ports (which will require patching openssh with the attached patch), let's try something less involved.

Let's install openssh-portable-gssapi. (I hadn't realized that openssh-portable was converted to using flavors instead of static compiled-in options.) This will give me the same information as patching the base O/S and installing pam_krb5 package. All we need to do is isolate the problem to FreeBSD or not. This will tell us that.

Let me reiterate that OpenSSH 7.8.0 is far from ready to import into FreeBSD. There are too many regressions that need to be addressed first (like ftpd allowing logins from Kerberos accounts with incorrect password when no TGT is presented). The reason for this are two shims created years ago to translate tickets call Heimdal functions that have radically changed. Functions that no longer take tickets as arguments, taking principals instead. Something is lost in the translation. You can understand why this is taking as long as it is.

--
You are receiving this mail because:
You are the assignee for the bug.