[Bug 280407] Authentication fails when using pam_krb5.so

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 22 Jul 2024 14:04:00 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280407

            Bug ID: 280407
           Summary: Authentication fails when using pam_krb5.so
           Product: Base System
           Version: 13.3-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: anderson.soares@embrapa.br

Since I've upgraded one of our servers from FreeBSD 13.2 to 13.3, our users are
getting authentication errors when they try to use our web proxy service, which
authenticates users against the pam_krb5 module.
Using the pamtester utility and enabling pam_krb5 debug, I could confirm that
authentication is failing every time pam_krb5 is called. I also noticed the
following messages in the debug log:

Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_user(): entering
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): entering: PAM_USER
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): returning PAM_SUCCESS
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_user(): returning PAM_SUCCESS
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Got user: anderson
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): entering: PAM_RUSER
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): returning PAM_SUCCESS
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Got ruser: (null)
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): entering: PAM_SERVICE
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_get_item(): returning PAM_SUCCESS
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Got service: squid
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Context initialised
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_get_option(): entering: 'debug'
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_get_option(): returning ''
Jul 22 10:09:54 vm3 pam_krb5[27135]: in openpam_get_option(): entering: 'allow_kdc_spoof'
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Done cleanup4
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Done cleanup5
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_get_option(): entering: 'no_warn'
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_get_option(): returning ''
Jul 22 10:09:54 vm3 pamtester[27135]: in pam_sm_authenticate(): Done cleanup6
Jul 22 10:09:54 vm3 pamtester[27135]: in openpam_dispatch(): /usr/lib/pam_krb5.so.6: pam_sm_authenticate(): Error in service module
Jul 22 10:09:54 vm3 pam_krb5[27135]: in openpam_get_option(): returning NULL

The problem seems to be related to pam_krb5, since Kerberos authentication using
the kinit utility works fine. Supposing that the problem could be caused by
some error in the service configuration file, I've tried different PAM service
configurations, but none of them solved the problem. Further tests have shown that
even the default system service configuration fails when the pam_krb5 line is
uncommented. This is the PAM service file I'm using:

auth            required        pam_krb5.so             debug no_warn try_first_pass no_ccache no_user_check
account         required        pam_permit.so
session         required        pam_lastlog.so          no_fail
password        required        pam_deny.so


As additional information, I've also tested the same configuration on the
14.0 and 14.1 releases, and the same error occurs in both versions.

Best regards,

Anderson
