[Bug 280407] Authentication fails when using pam_krb5.so
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 280407] Authentication fails when using pam_krb5.so"
Date: Fri, 26 Jul 2024 20:40:27 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280407

--- Comment #5 from Dag-Erling Smørgrav <des@FreeBSD.org> ---
First, “required” vs “sufficient” is a red herring. The module is returning an error.

Second, it isn't true that the only change between 13.2 and 13.3 is 27968aa02206. Here is the complete list:

https://cgit.freebsd.org/src/commit/?id=6322a6c9daaa
https://cgit.freebsd.org/src/commit/?id=d295e418ae7e
https://cgit.freebsd.org/src/commit/?id=3d497e17ebd3
https://cgit.freebsd.org/src/commit/?id=27968aa02206

We can see from the log that pam_sm_authenticate() is querying the allow_kdc_spoof option. This tells us that it failed to authenticate the KDC. Since the allow_kdc_spoof option is not set, it therefore refuses to authenticate the user. This check was added by the first commit in the list above, and amended by the second.

Anderson, you need to either add the allow_kdc_spoof option to your PAM policy (see the link below for documentation) or ensure that the endpoint has a keytab with the KDC's key in it.

https://man.freebsd.org/cgi/man.cgi?query=pam_krb5&manpath=FreeBSD+13.3-RELEASE

--
You are receiving this mail because:
You are the assignee for the bug.
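
An added example, not part of the bug comment or of FreeBSD's code: a shell function that lists the active pam_krb5 lines in a pam.d-style policy file and reports, for each, whether allow_kdc_spoof is set or, if it is not, whether a keytab file exists. The function names, verdict strings, the constructed sample policy and the /etc/krb5.keytab default path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report). Audits a pam.d-style policy file
# (columns: facility, control, module, options) for pam_krb5 entries.

# audit_pam_krb5 POLICY_FILE [KEYTAB]
# Prints "<facility> <control> <verdict>" for every active pam_krb5 line:
#   spoof-check-disabled  allow_kdc_spoof is set, so the KDC is not verified
#   keytab-present        KDC verification is on and a keytab file exists
#   keytab-missing        KDC verification is on but there is no keytab file
audit_pam_krb5() {
    policy=$1
    keytab=${2:-/etc/krb5.keytab}    # assumed default keytab location
    if [ -s "$keytab" ]; then have_keytab=1; else have_keytab=0; fi
    awk -v kt="$have_keytab" '
        NF == 0 || $1 ~ /^#/ { next }           # skip blank and commented lines
        {
            mod = $3
            sub(/.*\//, "", mod)                # drop any directory prefix
            if (mod != "pam_krb5" && mod !~ /^pam_krb5\.so/) next
            spoof = 0
            for (i = 4; i <= NF; i++)
                if ($i == "allow_kdc_spoof") spoof = 1
            if (spoof)        verdict = "spoof-check-disabled"
            else if (kt == 1) verdict = "keytab-present"
            else              verdict = "keytab-missing"
            print $1, $2, verdict
        }
    ' "$policy"
}

# Constructed sample policy for trying the function; not taken from the report.
sample_policy() {
    cat <<'EOF'
# auth
auth		sufficient	pam_krb5.so		no_warn try_first_pass
auth		sufficient	/usr/lib/pam_krb5.so	no_warn try_first_pass allow_kdc_spoof
#auth		sufficient	pam_krb5.so		no_warn allow_kdc_spoof
auth		required	pam_unix.so		no_warn try_first_pass nullok
EOF
}
```

A `keytab-present` verdict only says the file exists and is non-empty; whether it holds the right key still has to be checked with the Kerberos tools on the host.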