The pam_krb5.so module is adding a second @DOMAIN to the request when canonicalize = true in /etc/krb5.conf, causing a "Malformed representation of principal".
I believe this is the code that's broken here --> https://pagure.io/pam_krb5/blob/master/f/src/v5.c#_1839-1853
EXAMPLE OF THE BUG:
SUCCESS (canonicalize = false in /etc/krb5.conf):
pam_krb5[6127]: keytab: FILE:/etc/krb5.keytab
pam_krb5[6127]: token strategy: v4,524,2b,rxk5
pam_krb5[6127]: called to authenticate 'brad.allison', realm 'CORP.MYDOMAIN.COM'
pam_krb5[6127]: authenticating 'brad.allison@CORP.MYDOMAIN.COM'
pam_krb5[6127]: saving newly-entered password for use by other modules
pam_krb5[6127]: trying newly-entered password for 'brad.allison', allowing libkrb5 to prompt for more
pam_krb5[6127]: authenticating 'brad.allison@CORP.MYDOMAIN.COM' to 'krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM'
pam_krb5[6127]: krb5_get_init_creds_password(krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM) returned 0 (Success)
pam_krb5[6127]: validating credentials
pam_krb5[6127]: TGT verified using key for 'host/myhost.corp.mydomain.com@CORP.MYDOMAIN.COM'
FAILED (canonicalize = true in /etc/krb5.conf):
pam_krb5[6127]: keytab: FILE:/etc/krb5.keytab
pam_krb5[6127]: token strategy: v4,524,2b,rxk5
pam_krb5[6127]: called to authenticate 'brad.allison', realm 'CORP.MYDOMAIN.COM'
pam_krb5[6127]: authenticating 'brad.allison\@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM'
pam_krb5[6127]: saving newly-entered password for use by other modules
pam_krb5[6127]: trying newly-entered password for 'brad.allison', allowing libkrb5 to prompt for more
pam_krb5[6127]: authenticating 'brad.allison\@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM' to 'krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM'
pam_krb5[6127]: krb5_get_init_creds_password(krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM) returned -1765328250 (Malformed representation of principal)
pam_krb5[6127]: got result -1765328250 (Malformed representation of principal)
pam_krb5[6127]: authentication fails for 'brad.allison' (brad.allison\@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM): Authentication failure (Malformed representation of principal)
pam_krb5[6127]: pam_authenticate returning 7 (Authentication failure)
pam_krb5[6127]: default/local realm 'CORP.MYDOMAIN.COM'
pam_krb5[6127]: configured realm 'CORP.MYDOMAIN.COM'
Here's how I'm testing the canonicalize = true in /etc/krb5.conf:
[appdefaults]
 pam = {
  forwardable = true
  validate = true
  debug = true
  canonicalize = true
 }
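An added example, not code from this ticket or from pam_krb5: a small Python check that applies libkrb5's principal quoting rules (a backslash escapes `@` and `/`) to the principal strings in pam_krb5 debug lines. It shows why the client principal with `\@` still parses (the realm has simply been folded into the name component) while the krbtgt principal with two bare `@` is the one libkrb5 rejects as malformed, and it flags both patterns in a log. The sample lines are constructed after the ones in the report.

```python
import re

# Constructed sample, modelled on the debug lines in the report: one good line
# (canonicalize = false) and one line showing the doubled realm (canonicalize = true).
SAMPLE_LOG = """\
pam_krb5[6127]: authenticating 'brad.allison@CORP.MYDOMAIN.COM' to 'krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM'
pam_krb5[6127]: authenticating 'brad.allison\\@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM' to 'krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM'
"""

def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm), honouring backslash escapes.
    A second unescaped '@' is what libkrb5 reports as
    'Malformed representation of principal', so raise ValueError for it."""
    comps, buf, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):   # escaped character is literal
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == '@':
            if in_realm:
                raise ValueError("Malformed representation of principal: " + text)
            comps.append(''.join(buf))
            buf, in_realm = [], True
        elif ch == '/' and not in_realm:       # '/' separates components only before the realm
            comps.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return comps, ''.join(buf)
    comps.append(''.join(buf))
    return comps, None                         # no realm given

LINE_RE = re.compile(r"authenticating '([^']*)' to '([^']*)'")

def check_log(log):
    """Return (role, principal, problem) for every principal that is malformed
    or that carries its own realm inside a name component (the doubled-realm bug)."""
    findings = []
    for m in LINE_RE.finditer(log):
        for role, text in (('client', m.group(1)), ('service', m.group(2))):
            try:
                comps, realm = parse_principal(text)
            except ValueError:
                findings.append((role, text, 'malformed'))
                continue
            if realm and any(c.endswith('@' + realm) for c in comps):
                findings.append((role, text, 'realm duplicated in name component'))
    return findings
```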
@jackal242 note that I got it working with pam_sss as described in the https://pagure.io/SSSD/sssd/issue/3765 SSSD issue.