#2 bug: pam_krb5 adding second @DOMAIN when canonicalize = true
Opened 6 years ago by jackal242. Modified 3 months ago

The pam_krb5.so module is adding a second @DOMAIN to the request when canonicalize = true in /etc/krb5.conf causing a "Malformed representation of principal".

I believe this is the code that's broken here --> https://pagure.io/pam_krb5/blob/master/f/src/v5.c#_1839-1853

EXAMPLE OF THE BUG:

SUCCESS (canonicalize = false in /etc/krb5.conf):
pam_krb5[6127]: keytab: FILE:/etc/krb5.keytab
pam_krb5[6127]: token strategy: v4,524,2b,rxk5
pam_krb5[6127]: called to authenticate 'brad.allison', realm 'CORP.MYDOMAIN.COM'
pam_krb5[6127]: authenticating 'brad.allison@CORP.MYDOMAIN.COM'
pam_krb5[6127]: saving newly-entered password for use by other modules
pam_krb5[6127]: trying newly-entered password for 'brad.allison', allowing libkrb5 to prompt for more
pam_krb5[6127]: authenticating 'brad.allison@CORP.MYDOMAIN.COM' to 'krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM'
pam_krb5[6127]: krb5_get_init_creds_password(krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM) returned 0 (Success)
pam_krb5[6127]: validating credentials
pam_krb5[6127]: TGT verified using key for 'host/myhost.corp.mydomain.com@CORP.MYDOMAIN.COM'

FAILED (canonicalize = true in /etc/krb5.conf)):
pam_krb5[6127]: keytab: FILE:/etc/krb5.keytab
pam_krb5[6127]: token strategy: v4,524,2b,rxk5
pam_krb5[6127]: called to authenticate 'brad.allison', realm 'CORP.MYDOMAIN.COM'
pam_krb5[6127]: authenticating 'brad.allison\@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM'
pam_krb5[6127]: saving newly-entered password for use by other modules
pam_krb5[6127]: trying newly-entered password for 'brad.allison', allowing libkrb5 to prompt for more
pam_krb5[6127]: authenticating 'brad.allison\@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM' to 'krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM'
pam_krb5[6127]: krb5_get_init_creds_password(krbtgt/CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM) returned -1765328250 (Malformed representation of principal)
pam_krb5[6127]: got result -1765328250 (Malformed representation of principal)
pam_krb5[6127]: authentication fails for 'brad.allison' (brad.allison\@CORP.MYDOMAIN.COM@CORP.MYDOMAIN.COM): Authentication failure (Malformed representation of principal)
pam_krb5[6127]: pam_authenticate returning 7 (Authentication failure)
pam_krb5[6127]: default/local realm 'CORP.MYDOMAIN.COM'
pam_krb5[6127]: configured realm 'CORP.MYDOMAIN.COM'


Here's how i'm testing the canonicalize = true in /etc/krb5.conf:

[appdefaults]
pam = {
forwardable = true
validate = true
debug = true
canonicalize = true
}

@jackal242 note that I got it working with pam_sss as described in the https://pagure.io/SSSD/sssd/issue/3765 SSSD issue.

Log in to comment on this ticket.

Metadata