Your message dated Thu, 27 Apr 2023 14:49:32 +0000
with message-id <e1ps2w8-009uel...@fasolo.debian.org>
and subject line Bug#1034659: fixed in freeipa 4.9.11-2
has caused the Debian Bug report #1034659,
regarding freeipa-client: IPA client Kerberos configuration incompatible with
java
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1034659: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034659
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: freeipa-client
Version: 4.9.11-1
Severity: normal
Dear Maintainer,
on a host enrolled as an IPA client, Kerberos is not usable in Java.
The error message is:
KrbException: krb5.conf loading failed
(please find simple steps to reproduce below)
After debugging step by step, I found out that this is due to the fact
that the following Kerberos configuration directory
/var/lib/sss/pubconf/krb5.include.d/
ends up being included twice and that Java rejects multiple includes of the
same directory.
This directory is included:
- in the configuration file /etc/krb5.conf.d/enable_sssd_conf_dir
which is deployed by the installation of the *package* freeipa-client
(probably indirectly by one of the sssd packages?)
- in the configuration file /etc/krb5.conf
which is generated by the ipa-client-install procedure
As a workaround, commenting out the includedir line in
/etc/krb5.conf.d/enable_sssd_conf_dir
(or completely removing this file, since it contains only this line)
solves the problem.
Please note that:
- the issue occurs with Java 17, 11 and 21 (and most likely other available
Java versions)
- the issue does NOT occur on bullseye with freeipa-client from backports
(which we have been using in production for a while)
In order to reproduce (on a host enrolled as an IPA client), using the standard
Java JAAS Kerberos example:
https://docs.oracle.com/en/java/javase/17/security/jaas-authentication.html
(just copy JaasAcn.java and jaas.conf in the same directory; no need to compile)
$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Authentication failed:
KrbException: krb5.conf loading failed
And the workaround:
$ sudo mv /etc/krb5.conf.d/enable_sssd_conf_dir /tmp
$ /usr/lib/jvm/java-17-openjdk-amd64/bin/java -Djava.security.auth.login.config=jaas.conf JaasAcn.java
Kerberos username [mbaudier]:
Kerberos password for mbaudier:
Authentication succeeded!
-- System Information:
Debian Release: 12.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.14.0-162.23.1.el9_1.x86_64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages freeipa-client depends on:
ii bind9-dnsutils [dnsutils] 1:9.18.13-1
ii bind9-utils 1:9.18.13-1
ii certmonger 0.79.17-2
ii curl 7.88.1-9
ii dnsutils 1:9.18.13-1
ii freeipa-common 4.9.11-1
ii krb5-user 1.20.1-1+b1
ii libc6 2.36-9
ii libcom-err2 1.47.0-2
ii libcurl4 7.88.1-9
ii libini-config5 0.6.2-1
ii libjansson4 2.14-2
ii libk5crypto3 1.20.1-1+b1
ii libkrb5-3 1.20.1-1+b1
ii libldap-2.5-0 2.5.13+dfsg-5
ii libnss-sss 2.8.2-4
ii libnss3-tools 2:3.89-2
ii libpam-sss 2.8.2-4
ii libpopt0 1.19+dfsg-1
ii libsasl2-modules-gssapi-mit 2.1.28+dfsg-11
ii libssl3 3.0.8-1
ii libsss-sudo 2.8.2-4
ii oddjob-mkhomedir 0.34.7-1+b2
ii python3 3.11.2-1+b1
ii python3-dnspython 2.3.0-1
ii python3-gssapi 1.8.2-1+b1
ii python3-ipaclient 4.9.11-1
ii python3-ldap 3.4.3-2+b2
ii python3-sss 2.8.2-4
ii sssd 2.8.2-4
Versions of packages freeipa-client recommends:
ii chrony 4.3-2
Versions of packages freeipa-client suggests:
pn libpam-krb5 <none>
-- no debconf information
--- End Message ---
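The double include described in the report above can be checked for mechanically before a Java service fails to authenticate. The following is an added example, not part of the original report or of the freeipa package: the function names, the `root` parameter and the sample tree are constructed for illustration, and the sample assumes that /etc/krb5.conf also includes /etc/krb5.conf.d/.

```python
import os
import re
from collections import defaultdict

# MIT krb5 includedir loads only names made of alphanumerics, "-", "_", or ending in ".conf".
_LOADABLE = re.compile(r"^[A-Za-z0-9_-]+$|\.conf$")

def find_includedirs(conf_path, root="", seen=None, hits=None):
    """Follow include/includedir directives; map each directory to its (file, line) includers."""
    seen = set() if seen is None else seen
    hits = defaultdict(list) if hits is None else hits
    real = os.path.realpath(root + conf_path)
    if real in seen or not os.path.isfile(real):
        return hits
    seen.add(real)
    with open(real, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            parts = line.split()
            if len(parts) != 2:
                continue  # comments, sections and relations are not directives
            if parts[0] == "include":
                find_includedirs(parts[1], root, seen, hits)
            elif parts[0] == "includedir":
                target = os.path.normpath(parts[1])  # drop any trailing slash
                hits[target].append((conf_path, lineno))
                if os.path.isdir(root + target):
                    for name in sorted(os.listdir(root + target)):
                        if _LOADABLE.search(name):
                            find_includedirs(os.path.join(target, name), root, seen, hits)
    return hits

def duplicate_includedirs(conf_path="/etc/krb5.conf", root=""):
    """Return only the directories that are pulled in more than once."""
    found = find_includedirs(conf_path, root)
    return {d: locs for d, locs in found.items() if len(locs) > 1}

def build_sample(root):
    """Constructed sample tree mirroring the two files named in the report."""
    os.makedirs(root + "/etc/krb5.conf.d")
    sssd_dir = "includedir /var/lib/sss/pubconf/krb5.include.d/\n"
    with open(root + "/etc/krb5.conf", "w") as fh:
        fh.write("includedir /etc/krb5.conf.d/\n" + sssd_dir + "[libdefaults]\n")
    with open(root + "/etc/krb5.conf.d/enable_sssd_conf_dir", "w") as fh:
        fh.write(sssd_dir)

if __name__ == "__main__":
    for directory, locations in duplicate_includedirs().items():
        print(directory, "included by", locations)
```

Run without arguments on an enrolled host, it lists every directory that more than one includedir line points at; an empty result matches the state after the workaround.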
--- Begin Message ---
Source: freeipa
Source-Version: 4.9.11-2
Done: Timo Aaltonen <tjaal...@debian.org>
We believe that the bug you reported is fixed in the latest version of
freeipa, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1034...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Timo Aaltonen <tjaal...@debian.org> (supplier of updated freeipa package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 27 Apr 2023 17:23:26 +0300
Source: freeipa
Built-For-Profiles: noudeb
Architecture: source
Version: 4.9.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <pkg-freeipa-de...@alioth-lists.debian.net>
Changed-By: Timo Aaltonen <tjaal...@debian.org>
Closes: 1034659
Changes:
freeipa (4.9.11-2) unstable; urgency=medium
.
* client: Fix kerberos support for Java by dropping a duplicate
includedir from ipa-client-setup we already get from sssd. (Closes:
#1034659)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---