Package: freeipa-client
Version: 4.12.4-1
Severity: normal

Dear Maintainer,
I have set up an IPA account using 2FA. SSH login works properly with ssh key, but not with password: krb5kdc returns 'NEEDED_PREAUTH'. 'sudo su' generates an error in krb5_child: Resource temporarily unavailable

usert@server:~$ KRB5_TRACE=/dev/stderr kinit [email protected]
[1333] 1758891640.523997: Matching [email protected] in collection with result: -1765328243/Can't find client principal [email protected] in cache collection
[1333] 1758891640.523998: Getting initial credentials for [email protected]
[1333] 1758891640.524000: Sending unauthenticated request
[1333] 1758891640.524001: Sending request (197 bytes) to AIRNAVIGATION.AERO
[1333] 1758891640.524002: Initiating TCP connection to stream XXX.XXX.XXX.XXX:88
[1333] 1758891640.524003: Sending TCP request to stream XXX.XXX.XXX.XXX:88
[1333] 1758891640.524004: Received answer (258 bytes) from stream XXX.XXX.XXX.XXX:88
[1333] 1758891640.524005: Terminating TCP connection to stream XXX.XXX.XXX.XXX:88
[1333] 1758891640.524006: Response was from primary KDC
[1333] 1758891640.524007: Received error from KDC: -1765328359/Additional pre-authentication required
[1333] 1758891640.524010: Preauthenticating using KDC method data
[1333] 1758891640.524011: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1333] 1758891640.524012: Received cookie: MIT
[1333] 1758891640.524013: PKINIT client has no configured identity; giving up
[1333] 1758891640.524014: Preauth module pkinit (147) (info) returned: 0/Success
[1333] 1758891640.524015: PKINIT client received freshness token from KDC
[1333] 1758891640.524016: Preauth module pkinit (150) (info) returned: 0/Success
[1333] 1758891640.524017: PKINIT client has no configured identity; giving up
[1333] 1758891640.524018: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Another account without 2FA presents something like

[...]
[1338] 1758891659.272110: Preauthenticating using KDC method data
[1338] 1758891659.272111: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1338] 1758891659.272112: Selected etype info: etype aes256-cts, salt "d6LxUr,b[aoD.7]B", params ""
[1338] 1758891659.272113: Received cookie: MIT1\x00\x00\x00\x01\x1d\xcah\x[...]
[1338] 1758891659.272114: PKINIT client has no configured identity; giving up
[1338] 1758891659.272115: Preauth module pkinit (147) (info) returned: 0/Success
[1338] 1758891659.272116: PKINIT client received freshness token from KDC
[1338] 1758891659.272117: Preauth module pkinit (150) (info) returned: 0/Success
[1338] 1758891659.272118: PKINIT client has no configured identity; giving up
[1338] 1758891659.272119: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1338] 1758891659.272120: SPAKE challenge received with group 1, pubkey CB842AA93711EBF282A6537622542450D24085A1240...
Password for [email protected]:
[1338] 1758891668.641440: SPAKE key generated with pubkey 772617E157E10334303199B97BF8DD5418...
[1338] 1758891668.641441: SPAKE algorithm result: C6ACFD8C40D1B443A529BB7F8A5B6FB09D33393F41E4FACBED...
[1338] 1758891668.641442: SPAKE final transcript hash: 07B784AB0423F00F0C62409302D10434861A16BBB88703...
[...]

and kinit succeeds properly.

While trying to resolve the issue, I installed krb5-pkinit, but that did not solve the issue.

According to https://lists.fedorahosted.org/archives/list/[email protected]/thread/REV7YNUW2RIIRBDNVYBU4PNTSY6ZM2MO/, the order of the entries in /etc/pam.d/common-auth matters for this to work properly. Raised in https://bugs.debian.org/1001644

All this works perfectly fine in Debian 12.
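The two traces differ in one line: the KDC's "Processing preauth types" list. For the 2FA account it contains only PKINIT, FAST and cookie types, while the password-only account is also offered PA-ETYPE-INFO2, PA-ENC-TIMESTAMP and PA-SPAKE, which is why the second kinit can proceed to a password prompt. The script below is an added diagnostic, not part of the bug report or of the krb5/freeipa packages: it parses KRB5_TRACE output for that line and reports which category of pre-authentication the KDC offered. The reading that a list with no password-capable type points to a FAST armor requirement (OTP pre-authentication in MIT krb5 and FreeIPA runs inside a FAST tunnel, which SSSD sets up from the host keytab and plain kinit does not) is the editor's interpretation; the sample traces are constructed from the report's lines, with the hashes shortened.

```python
import re

# Constructed excerpts modelled on the report's two traces (not verbatim).
TRACE_2FA = """\
[1333] 1758891640.524010: Preauthenticating using KDC method data
[1333] 1758891640.524011: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1333] 1758891640.524018: Preauth module pkinit (16) (real) returned: 22/Invalid argument
"""
TRACE_PASSWORD = """\
[1338] 1758891659.272110: Preauthenticating using KDC method data
[1338] 1758891659.272111: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1338] 1758891659.272120: SPAKE challenge received with group 1, pubkey CB84...
"""

# Preauth types a client holding only a password can answer without FAST armor.
PASSWORD_PREAUTH = {2: "PA-ENC-TIMESTAMP", 151: "PA-SPAKE"}
PA_FX_FAST = 136   # RFC 6113 FAST armor
PA_OTP = 141       # RFC 6560 OTP; FreeIPA offers it only inside a FAST tunnel

PREAUTH_LINE = re.compile(r"Processing preauth types: (.*)$")
PREAUTH_TYPE = re.compile(r"\((\d+)\)")


def offered_preauth_types(trace: str) -> list[int]:
    """Numeric preauth types from the last 'Processing preauth types' line."""
    types: list[int] = []
    for line in trace.splitlines():
        m = PREAUTH_LINE.search(line)
        if m:
            types = [int(n) for n in PREAUTH_TYPE.findall(m.group(1))]
    return types


def diagnose(trace: str) -> str:
    """Classify why an unarmored kinit can or cannot continue with a password."""
    types = offered_preauth_types(trace)
    if not types:
        return "no-preauth-list"
    if any(t in PASSWORD_PREAUTH for t in types):
        return "password-preauth-offered"
    if PA_OTP in types:
        return "otp-offered"
    if PA_FX_FAST in types:
        # Only FAST/PKINIT/cookie types: the client needs an armor ticket
        # (editor's interpretation; matches the 2FA trace in the report).
        return "fast-armor-required"
    return "unknown"


if __name__ == "__main__":
    for name, trace in (("2FA account", TRACE_2FA), ("password account", TRACE_PASSWORD)):
        print(f"{name}: {diagnose(trace)}")
```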
-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.48+deb13-cloud-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeipa-client depends on:
ii  bind9-dnsutils               1:9.20.11-4
ii  bind9-utils                  1:9.20.11-4
ii  certmonger                   0.79.20-2
ii  curl                         8.14.1-2
ii  freeipa-common               4.12.4-1
ii  krb5-user                    1.21.3-5
ii  libc6                        2.41-12
ii  libcom-err2                  1.47.2-3+b3
ii  libcurl4t64                  8.14.1-2
ii  libini-config5t64            0.6.2-3
ii  libjansson4                  2.14-2+b3
ii  libk5crypto3                 1.21.3-5
ii  libkrb5-3                    1.21.3-5
ii  libldap2                     2.6.10+dfsg-1
ii  libnss-sss                   2.10.1-2+b1
ii  libnss3-tools                2:3.110-1
ii  libpam-sss                   2.10.1-2+b1
ii  libpopt0                     1.19+dfsg-2
ii  libsasl2-modules-gssapi-mit  2.1.28+dfsg1-9
ii  libssl3t64                   3.5.1-1
ii  libsss-sudo                  2.10.1-2+b1
ii  oddjob-mkhomedir             0.34.7-2.1
ii  python3                      3.13.5-1
ii  python3-dnspython            2.7.0-1
ii  python3-gssapi               1.9.0-1+b2
ii  python3-ipaclient            4.12.4-1
ii  python3-ldap                 3.4.4-1+b5
ii  python3-sss                  2.10.1-2+b1
ii  sssd                         2.10.1-2+b1

Versions of packages freeipa-client recommends:
ii  chrony        4.6.1-3
pn  sssd-passkey  <none>

Versions of packages freeipa-client suggests:
pn  libnss-myhostname  <none>
pn  libpam-krb5        <none>

-- no debconf information

