pam_krb5 does not work in a default configuration. I can't tell precisely after what specific version change of pam_krb5 or mit-krb5 it happened, but it's a relatively recent change.

Expectation: With the default configuration in /etc/pam.d/system-auth:

    auth     [success=3 default=ignore] pam_krb5.so debug ignore_root try_first_pass
    account  [success=2 default=ignore] pam_krb5.so debug ignore_root try_first_pass
    password [success=1 default=ignore] pam_krb5.so debug ignore_root try_first_pass
    session  [success=1 default=ignore] pam_krb5.so debug ignore_root try_first_pass

pam_krb5 stores a session credential.

Reality: No credential found after login.

Adding retain_after_close to the session pam stack:

    session  [success=1 default=ignore] pam_krb5.so debug ignore_root try_first_pass retain_after_close

solves the problem, but this did not use to be required, and it requires the user to manually destroy Kerberos tickets, e.g. via .bash_logout.

I added trace logging to all pam_krb5.so invocations. Here is how the successful (retain_after_close) run looks:

    [13926] 1647641540.519944: Response was from primary KDC
    [13926] 1647641540.519945: AS key determined by preauth: aes256-sha2/A751
    [13926] 1647641540.519946: Decrypted AS reply; session key is: aes256-sha2/C66B
    [13926] 1647641540.519947: FAST negotiation: available
    [13926] 1647641540.519948: Initializing FILE:/tmp/krb5cc_pam_HSM3zw with default princ vklimovs@LAN
    [13926] 1647641540.519949: Storing vklimovs@LAN -> krbtgt/LAN@LAN in FILE:/tmp/krb5cc_pam_HSM3zw
    [13926] 1647641540.519952: Initializing FILE:/tmp/krb5cc_1000_Cf8IHO with default princ vklimovs@LAN
    [13926] 1647641540.519953: Storing vklimovs@LAN -> krbtgt/LAN@LAN in FILE:/tmp/krb5cc_1000_Cf8IHO
    [13926] 1647641540.519954: Destroying ccache FILE:/tmp/krb5cc_pam_HSM3zw

so the temp ticket got destroyed, but not the main one.

Unsuccessful:

    [13897] 1647641484.680695: Response was from primary KDC
    [13897] 1647641484.680696: AS key determined by preauth: aes256-sha2/5314
    [13897] 1647641484.680697: Decrypted AS reply; session key is: aes256-sha2/A3B2
    [13897] 1647641484.680698: FAST negotiation: available
    [13897] 1647641484.680699: Initializing FILE:/tmp/krb5cc_pam_mlyJeW with default princ vklimovs@LAN
    [13897] 1647641484.680700: Storing vklimovs@LAN -> krbtgt/LAN@LAN in FILE:/tmp/krb5cc_pam_mlyJeW
    [13897] 1647641484.680703: Initializing FILE:/tmp/krb5cc_1000_3ZZB9R with default princ vklimovs@LAN
    [13897] 1647641484.680704: Storing vklimovs@LAN -> krbtgt/LAN@LAN in FILE:/tmp/krb5cc_1000_3ZZB9R
    [13897] 1647641484.680705: Destroying ccache FILE:/tmp/krb5cc_pam_mlyJeW
    [13902] 1647641484.680707: Destroying ccache FILE:/tmp/krb5cc_1000_3ZZB9R

The user ticket is also destroyed, but it should have been kept for the user to use. It seems that something now is calling pam session close and that makes pam_krb5 destroy a ticket?

Reproducible: Always
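As an added example that is not part of the report or of pam_krb5, a Python check over KRB5_TRACE output of the shape shown above: it records which ccaches were initialised and destroyed, reports whether the user's cache survived the login, and flags a user cache torn down by a different process than the one that created it (the pattern the report shows). The sample lines are the report's own traces; the assumption that pam_krb5's scratch cache is named krb5cc_pam_* is taken from them.

```python
import re

# Trace lines reproduced from the report above (pids and ccache names as logged).
RETAINED_TRACE = """\
[13926] 1647641540.519948: Initializing FILE:/tmp/krb5cc_pam_HSM3zw with default princ vklimovs@LAN
[13926] 1647641540.519949: Storing vklimovs@LAN -> krbtgt/LAN@LAN in FILE:/tmp/krb5cc_pam_HSM3zw
[13926] 1647641540.519952: Initializing FILE:/tmp/krb5cc_1000_Cf8IHO with default princ vklimovs@LAN
[13926] 1647641540.519953: Storing vklimovs@LAN -> krbtgt/LAN@LAN in FILE:/tmp/krb5cc_1000_Cf8IHO
[13926] 1647641540.519954: Destroying ccache FILE:/tmp/krb5cc_pam_HSM3zw
"""
DESTROYED_TRACE = """\
[13897] 1647641484.680699: Initializing FILE:/tmp/krb5cc_pam_mlyJeW with default princ vklimovs@LAN
[13897] 1647641484.680700: Storing vklimovs@LAN -> krbtgt/LAN@LAN in FILE:/tmp/krb5cc_pam_mlyJeW
[13897] 1647641484.680703: Initializing FILE:/tmp/krb5cc_1000_3ZZB9R with default princ vklimovs@LAN
[13897] 1647641484.680704: Storing vklimovs@LAN -> krbtgt/LAN@LAN in FILE:/tmp/krb5cc_1000_3ZZB9R
[13897] 1647641484.680705: Destroying ccache FILE:/tmp/krb5cc_pam_mlyJeW
[13902] 1647641484.680707: Destroying ccache FILE:/tmp/krb5cc_1000_3ZZB9R
"""

INIT_RE = re.compile(r"^\[(\d+)\] [\d.]+: Initializing (\S+) with default princ (\S+)")
DESTROY_RE = re.compile(r"^\[(\d+)\] [\d.]+: Destroying ccache (\S+)")

def is_pam_temp_cache(ccache):
    # Assumption from the traces: scratch cache is krb5cc_pam_*, user cache krb5cc_<uid>_*.
    return "/krb5cc_pam_" in ccache

def analyse_trace(text):
    """Map every ccache seen to the pid that created it and the pid (if any) that destroyed it."""
    caches = {}
    for line in text.splitlines():
        if m := INIT_RE.match(line):
            pid, cc, princ = m.groups()
            caches[cc] = {"init_pid": int(pid), "princ": princ, "destroy_pid": None,
                          "temp": is_pam_temp_cache(cc)}
        elif m := DESTROY_RE.match(line):
            pid, cc = m.groups()
            entry = caches.setdefault(cc, {"init_pid": None, "temp": is_pam_temp_cache(cc)})
            entry["destroy_pid"] = int(pid)
    return caches

def user_cache_retained(text):
    """True when a user-visible ccache was initialised and never destroyed during the trace."""
    return any(not c["temp"] and c["destroy_pid"] is None
               for c in analyse_trace(text).values())

def destroyed_by_other_process(text):
    """User caches destroyed by a pid other than their creator (a session close run elsewhere)."""
    return [cc for cc, c in analyse_trace(text).items()
            if not c["temp"] and c["destroy_pid"] not in (None, c["init_pid"])]
```

Run it against `KRB5_TRACE` output captured from a real login (for example by pointing KRB5_TRACE at a file in the PAM environment) to confirm a fix rather than relying on an interactive klist.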
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bae49e0d79a34dcd4f545f8b829427d6277d88ed

commit bae49e0d79a34dcd4f545f8b829427d6277d88ed
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2022-03-19 08:23:13 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2022-03-19 08:23:38 +0000

    sys-auth/pam_krb5: add 4.11

    Closes: https://bugs.gentoo.org/835605
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 sys-auth/pam_krb5/Manifest             |  1 +
 sys-auth/pam_krb5/pam_krb5-4.11.ebuild | 35 ++++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
Please check pam_krb5-4.11 and reopen if not resolved. https://github.com/rra/pam-krb5/issues/21 seems to be the culprit. Thank you.