• Server settings from /etc/krb5.conf used despite KRB5_CONFIG set

    From Andrej Mikus@21:1/5 to All on Mon May 9 21:03:46 2022
    Hi,

    I would like to request comment/suggestion for a problem that resembles https://stackoverflow.com/questions/33132768/kerberos-still-using-default-etc-krb5-conf-file-even-after-setting-krb5-config

    As a Linux user, I am trying to access an IIS website protected by
    Kerberos. Linux is managed by a different team than AD, both are using
    their own Kerberos servers, and for some reason they use the same
    domain/realm name.

    I am pointing KRB5_CONFIG to a file with correct KDC address/name, but
    kinit always refers to the IP specified in /etc/krb5.conf.

    It is my understanding that setting the environment variable overrides any
    use of files in /etc, also the test scripts in the code distribution
    suggest this.

    The environment variable and authentication work well when using
    a system that refers to a different Linux domain in /etc/krb5.conf, so
    for now I can access the AD from there. I would still like to understand
    what is going on on the other Linux system.

    krb5-libs.x86_64 krb5-workstation.x86_64 1.18.2-14.el8 from RHEL8

    Regards
    Andrej

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From John Devitofranceschi@21:1/5 to Andrej Mikus on Sat May 14 08:47:32 2022
    Copy: kerberos@mit.edu

    On May 9, 2022, at 3:03 PM, Andrej Mikus <a-krb5user@mikus.sk> wrote:
    > I am pointing KRB5_CONFIG to a file with correct KDC address/name, but
    > kinit always refers to the IP specified in /etc/krb5.conf.
    >
    > It is my understanding that setting the environment variable overrides any
    > use of files in /etc, also the test scripts in the code distribution
    > suggest this.

    Is there an sssd_krb5_locator_plugin getting in the way?

    Check under /usr/lib/krb5/plugins/libkrb5.

    jd

  • From Andrej Mikus@21:1/5 to John Devitofranceschi on Mon May 16 08:05:11 2022
    Copy: kerberos@mit.edu

    On Sat, 14.May.22 08:47:32 -0400, John Devitofranceschi wrote:

    > On May 9, 2022, at 3:03 PM, Andrej Mikus <a-krb5user@mikus.sk> wrote:
    >> I am pointing KRB5_CONFIG to a file with correct KDC address/name, but kinit always refers to the IP specified in /etc/krb5.conf.
    >>
    >> It is my understanding that setting the environment variable overrides any
    >> use of files in /etc, also the test scripts in the code distribution suggest this.
    >
    > Is there an sssd_krb5_locator_plugin getting in the way?
    >
    > Check under /usr/lib/krb5/plugins/libkrb5.

    That was it. In a different place and with a different filename, /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so, but setting SSSD_KRB5_LOCATOR_DISABLE works!

    Thanks a lot for the hint.

    Andrej
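
The check suggested in this thread, as an added shell sketch (not part of the original posts and not code from MIT krb5 or SSSD): it lists SSSD krb5 plugin modules and reports whether the locator is disabled for the current shell. The function names and the directory list are assumptions made for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch; PLUGIN_DIRS and the function names are assumptions.
# The directories are the two named in the thread plus the lib64 variant of
# the MIT krb5 plugin path.
PLUGIN_DIRS="/usr/lib/krb5/plugins/libkrb5 /usr/lib64/krb5/plugins/libkrb5 /usr/lib64/sssd/modules"

# Print every SSSD krb5 plugin module found under the given directories.
# Missing directories are skipped; an unmatched glob stays literal and is
# filtered out by the -e test.
find_sssd_krb5_plugins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/sssd_krb5_*plugin*.so; do
            if [ -e "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# Summarise the inputs that can influence which KDC a client contacts.
kdc_selection_report() {
    printf 'KRB5_CONFIG=%s\n' "${KRB5_CONFIG:-unset (default /etc/krb5.conf)}"
    # The variable only needs to be set; its value does not matter.
    if [ -n "${SSSD_KRB5_LOCATOR_DISABLE+x}" ]; then
        printf 'sssd locator: disabled via SSSD_KRB5_LOCATOR_DISABLE\n'
    else
        printf 'sssd locator: not disabled\n'
    fi
    plugins=$(find_sssd_krb5_plugins "$@")
    if [ -n "$plugins" ]; then
        printf '%s\n' "$plugins" | sed 's/^/plugin: /'
    else
        printf 'plugin: none found\n'
    fi
}

# Word splitting of PLUGIN_DIRS is intended here.
kdc_selection_report $PLUGIN_DIRS
```

Running kinit with `KRB5_TRACE=/dev/stderr` set, once with and once without `SSSD_KRB5_LOCATOR_DISABLE`, shows which KDC address is actually contacted in each case.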
