https://bugzilla.redhat.com/show_bug.cgi?id=2094685
Bug ID: 2094685
Summary: Default of 'pac_check' is too strict
Product: Fedora
Version: 36
Status: NEW
Component: sssd
Assignee: sssd-maintainers(a)lists.fedoraproject.org
Reporter: sbose(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: abokovoy(a)redhat.com, atikhono(a)redhat.com,
jhrozek(a)redhat.com, lslebodn(a)redhat.com,
luk.claes(a)gmail.com, mzidek(a)redhat.com,
pbrezina(a)redhat.com, sbose(a)redhat.com,
ssorce(a)redhat.com,
sssd-maintainers(a)lists.fedoraproject.org
Target Milestone: ---
Classification: Fedora
Description of problem:
The default of 'pac_check' is too strict: it currently requires that a PAC is
present when using the ipa or ad provider. While it would work with the AD
provider in most cases, for ipa there is a fair chance that the PAC will not be
available.

If authentication fails and there are messages like "[validate_tgt] ... PAC
check failed for principal ..." you are most probably affected by this issue.

As a work-around, set

    pac_check = check_upn, check_upn_dns_info_ex

in the [pac] section of sssd.conf.
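A triage sketch for the symptom and work-around described in this report, added here as an example and not taken from the report or from sssd itself. The sample sssd.conf and the log line are constructed (the report elides the text around the message, so the real log layout may differ), and the function names and status strings are hypothetical.

```python
import configparser
import re

# Fragments quoted in the report; the text between them is elided there, so the
# pattern only assumes the principal follows "for principal" (assumption).
SYMPTOM = re.compile(r"\[validate_tgt\].*?PAC check failed for principal\s+\[?([^\s\]]+)")
# Work-around value from the report.
WORKAROUND = {"check_upn", "check_upn_dns_info_ex"}

# Constructed sssd.conf without a [pac] section, i.e. the default applies.
SAMPLE_CONF = """
[sssd]
domains = ipa.test
services = nss, pam

[domain/ipa.test]
id_provider = ipa
"""
# Constructed log line; only the quoted fragments come from the report.
SAMPLE_LOG = ("(2022-06-08 10:00:01): [krb5_child[1234]] [validate_tgt] (0x0020): "
              "PAC check failed for principal [alice@IPA.TEST].\n")

def pac_check_value(conf_text):
    """Return the explicit pac_check options in [pac] as a set, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_option("pac", "pac_check"):
        return None
    return {tok.strip() for tok in cp.get("pac", "pac_check").split(",") if tok.strip()}

def failed_principals(log_text):
    """Principals named in 'PAC check failed' messages, de-duplicated and sorted."""
    return sorted({m.group(1).rstrip(".,") for m in SYMPTOM.finditer(log_text)})

def triage(conf_text, log_text):
    """Classify a host: symptom present or not, and whether the work-around is set."""
    if not failed_principals(log_text):
        return "no-symptom"
    value = pac_check_value(conf_text)
    if value is None:
        return "affected-default"   # symptom seen and the strict default is in effect
    if value == WORKAROUND:
        return "workaround-set"     # failures predate the change or have another cause
    return "custom-value"           # pac_check set to something else; review by hand

if __name__ == "__main__":
    print(triage(SAMPLE_CONF, SAMPLE_LOG), failed_principals(SAMPLE_LOG))
```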