https://bugzilla.redhat.com/show_bug.cgi?id=2094685 Bug ID: 2094685 Summary: Default of 'pac_check' is too strict Product: Fedora Version: 36 Status: NEW Component: sssd Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: sbose(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, luk.claes(a)gmail.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Description of problem: Default of 'pac_check' is too strict, it currently requires that a PAC is present when using ipa or ad provider. While it would work with the AD provider in most cases for ipa there is a fair chance that the PAC will not be available. If authentication fails and there are messages like "[validate_tgt] ... PAC check failed for principal ..." you are most probably affected by this issue. As a work-around set pac_check = check_upn, check_upn_dns_info_ex in the [pac] section of sssd.conf. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2094685