jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

SPNEGO validation error: defective token detected: PAC Info Buffers does not contain a KerbValidationInfo #545

Closed aletheia7 closed 4 months ago

aletheia7 commented 4 months ago

Summary

I made a web server (Go) that uses spnego.SPNEGOKRB5Authenticate() to an MIT Kerberos server from git https clients. It ran fine for a year or so. It stopped working with the following error:

github.com/jcmturner/gokrb5/v8@v8.4.4/spnego/http.go:387: 172.16.17.1:39504 - SPNEGO validation error: defective token detected: PAC Info Buffers does not contain a KerbValidationInfo

Why am I getting this error? I am not using Microsoft Active Directory. It could be that the MIT Kerberos Server was upgraded and has new defaults. Any ideas? Maybe I cannot use spnego with a plain MIT Kerberos server now? Is there a different gokrb5 function?

My ssh configuration using Kerberos works fine. kinit works fine.

Versions

All of the below versions are the latest.

gokrb5: v8.4.4
git: 2.43.0 uses libcurl4-gnutls
libcurl4-gnutls: 8.7.1
MIT Kerberos Key Server (KDC): 1.20
go: 1.22.3
OS: Debian Linux Testing trixie/sid

Thank you.

aletheia7 commented 4 months ago

Solved.

I upgraded MIT Kerberos to 1.20. A new kdc.conf configuration variable of disable_pac = false was added. See man kdc.conf. I changed kdc.conf for my realm to disable_pac = true and spnego.SPNEGOKRB5Authenticate() authentication succeeds.

bmahler commented 2 months ago

@jcmturner Seeing the same issue after upgrading our KDC to 1.20+. I don't think this issue should be closed, since disable_pac = true is merely a workaround. It seems other clients are working OK despite the new PAC feature, so this seems to be a bug in gokrb5?
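
Added example, not part of the thread and not gokrb5's own code: a small diagnostic that walks a PAC's info-buffer table (layout per MS-PAC) and reports whether a KERB_VALIDATION_INFO buffer (ulType 1) is listed, which is the condition named in the error above. The names inspectPAC and samplePAC are hypothetical, and the sample PAC is constructed (client info, server checksum and KDC checksum buffers only), not captured from the KDC discussed here.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// inspectPAC reads the PACTYPE header (cBuffers, Version) and each 16-byte
// PAC_INFO_BUFFER entry (ulType, cbBufferSize, Offset), all little-endian.
// It bounds-checks every entry and reports whether ulType 1 is present.
func inspectPAC(pac []byte) (types []uint32, hasLogonInfo bool, err error) {
	if len(pac) < 8 {
		return nil, false, fmt.Errorf("PAC shorter than the 8-byte PACTYPE header")
	}
	n := uint64(binary.LittleEndian.Uint32(pac[0:4]))
	if n > uint64(len(pac)-8)/16 {
		return nil, false, fmt.Errorf("cBuffers=%d exceeds available data", n)
	}
	for i := 0; i < int(n); i++ {
		e := pac[8+16*i : 24+16*i]
		size := uint64(binary.LittleEndian.Uint32(e[4:8]))
		off := binary.LittleEndian.Uint64(e[8:16])
		if off > uint64(len(pac)) || size > uint64(len(pac))-off {
			return nil, false, fmt.Errorf("buffer %d points outside the PAC", i)
		}
		t := binary.LittleEndian.Uint32(e[0:4])
		types = append(types, t)
		hasLogonInfo = hasLogonInfo || t == 1 // ulType 1 = KERB_VALIDATION_INFO
	}
	return types, hasLogonInfo, nil
}

// samplePAC builds a constructed PAC with one zero-filled 8-byte buffer per type.
func samplePAC(types ...uint32) []byte {
	pac := make([]byte, 8+24*len(types))
	binary.LittleEndian.PutUint32(pac[0:4], uint32(len(types)))
	for i, t := range types {
		e := pac[8+16*i:]
		binary.LittleEndian.PutUint32(e[0:4], t)
		binary.LittleEndian.PutUint32(e[4:8], 8)
		binary.LittleEndian.PutUint64(e[8:16], uint64(8+16*len(types)+8*i))
	}
	return pac
}

func main() {
	types, ok, err := inspectPAC(samplePAC(10, 6, 7)) // constructed: no type 1
	fmt.Println(types, ok, err)
}
```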