I deployed FreeIPA domain infrastructure and deployed a simple kerberized web service:

```go
package main

import (
	"log"
	"net/http"
	"os"

	"github.com/jcmturner/gokrb5/v8/keytab"
	"github.com/jcmturner/gokrb5/v8/service"
	"github.com/jcmturner/gokrb5/v8/spnego"
)

// handler echoes the X-User request header back to the client.
func handler(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("Authenticated user: " + r.Header.Get("X-User")))
}

func main() {
	l := log.New(os.Stderr, "GOKRB5 : ", log.Ldate|log.Ltime|log.Lshortfile)
	// Load keytab
	kt, err := keytab.Load("/var/lib/ipa/gssproxy/http.keytab")
	if err != nil {
		l.Fatalf("could not load keytab: %v", err)
	}
	h := http.HandlerFunc(handler)
	// Wrap the handler so that /test requires SPNEGO (Kerberos) authentication.
	http.Handle("/test", spnego.SPNEGOKRB5Authenticate(h, kt, service.Logger(l), service.KeytabPrincipal("HTTP/astra-15883.domain.local")))
	l.Fatal(http.ListenAndServe(":8080", nil))
}
```
Then I configured the browser to use SPNEGO auth, but the domain user still gets a 401 Unauthorized error:

```
SPNEGO validation error: defective token detected: PAC Info Buffers does not contain a KerbValidationInfo
```

Although the user successfully obtains a service ticket from the KDC (checked it via klist). The token is also included in the `Authorization: Negotiate ....` request header.
Maybe this library is compatible only with MS AD?
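
The error message above names one specific check: whether the PAC's info buffers include a `KERB_VALIDATION_INFO` (logon information) entry. As an added example that is not part of the original issue and is not gokrb5's own code, this Go program walks the PACTYPE layout defined in MS-PAC and reports which buffer types a PAC carries. `inspectPAC`, `buildPAC` and the sample PACs are hypothetical and constructed here, and the program assumes the decrypted PAC bytes are already in hand.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// logonInfoType is the MS-PAC ulType of the KERB_VALIDATION_INFO buffer.
const logonInfoType = 1

var le = binary.LittleEndian

// inspectPAC walks the PACTYPE header (cBuffers, Version) and its 16-byte
// PAC_INFO_BUFFER entries (ulType, cbBufferSize, Offset). It returns every
// ulType and whether a logon information buffer is among them.
func inspectPAC(pac []byte) (types []uint32, hasLogon bool, err error) {
	if len(pac) < 8 || uint64(le.Uint32(pac)) > uint64(len(pac)-8)/16 {
		return nil, false, fmt.Errorf("PAC truncated in header or info buffer array")
	}
	count := int(le.Uint32(pac))
	for i := 0; i < count; i++ {
		e := pac[8+16*i : 24+16*i]
		size, off := uint64(le.Uint32(e[4:8])), le.Uint64(e[8:16])
		if off > uint64(len(pac)) || size > uint64(len(pac))-off {
			return nil, false, fmt.Errorf("info buffer %d points outside the PAC", i)
		}
		types = append(types, le.Uint32(e[0:4]))
		hasLogon = hasLogon || types[i] == logonInfoType
	}
	return types, hasLogon, nil
}

// buildPAC constructs sample input: one 8-byte zero payload per ulType given.
func buildPAC(ulTypes ...uint32) []byte {
	n := len(ulTypes)
	pac := make([]byte, 8+24*n)
	le.PutUint32(pac[0:4], uint32(n))
	for i, t := range ulTypes {
		e := pac[8+16*i:]
		le.PutUint32(e[0:4], t)
		le.PutUint32(e[4:8], 8)
		le.PutUint64(e[8:16], uint64(8+16*n+8*i))
	}
	return pac
}

func main() {
	fmt.Println(inspectPAC(buildPAC(1, 6, 7, 10)))
	fmt.Println(inspectPAC(buildPAC(6, 7, 10)))
}
```

The second constructed PAC carries only the server checksum (6), KDC checksum (7) and client info (10) buffers, which is the shape the error message describes.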