[Bug 2098484] Re: Pkinit fails with invalid argument

Manuel Hiller 2098484 at bugs.launchpad.net
Thu Feb 27 14:41:49 UTC 2025


Hi Lukas,
sorry for the late response.
The problem regarding the minimal step-by-step instructions is that the Citrix Linux VDA agent is not publicly available.
For the Ubuntu steps, please see the list below:

1. Create VM and deploy Ubuntu with cloud init and 24.04.2 iso image
2. Implement certificates (from own PKI)
3. Join AD domain with adcli and configure with sssd and krb5
Dependencies:
  - 'acl'
  - 'krb5-user'
  - 'libpam-mklocaluser'
  - 'libpam-mount'
  - 'libpam-modules'
  - 'libpam-modules-bin'
  - 'libpam-python'
  - 'libpam-runtime'
  - 'libpam-ssh'
  - 'libpam-krb5'
  - 'libpam-systemd'
  - 'libpam-winbind'
  - 'libpam0g'
  - 'krb5-pkinit'
  - 'pamtester'
  - 'realmd'
  - 'samba'
  - 'sssd'
  - 'sssd-dbus'
  - 'sssd-tools'
  - 'unzip'
4. Install Ubuntu desktop packages
Packages:
  - ubuntu-desktop-minimal
  - vim
  - ubuntustudio-wallpapers-focal
  - okular
  - gnome-software
  - open-vm-tools
  - yaru-theme-gtk
5. Installation of Citrix VDA client 24.11.0.70-1.ubuntu24.04
Dependencies:
  - openjdk-11-jdk
  - postgresql
  - libpostgresql-jdbc-java
  - libxm4
  - libsasl2-2
  - libsasl2-modules-gssapi-mit
  - libldap2
  - krb5-user
  - libgtk2.0-0
  - apt-transport-https
  - dotnet-sdk-8.0
  - gnome-session

After that process, the login via the Citrix federated-authentication-service
works on Ubuntu 22.04, but on Ubuntu 24.04 the error listed above
occurs.

Because of the functional setup with the same Citrix VDA version on Ubuntu 22.04, my supposition is that the problem lies in the Ubuntu 24.04 packages.
Hope this information helps you understand the problem.

Thank you!

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/2098484

Title:
  Pkinit fails with invalid argument

Status in krb5 package in Ubuntu:
  Incomplete

Bug description:
  Hello,

  I am trying to set up a new Linux Citrix VDI on Ubuntu 24.04 with FAS
  (https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configure/authentication/federated-authentication-service).
  For this, the packages krb5-pkinit and libpam-krb5 are required.
  Unfortunately, the login process fails with the following error
  message:

  Preauth module pkinit (16) (real) returned: 22/Invalid argument

  
  For the authentication process the following pam module from Citrix is used:

  #Linux VDA Federated Authentication#
  #%PAM-1.0
  #pam auth
  auth        sufficient    pam_krb5.so try_pkinit preauth_opt=X509_user_identity=PKCS11:/usr/lib/x86_64-linux-gnu/libctxpkcs11.so
  @include    common-auth
  #pam account
  account     sufficient    pam_krb5.so
  @include    common-account
  #pam password
  password    sufficient    pam_krb5.so
  @include    common-password
  #pam session
  session     optional      pam_krb5.so
  @include    common-session

  package versions:

  krb5-pkinit:amd64 1.20.1-6ubuntu2.4
  libpam-krb5:amd64 4.11-1build3

  Is it possible that one of the arguments inside the PAM module is not correct?
  The same process (the servers are set up via Ansible) is working on a 22.04 machine, logically with other package versions.

  
  --------------

  1) lsb_release -rd:
  No LSB modules are available.
  Description:	Ubuntu 24.04.2 LTS
  Release:	24.04

  2) apt-cache policy krb5-pkinit
  krb5-pkinit:
    Installed: 1.20.1-6ubuntu2.4
    Candidate: 1.20.1-6ubuntu2.4

  Thank you!

  Regards,
  Manuel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/2098484/+subscriptions



