Bug 1507683

Summary: GDM password prompt when cert mapped to multiple users and promptusername is False
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: sssd-qe <sssd-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: atikhono, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sgoveas, spoore, thalman, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-1.16.5-10.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:49:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
sssd, messages, and secure log files none

Description Scott Poore 2017-10-30 22:20:46 UTC 
Description of problem:

Smart Card login to GDM on IPA client with certificate mapped to multiple users is behaving unexpectedly when promptusername is set to False.  When I insert the card and GDM at login screen, it blanks.  Then it goes to a "Password" prompt.  There is no indication of which user this is for.  

Version-Release number of selected component (if applicable):
gdm-3.22.3-12.el7.x86_64
sssd-1.15.2-50.el7_4.6.x86_64
ipa-client-4.5.0-21.el7_4.2.2.x86_64


How reproducible:
always on my local test VMs.

Steps to Reproduce:
1. Setup IPA server and client with smart card cert mapped to two users

2. set promptusername to false

ipa certmapconfig-mod --promptusername=False
 
3. Connect smart card reader to client and insert card

Actual results:

password prompt

Expected results:

error message or simply return to user list login screen.

Additional info:
Comment 2 Scott Poore 2017-10-30 22:22:13 UTC 
Created attachment 1345641 [details]
sssd, messages, and secure log files
Comment 3 Scott Poore 2017-10-30 22:23:13 UTC 
Also, FYI, from server:

[root@server ~]# ipa certmapconfig-show
  Prompt for the username: FALSE

[root@server ~]# ipa certmap-match /root/cardcert.crt
---------------
2 users matched
---------------
  Domain: EXAMPLE.TEST
  User logins: ipauser1, ipauser2
----------------------------
Number of entries returned 1
----------------------------
Comment 7 Jakub Hrozek 2019-03-07 21:37:09 UTC 
I'm sorry, but we will not have the capacity to address this bug in 7.7, given that the work has not started and the devel freeze is in about three weeks. Therefore I'm moving the bug to 7.8.

Please push back if you think this bug is important to be fixed in 7.7.
Comment 10 Sumit Bose 2020-06-03 18:46:52 UTC 
Upstream ticket:
https://github.com/SSSD/sssd/issues/5190
Comment 11 Pavel Březina 2020-06-05 09:09:46 UTC 
* `master`
    * 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 - pam_sss: special handling for gdm-smartcard
    * 26c794da31c215fef3e41429f6f13afdaf349bee - pam_sss: add SERVICE_IS_GDM_SMARTCARD
* `sssd-1-16`
    * 5b727ab156d4efc84e41b3306898102a8e572a05 - pam_sss: special handling for gdm-smartcard
    * 77e44c3a67f58b776a0f505bbdba9718f4e1d714 - pam_sss: add SERVICE_IS_GDM_SMARTCARD
Comment 12 Alexey Tikhonov 2020-06-05 16:35:55 UTC 
Update for `sssd-1-16`:
 * e7c7092d81fe63a41ca40ec3e2057d0bd17819ed
 * 89e94440048d1660dc9520c161597dd71c2ecb0c
Comment 16 Scott Poore 2020-06-15 13:02:35 UTC 
Verified.

Version ::

sssd-1.16.5-10.el7.x86_64

Results ::

    First make sure certificate on card maps to two users:

[root@rhel7-4 bugs]# ipa certmap-match ipauser1.crt
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------

[root@rhel7-4 bugs]# ipa user-add-certmapdata ipauser1 --certificate=$(cat ipauser1.crt|sed '/CERT/d'|tr -d '\r\n')
---------------------------------------------
Added certificate mappings to user "ipauser1"
---------------------------------------------
User login: ipauser1
Certificate mapping data: X509:<I>O=EXAMPLE.COM,CN=Certificate Authority<S>O=EXAMPLE.COM,CN=ipauser1

[root@rhel7-4 bugs]# ipa user-add-certmapdata ipauser2 --certificate=$(cat ipauser1.crt|sed '/CERT/d'|tr -d '\r\n')
---------------------------------------------
Added certificate mappings to user "ipauser2"
---------------------------------------------
User login: ipauser2
Certificate mapping data: X509:<I>O=EXAMPLE.COM,CN=Certificate Authority<S>O=EXAMPLE.COM,CN=ipauser1

[root@rhel7-4 bugs]# ipa certmap-match ipauser1.crt
---------------
2 users matched
---------------
Domain: EXAMPLE.COM
User logins: ipauser1, ipauser2
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-4 bugs]# ipa certmapconfig-show
Prompt for the username: TRUE

[root@rhel7-4 bugs]# ipa certmapconfig-mod --promptusername=False
Prompt for the username: FALSE

 

    Here I removed the card from reader

[root@rhel7-4 bugs]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-4 bugs]# systemctl restart gdm

    Now insert card 

I see PIN prompt

enter PIN and it returns "Sorry, that didn't work.  Please try again." and returns to PIN prompt as expected.

 

This is expected behavior with this fix.
Comment 19 errata-xmlrpc 2020-09-29 19:49:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904