Bug 1551077

Summary: GDM failure loop when no user mapped for smart card
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: sssd-qe <sssd-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5CC: atikhono, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sgoveas, thalman, tscherf
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-1.16.5-10.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-29 19:49:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
user name hint failure screenshot
none
pin prompt failure screenshot none

Description Scott Poore 2018-03-02 17:08:41 UTC 
Description of problem:

When we have a smart card connected that contains certificates that are not mapped to a user, GDM login seems to fail with a repeated loop on either the PIN or User Hint Prompts:

"Sorry that didn't work.  Please try again."

This repeats in a loop.


Version-Release number of selected component (if applicable):
sssd-1.16.0-19.el7.x86_64


How reproducible:
Seems to be reproducible.

Steps to Reproduce:
1.  Setup IPA Env with Smart Card auth enabled.
2.  Add cert on card to user
3.  test
4.  remove certmapdata from user

Actual results:
failure loop


Expected results:
single failure and go back to normal login selection

Additional info:
Comment 3 Scott Poore 2018-03-02 17:11:28 UTC 
Created attachment 1403106 [details]
user name hint failure screenshot
Comment 4 Scott Poore 2018-03-02 17:11:59 UTC 
Created attachment 1403107 [details]
pin prompt failure screenshot
Comment 5 Scott Poore 2018-03-02 17:28:59 UTC 
FYI, I think I'm seeing the same thing when the certificate is revoked.

In my case, the cert on the card was from IPA and I put a revoke hold on the cert in IPA.  I saw the same loop when that was done.
Comment 6 Jakub Hrozek 2019-03-07 21:38:03 UTC 
I'm sorry, but we will not have the capacity to address this bug in 7.7, given that the work has not started and the devel freeze is in about three weeks. Therefore I'm moving the bug to 7.8.

Please push back if you think this bug is important to be fixed in 7.7.
Comment 9 Sumit Bose 2020-06-03 18:47:28 UTC 
Upstream ticket:
https://github.com/SSSD/sssd/issues/5190
Comment 12 Pavel Březina 2020-06-05 09:09:52 UTC 
* `master`
    * 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 - pam_sss: special handling for gdm-smartcard
    * 26c794da31c215fef3e41429f6f13afdaf349bee - pam_sss: add SERVICE_IS_GDM_SMARTCARD
* `sssd-1-16`
    * 5b727ab156d4efc84e41b3306898102a8e572a05 - pam_sss: special handling for gdm-smartcard
    * 77e44c3a67f58b776a0f505bbdba9718f4e1d714 - pam_sss: add SERVICE_IS_GDM_SMARTCARD
Comment 13 Alexey Tikhonov 2020-06-05 16:35:17 UTC 
* `sssd-1-16`
 * e7c7092d81fe63a41ca40ec3e2057d0bd17819ed
 * 89e94440048d1660dc9520c161597dd71c2ecb0c
Comment 16 Scott Poore 2020-06-15 12:49:37 UTC 
Verified.

Version ::

sssd-1.16.5-10.el7.x86_64

Restuls ::

# First checking that authentication works.

[root@rhel7-4 gdm_failure_with_no_user_mapped]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs
Object 0:
	URL: pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=sctest%20%28MyEID%29;id=%01;object=Certificate;type=cert
	Type: X.509 Certificate
	Label: Certificate
	ID: 01


[root@rhel7-4 gdm_failure_with_no_user_mapped]# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=sctest%20%28MyEID%29;id=%01;object=Certificate;type=cert' --outfile card.crt

[root@rhel7-4 gdm_failure_with_no_user_mapped]# ipa certmap-match card.crt
--------------
1 user matched
--------------
  Domain: EXAMPLE.COM
  User logins: ipauser1
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-4 gdm_failure_with_no_user_mapped]# su - ipauser1 -c 'su - ipauser1 -c whoami'
PIN for sctest (MyEID)
ipauser1

# Then clearing certificate from user so no user is mapped

[root@rhel7-4 gdm_failure_with_no_user_mapped]# ipa user-show ipauser1
  User login: ipauser1
  First name: ipauser1
  Last name: lastname
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1
  Principal alias: ipauser1
  Email address: ipauser1
  UID: 603200101
  GID: 603200101
  Certificate: MIIEBjCCAu6gAwIBAgIBRDANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIwMDYxNTEyMTUyMloXDTIyMDYxNjEyMTUyMlowKTEUMBIGA1UECgwLRVhBTVBMRS5DT00xETAPBgNVBAMMCGlwYXVzZXIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuiMJoo0cf6+Cwil7gJ+0r70fYlibWPuB+Enbs08mL+uQOQuJBYOA7jyaQVt6npBB6ji5IbUh/DxiZJzLh1qcYbbU/DhRKyfjgoPFJBjw996DGGLpripGI5vblaEC93RF74Cc7DxQR+YHaPs3nHI+pRKS1BNrBMtPCMcoQSQFwRJvyW7t+6KziHHdyo+/1IYfLARYBZMSLsz5i4BWIqUALEKBPW/FgDLzzk7U+h59ind97epyKcbR80G32d6lGV4r71tivmFAfJrHj55ispZIG2nxhhGRqRryEUx2VwBlPxUDBYTFYHVykeox/D/6UDB9LDZfzd+R9fN/AGy7chjdKQIDAQABo4IBKjCCASYwHwYDVR0jBBgwFoAUOBPXh2aDu9IC55j6ZBoadCNWnjkwPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vaXBhLWNhLmV4YW1wbGUuY29tL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB2BgNVHR8EbzBtMGugM6Axhi9odHRwOi8vaXBhLWNhLmV4YW1wbGUuY29tL2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUlk+gvZYVa3F1xHmqJiNnDvsT84gwDQYJKoZIhvcNAQELBQADggEBACva7aJx6chxeKqstYOa89VVzcevCCPRf/AKk3HpGzSN38eIpSiCU3MjVWB9M9hZIRR1+jozW8jaFyPhuIYGm8eqzrtMHSy1K+g9RWmaaGUJhV756A4eYwXYU6qpFT4fMEGiYo+F8BY685a3SQORRk5bNaPJaPp2HjYpBc6FY7UmhWP9Eu29KmMpgDb51k2OVN64nO7WFU3iffG+LgRhIESH8KmBjNvrIrxWKVH6Ammf20ct7fmFvoF+gOnyDxMfFWdqXzA/6SXEVuxMFnPCq2IhNtfOv/sqVPzMgCO26N1hgRqoUxaNiP2e8uLB3+G5bWhtCu+ONpP7UlAkzWBX4yc=
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-4 gdm_failure_with_no_user_mapped]# ipa user-mod ipauser1 --certificate=''
------------------------
Modified user "ipauser1"
------------------------
  User login: ipauser1
  First name: ipauser1
  Last name: lastname
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1
  Principal alias: ipauser1
  Email address: ipauser1
  UID: 603200101
  GID: 603200101
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-4 gdm_failure_with_no_user_mapped]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel7-4 gdm_failure_with_no_user_mapped]# ipa certmap-match card.crt 
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------



[root@rhel7-4 gdm_failure_with_no_user_mapped]# systemctl restart gdm

# Remove smartcard from reader here
# Then checking with GDM

After GDM comes back up, I see PIN prompt.  When I enter pin it says "Sorry, that didn't work.  Please try again." and returns to the PIN prompt as expected.  There is no more failure loop.

This is expected behavior with the fix.
Comment 19 errata-xmlrpc 2020-09-29 19:49:11 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3904