Bug 1672780

Summary: gdm login not prompting for username when smart card maps to multiple users
Product: Red Hat Enterprise Linux 8 Reporter: Scott Poore <spoore>
Component: sssd    Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Steeve Goveas <sgoveas>
Severity: high Docs Contact:
Priority: urgent    
Version: 8.0    CC: grajaiya, jhrozek, jwboyer, lslebodn, mzidek, pbrezina, sbose, tscherf
Target Milestone: rc    Keywords: TestBlocker
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-2.0.0-43.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-14 01:55:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments (Description / Flags):
  sssd logs / none
  verification gdm login smart card pin prompt / none
  verification gdm login smart card username hint prompt / none

Description Scott Poore 2019-02-05 21:54:55 UTC
Description of problem:

On an IPA Client with a Smart Card certificate mapping properly to two Active Directory users, I expected the GDM Login prompt to ask for the Smart Card PIN and then the username hint.  It did not.  It just prompts for a password.

Other Smart Card authentication on the client works as expected:

[root@rhel8-2 ~]# su - ipacertmultiuser1 -c "su - ipacertmultiuser1 -c whoami"
PIN for ipauser1-01 (MyEID)
ipacertmultiuser1

[root@rhel8-2 ~]# su - ipacertmultiuser2 -c "su - ipacertmultiuser2 -c whoami"
PIN for ipauser1-01 (MyEID)
ipacertmultiuser2

Version-Release number of selected component (if applicable):
# rpm -q sssd gdm authselect ipa-client
sssd-2.0.0-38.el8.x86_64
gdm-3.28.3-17.el8.x86_64
authselect-1.0-11.el8.x86_64
ipa-client-4.7.1-10.module+el8+2699+aa606a46.x86_64


How reproducible:
Unknown

Steps to Reproduce:
1. Setup IPA Server and Client to enable Smart Card authentication
2. Setup Trust with AD and add mapping for cert from card to two AD users 
3. Insert card in reader

Actual results:
Prompted for password

Expected results:
expect GDM Login screen to prompt for PIN of card and then the username hint.

Additional info:


In sssd_pam.log I see:

(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x4000): Found [1] certificates and [2] related users.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x0020): More than one user mapped to certificate.
...
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.

Note that if I remove the mapping for one of the users, I can log in with the PIN prompt.  There is no username hint prompt in that case (as expected).

Comment 1 Scott Poore 2019-02-05 21:56:23 UTC
Created attachment 1527302 [details]
sssd logs

Comment 2 Scott Poore 2019-02-05 21:56:53 UTC
From Journal with gnome custom debug enabled, I see:

Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmManager: trying to open new session
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmDBusServer: new connection 0x5641f9dc4e80
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Handling new connection from outside
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmManager: client connected
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmDisplay: Got timed login details for display: 0
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: starting conversation gdm-smartcard
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSessionWorkerJob: Starting worker...
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSessionWorkerJob: Running session_worker_job process: gdm-session-worker [pam/gdm-smartcard] /usr/libexec/gdm-session-worker
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSessionWorkerJob: : SessionWorkerJob on pid 2512
Feb 05 15:39:17 rhel8-2.example.com gdm-smartcard][2512]: Enabling debugging
Feb 05 15:39:17 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: connecting to address: unix:abstract=/tmp/dbus-Cykt5jlv
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmDBusServer: new connection 0x5641f9dc4b80
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Handling new connection from worker
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Authenticating new connection
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: worker connection is 0x5641f9dc4b80
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Emitting conversation-started signal
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmManager: session conversation started for service gdm-smartcard
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Beginning initialization
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: getting session command for file 'gnome.desktop'
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Conversation started
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: system OS is 'rhel'
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: system OS version is '8.0'
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: Failed to identify the current session: No data available
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: seat unloaded, so trying to set loaded property
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: Seat wouldn't load, so giving up on it and setting loaded property
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: already loaded, so not setting loaded property
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: attempting to change state to SETUP_COMPLETE
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: initializing PAM; service=gdm-smartcard username=(null) seat=seat0
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: Set PAM environment variable: 'XDG_SEAT=seat0'
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: state SETUP_COMPLETE
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: attempting to change state to AUTHENTICATED
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: authenticating user (null)
Feb 05 15:39:21 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: 1 new messages received from PAM
Feb 05 15:39:21 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: username is '<unset>'
Feb 05 15:39:21 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: old-username='<unset>' new-username='<unset>'
Feb 05 15:39:21 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: received pam message of type 1 with payload 'Password: '

Comment 3 Scott Poore 2019-02-07 00:45:01 UTC
FYI, I was able to confirm the same happens with just IPA users, so no AD trust is needed to reproduce.

Comment 4 Sumit Bose 2019-02-07 07:28:43 UTC
Hi Scott,

did you enable user name hints with 'ipa certmapconfig-mod --promptusername=True' ?

HTH

bye,
Sumit

Comment 5 Scott Poore 2019-02-07 13:18:13 UTC
It was already enabled:

[root@rhel8-2 ~]# ipa certmapconfig-show
  Prompt for the username: TRUE


I did even try disabling and re-enabling it:

[root@rhel8-2 ~]# history|grep certmapconfig-mod
  945  ipa certmapconfig-mod --promptusername=False
  968  ipa certmapconfig-mod --promptusername=True
 1016  history|grep certmapconfig-mod
[root@rhel8-2 ~]# 


Is this maybe a GDM bug?

Comment 6 Sumit Bose 2019-02-07 13:52:07 UTC
(In reply to Scott Poore from comment #5)
> It was already enabled:
> 
> [root@rhel8-2 ~]# ipa certmapconfig-show
>   Prompt for the username: TRUE
> 
> 
> I did even try disabling and re-enabling it:
> 
> [root@rhel8-2 ~]# history|grep certmapconfig-mod
>   945  ipa certmapconfig-mod --promptusername=False
>   968  ipa certmapconfig-mod --promptusername=True
>  1016  history|grep certmapconfig-mod
> [root@rhel8-2 ~]# 
> 
> 
> Is this maybe a GDM bug?

No, according to the SSSD logs SSSD thinks the flag is not set. Do you have a reproducer system where I can log in and check?

bye,
Sumit

Comment 7 Sumit Bose 2019-02-07 14:50:04 UTC
Hi,

SSSD does not handle the flag well if multiple domains are configured, which is the default on RHEL 8 because of the implicit_files domain. Adding 'enable_files_domain = false' to the [sssd] section can be used as a workaround. There was a similar issue with certificate maps and I thought I had fixed this as well, but it looks like I was wrong.

bye,
Sumit
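The two diagnostic facts on this page (the sssd_pam.log signature from the description, where a certificate that maps to more than one user is answered with PAM result [8] instead of a username prompt, and the workaround from comment 7, enable_files_domain = false in the [sssd] section) can be checked mechanically before anyone touches the login screen. The script below is an added example written for this page, not code from the bug report or from SSSD. It parses a copy of sssd_pam.log and sssd.conf; the sample log is built from the three lines quoted in the description plus a constructed single-user lookup, and the two sample sssd.conf files are representative IPA-client configurations, not the exact files from the reporter's system. The function names (multiuser_cert_rejected, files_domain_disabled, bug_state, make_samples) are the example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the SSSD project): triage helper
# for bug 1672780.  It answers two questions from a log and a config file:
#   1. did sssd_pam answer a certificate that mapped to several users with
#      PAM result [8] instead of asking for a username hint?
#   2. is the comment 7 workaround (enable_files_domain = false in [sssd])
#      present?
# Both log lines must actually be written, so debug_level in the [pam]
# section has to cover 0x0200 (the level of the pam_reply line on the page).

# Return 0 if the log shows "More than one user mapped to certificate"
# followed later by a pam_reply carrying result [8].
multiuser_cert_rejected() {
    awk '
        /pam_forwarder_lookup_by_cert_done.*More than one user mapped to certificate/ { seen = 1 }
        seen && /\[pam_reply\].*result \[8\]/ { found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 if the [sssd] section of the given sssd.conf sets
# enable_files_domain = false (keys in other sections are ignored).
files_domain_disabled() {
    awk -F= '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && $1 ~ /^[ \t]*enable_files_domain[ \t]*$/ {
            v = tolower($2); gsub(/[ \t]/, "", v)
            if (v == "false") { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print a verdict; return 0 only when the state described in this bug is
# present (multi-user certificate rejected AND implicit files domain enabled).
bug_state() {
    if multiuser_cert_rejected "$1"; then
        if files_domain_disabled "$2"; then
            echo "multi-user certificate rejected although enable_files_domain=false: not the comment 7 case"
            return 1
        fi
        echo "multi-user certificate rejected with PAM result 8 and implicit files domain enabled: matches bug 1672780"
        echo "workaround: add 'enable_files_domain = false' to [sssd] in /etc/sssd/sssd.conf, or update to sssd-2.0.0-43.el8"
        return 0
    fi
    echo "no rejected multi-user certificate lookup found in $1"
    return 1
}

# Write the constructed samples into a directory so the script runs offline.
make_samples() {
    # Failing case: the three lines quoted in the bug description.
    cat > "$1/sssd_pam.log" <<'EOF'
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x4000): Found [1] certificates and [2] related users.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x0020): More than one user mapped to certificate.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
EOF
    # Constructed: a lookup that mapped to a single user and succeeded.
    cat > "$1/sssd_pam_ok.log" <<'EOF'
(Tue Feb  5 15:50:02 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x4000): Found [1] certificates and [1] related users.
(Tue Feb  5 15:50:02 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
EOF
    # Constructed RHEL 8 default: no enable_files_domain line, so the
    # implicit files domain is active.
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
domains = example.com
services = nss, pam, ssh, sudo

[domain/example.com]
id_provider = ipa
EOF
    # Constructed: same configuration with the comment 7 workaround applied.
    cat > "$1/sssd-workaround.conf" <<'EOF'
[sssd]
domains = example.com
services = nss, pam, ssh, sudo
enable_files_domain = false

[domain/example.com]
id_provider = ipa
EOF
}

# Stand-alone demo on the constructed samples.  On a real host pass
# /var/log/sssd/sssd_pam.log and /etc/sssd/sssd.conf instead.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
bug_state "$demo_dir/sssd_pam.log" "$demo_dir/sssd.conf"
rm -rf "$demo_dir"
```

The rejection line is matched on its text rather than on the 0x0020 tag so that the check also works if the log was captured at a higher debug level; the [sssd] section parser deliberately ignores an enable_files_domain key placed in any other section, since SSSD only honours it there.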

Comment 8 Sumit Bose 2019-02-07 16:30:11 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3949

Comment 9 Scott Poore 2019-02-07 16:43:26 UTC
Asking for exception+ or blocker+ (?) for this bug because it breaks multiple tests covering Smart Card Authentication.

Justification for exception is that it prevents users from using a Smart Card when the certificate on the card is mapped to multiple accounts.  One example of this is the case where a user has a Smart Card to login to both IPA and AD accounts.  Another example is multiple accounts in the same domain for different roles.  Although there is a workaround, it's not ideal for all cases because it disables the implicit files domain.

Comment 14 Jakub Hrozek 2019-02-10 20:22:10 UTC
* master: 3eb99a171f59454fc2ec130b3e5052b3de5569a2

Comment 19 Scott Poore 2019-02-11 16:54:57 UTC
Verified.

Version:

sssd-2.0.0-43.el8.x86_64


Results:

[root@rhel8-2 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs
Object 0:
	URL: pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=ipauser1-01%20%28MyEID%29;id=%01;object=cert.01;type=cert
	Type: X.509 Certificate (RSA-2048)
	Expires: Fri Feb  5 14:53:40 2021
	Label: cert.01
	ID: 01


[root@rhel8-2 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=ipauser1-01%20%28MyEID%29;id=%01;object=cert.01;type=cert' --outfile /tmp/multiuser.crt

[root@rhel8-2 ~]# ipa certmap-match /tmp/multiuser.crt
---------------
2 users matched
---------------
  Domain: EXAMPLE.COM
  User logins: ipauser1, ipauser2
----------------------------
Number of entries returned 1
----------------------------

[root@rhel8-2 ~]# ipa certmapconfig-show
  Prompt for the username: TRUE

[root@rhel8-2 ~]# grep -ri enable_files_domain /etc/sssd
[root@rhel8-2 ~]# 


Now from GDM Login screen I remove and re-insert card in reader.

Prompts for PIN
Prompts for User name hint

Comment 20 Scott Poore 2019-02-11 16:55:51 UTC
Created attachment 1529465 [details]
verification gdm login smart card pin prompt

Comment 21 Scott Poore 2019-02-11 16:56:20 UTC
Created attachment 1529481 [details]
verification gdm login smart card username hint prompt