Bug 1672780
Summary: | gdm login not prompting for username when smart card maps to multiple users
---|---
Product: | Red Hat Enterprise Linux 8
Reporter: | Scott Poore <spoore>
Component: | sssd
Assignee: | SSSD Maintainers <sssd-maint>
Status: | CLOSED CURRENTRELEASE
QA Contact: | Steeve Goveas <sgoveas>
Severity: | high
Docs Contact: |
Priority: | urgent
Version: | 8.0
CC: | grajaiya, jhrozek, jwboyer, lslebodn, mzidek, pbrezina, sbose, tscherf
Target Milestone: | rc
Keywords: | TestBlocker
Target Release: | 8.0
Hardware: | Unspecified
OS: | Unspecified
Whiteboard: |
Fixed In Version: | sssd-2.0.0-43.el8
Doc Type: | If docs needed, set a value
Doc Text: |
Story Points: | ---
Clone Of: |
Environment: |
Last Closed: | 2019-06-14 01:55:11 UTC
Type: | Bug
Regression: | ---
Mount Type: | ---
Documentation: | ---
CRM: |
Verified Versions: |
Category: | ---
oVirt Team: | ---
RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | ---
Target Upstream Version: |
Embargoed: |
Attachments: |
Description
Scott Poore
2019-02-05 21:54:55 UTC
Created attachment 1527302 [details]
sssd logs
From Journal with gnome custom debug enabled, I see:

```
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmManager: trying to open new session
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmDBusServer: new connection 0x5641f9dc4e80
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Handling new connection from outside
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmManager: client connected
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmDisplay: Got timed login details for display: 0
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: starting conversation gdm-smartcard
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSessionWorkerJob: Starting worker...
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSessionWorkerJob: Running session_worker_job process: gdm-session-worker [pam/gdm-smartcard] /usr/libexec/gdm-session-worker
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSessionWorkerJob: : SessionWorkerJob on pid 2512
Feb 05 15:39:17 rhel8-2.example.com gdm-smartcard][2512]: Enabling debugging
Feb 05 15:39:17 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: connecting to address: unix:abstract=/tmp/dbus-Cykt5jlv
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmDBusServer: new connection 0x5641f9dc4b80
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Handling new connection from worker
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Authenticating new connection
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: worker connection is 0x5641f9dc4b80
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Emitting conversation-started signal
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmManager: session conversation started for service gdm-smartcard
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Beginning initialization
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: getting session command for file 'gnome.desktop'
Feb 05 15:39:17 rhel8-2.example.com gdm[911]: GdmSession: Conversation started
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: system OS is 'rhel'
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: system OS version is '8.0'
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: Failed to identify the current session: No data available
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: seat unloaded, so trying to set loaded property
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: Seat wouldn't load, so giving up on it and setting loaded property
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: AccountsService: ActUserManager: already loaded, so not setting loaded property
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: attempting to change state to SETUP_COMPLETE
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: initializing PAM; service=gdm-smartcard username=(null) seat=seat0
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: Set PAM environment variable: 'XDG_SEAT=seat0'
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: state SETUP_COMPLETE
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: attempting to change state to AUTHENTICATED
Feb 05 15:39:18 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: authenticating user (null)
Feb 05 15:39:21 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: 1 new messages received from PAM
Feb 05 15:39:21 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: username is '<unset>'
Feb 05 15:39:21 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: old-username='<unset>' new-username='<unset>'
Feb 05 15:39:21 rhel8-2.example.com gdm-smartcard][2512]: GdmSessionWorker: received pam message of type 1 with payload 'Password: '
```

FYI, I was able to confirm the same happens with just IPA users, so no AD trust is needed to reproduce.

Hi Scott,

did you enable user name hints with 'ipa certmapconfig-mod --promptusername=True'?

HTH

bye,
Sumit

It was already enabled:

```
[root@rhel8-2 ~]# ipa certmapconfig-show
  Prompt for the username: TRUE
```

I did even try disabling and re-enabling it:

```
[root@rhel8-2 ~]# history|grep certmapconfig-mod
  945  ipa certmapconfig-mod --promptusername=False
  968  ipa certmapconfig-mod --promptusername=True
 1016  history|grep certmapconfig-mod
[root@rhel8-2 ~]#
```

Is this maybe a GDM bug?

(In reply to Scott Poore from comment #5)
> It was already enabled:
>
> [root@rhel8-2 ~]# ipa certmapconfig-show
>   Prompt for the username: TRUE
>
> I did even try disabling and re-enabling it:
>
> [root@rhel8-2 ~]# history|grep certmapconfig-mod
>   945  ipa certmapconfig-mod --promptusername=False
>   968  ipa certmapconfig-mod --promptusername=True
>  1016  history|grep certmapconfig-mod
> [root@rhel8-2 ~]#
>
> Is this maybe a GDM bug?

No, according to the SSSD logs SSSD thinks the flag is not set. Do you have a reproducer system where I can log in and check?

bye,
Sumit

Hi,

SSSD does not handle the flag well if multiple domains are configured, which is the default on RHEL8 because of the implicit_files domain. Adding 'enable_files_domain = false' to the [sssd] section can be used as a workaround.

There was a similar issue with certificate maps and I thought I had fixed this as well, but it looks like I was wrong.

bye,
Sumit

Upstream ticket: https://pagure.io/SSSD/sssd/issue/3949

Asking for exception+ or blocker+ (?) for this bug because it breaks multiple tests covering Smart Card Authentication.

Justification for exception is that it prevents users from using a Smart Card when the certificate on the card is mapped to multiple accounts. One example of this is the case where a user has a Smart Card to login to both IPA and AD accounts. Another example is multiple accounts in the same domain for different roles.

Although there is a workaround, it's not ideal for all cases because it disables the implicit files domain.

* master: 3eb99a171f59454fc2ec130b3e5052b3de5569a2

Verified.

Version::
sssd-2.0.0-43.el8.x86_64

Results ::

```
[root@rhel8-2 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs
Object 0:
        URL: pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=ipauser1-01%20%28MyEID%29;id=%01;object=cert.01;type=cert
        Type: X.509 Certificate (RSA-2048)
        Expires: Fri Feb 5 14:53:40 2021
        Label: cert.01
        ID: 01

[root@rhel8-2 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=ipauser1-01%20%28MyEID%29;id=%01;object=cert.01;type=cert' --outfile /tmp/multiuser.crt

[root@rhel8-2 ~]# ipa certmap-match /tmp/multiuser.crt
---------------
2 users matched
---------------
  Domain: EXAMPLE.COM
  User logins: ipauser1, ipauser2
----------------------------
Number of entries returned 1
----------------------------

[root@rhel8-2 ~]# ipa certmapconfig-show
  Prompt for the username: TRUE

[root@rhel8-2 ~]# grep -ri enable_files_domain /etc/sssd
[root@rhel8-2 ~]#
```

Now from GDM Login screen I remove and re-insert card in reader.

Prompts for PIN
Prompts for User name hint

Created attachment 1529465 [details]
verification gdm login smart card pin prompt
Created attachment 1529481 [details]
verification gdm login smart card username hint prompt
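An added triage helper for the condition described in this bug (not code from the bug report or from SSSD): it works out which domains SSSD would run with from an sssd.conf, counting the implicit files domain unless 'enable_files_domain = false' is set in [sssd], and how many users 'ipa certmap-match' mapped a card certificate to, so an admin can tell whether a host is in the affected multi-user, multi-domain setup. The sssd.conf and certmap-match output are constructed samples.

```python
# Added triage helper for the SSSD username-hint bug described above: it works out
# which domains SSSD would run with (the implicit files domain counts unless disabled
# in [sssd]) and how many users 'ipa certmap-match' mapped a card certificate to.
import configparser
import re

# Constructed sample: default-style RHEL 8 IPA client config, one explicit domain.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example.com
services = nss, pam, ssh, sudo

[domain/example.com]
id_provider = ipa
ipa_server = ipa.example.com
"""

# Constructed sample of 'ipa certmap-match' output for a cert mapped to two users.
SAMPLE_CERTMAP_MATCH = """\
---------------
2 users matched
---------------
  Domain: EXAMPLE.COM
  User logins: ipauser1, ipauser2
"""

def effective_domains(conf_text):
    """Domains SSSD would start, including 'implicit_files' unless
    'enable_files_domain = false' is set in the [sssd] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    if sssd.get("enable_files_domain", "true").strip().lower() != "false":
        domains.append("implicit_files")  # added by SSSD 2.x on RHEL 8 by default
    return domains

def matched_users(certmap_output):
    """User logins listed by 'ipa certmap-match', across all reported domains."""
    users = []
    for m in re.finditer(r"User logins:\s*(.+)", certmap_output):
        users.extend(u.strip() for u in m.group(1).split(","))
    return users

def needs_workaround(conf_text, certmap_output):
    """True for the affected setup: a multi-user certificate on a multi-domain SSSD."""
    return len(matched_users(certmap_output)) > 1 and len(effective_domains(conf_text)) > 1
```

Run it against the real /etc/sssd/sssd.conf and the output of `ipa certmap-match` on the card's exported certificate to see whether the workaround (or the fixed sssd build) applies to a host.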