Bug 1704199
| Summary: | pcscd rejecting sssd ldap_child as unauthorized | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | amitkuma |
| Component: | sssd | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | sssd-qe <sssd-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.1 | CC: | cilmar, cobrown, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sbose, sgoveas, spoore, thalman, tscherf |
| Target Milestone: | rc | Flags: | jhrozek: mirror+ |
| Target Release: | 8.2 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | sync-to-jira | ||
| Fixed In Version: | sssd-2.2.3-6.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-28 16:55:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
If two ldap_child processes are running more or less in parallel and pkinit_identities is set in krb5.conf there is a chance that both krb5_child processes block each other in MIT Kerberos' pkinit plugin or in the OpenSC PKCS#11 module. Since ldap_child does not use pkinit at all but a keytab it would be best to make sure that pkinit is not used at all, e.g. by calling krb5_get_init_creds_opt_set_pa() for "X509_user_identity" with an invalid type.

Sumit, attached case is closed.

=====#26 (Customer)========
Created By: Ray Rocker (4/24/2019 7:12 PM)
Vinay,

The workaround of using a separate krb5.conf for sssd w/o pkinit_identities did solve the problem.

I hope the issue is still being worked in sssd? Would rather not have to keep using this workaround after RHEL 8 is released.

No further assistance is needed at this time, this case may be closed.
Thanks -- Ray
=====================================================================

(In reply to amitkuma from comment #2)
> Sumit, attached case is closed.
>

Thanks for the info.

> =====#26 (Customer)========
> Created By: Ray Rocker (4/24/2019 7:12 PM)
> Vinay,
>
> The workaround of using a separate krb5.conf for sssd w/o pkinit_identities
> did solve the problem.
>
> I hope the issue is still being worked in sssd? Would rather not have to
> keep using this workaround after RHEL 8 is released.

But I think it would be good to fix the issue nonetheless.

bye,
Sumit

>
> No further assistance is needed at this time, this case may be closed.
> Thanks -- Ray
> =====================================================================

Upstream ticket: https://pagure.io/SSSD/sssd/issue/4126

master: 580d618
Verified
Version ::
sssd-2.2.3-6.el8.x86_64
Results ::
First reproducing error
Setup IPA Smart Card Authentication configuration.
On IPA Server, make sure PKINIT is configured:
On IPA Client,
add pkinit_identities to /etc/krb5.conf
# cat /etc/krb5.conf
#File modified by ipa-client-install
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = IPA.TEST
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
[realms]
IPA.TEST = {
pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
}
[domain_realm]
.ipa.test = IPA.TEST
ipa.test = IPA.TEST
client.ipa.test = IPA.TEST
Connect smart card reader and make sure pcscd is enabled
systemctl enable pcscd
systemctl start pcscd
Restart sssd
systemctl restart sssd
In Logs I see:
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000000 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file >
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000101 auth.c:137:IsClientAuthorized() Process 6415 (user: 0) is NOT authorized for action: access_pcsc
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000012 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00001611 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file >
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000011 auth.c:137:IsClientAuthorized() Process 6419 (user: 0) is NOT authorized for action: access_pcsc
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000092 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Now, upgrade sssd:
[root@client yum.repos.d]# dnf update sssd
...
Find any left behind:
[root@client yum.repos.d]# rpm -qa|grep 2.2.3-4
...
Update those
[root@client yum.repos.d]# dnf update libsss_certmap libsss_autofs libsss_sudo libsss_nss_idmap sssd-nfs-idmap python3-sss-murmur
...
Check log:
Jan 15 09:55:50 client.ipa.test sssd[be[ipa.test]][11173]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[sudo][11177]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[pam][11175]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[nss][11174]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[pac][11178]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[ssh][11176]: Starting up
Jan 15 09:55:50 client.ipa.test systemd[1]: Started System Security Services Daemon.
Check again after 2 minutes or more:
[root@client yum.repos.d]# date; journalctl -xel --since 09:55:51 --no-pager
Wed Jan 15 09:58:53 CST 2020
-- Logs begin at Thu 2020-01-02 10:59:01 CST, end at Wed 2020-01-15 09:55:50 CST. --
-- No entries --
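The verification above checks the journal by eye for the three-line pcscd rejection pattern before and after the upgrade. As an added example, not code from this bug report, sssd or pcsc-lite, the POSIX shell functions below pull the rejected client PID, uid and polkit action out of such log text, count the rejections, and exit non-zero while any are present, so the "check again after a few minutes" step can be scripted. The sample log is constructed from the lines quoted in this report; the /proc path in it is made up where the quoted line was truncated.

```shell
#!/bin/sh
# Added example (not from the bug report, sssd or pcsc-lite): triage pcscd's
# polkit rejections in journal/syslog text so the pre- and post-upgrade checks
# can be scripted instead of read by eye.

# One "pid uid action" line per "... is NOT authorized for action: ..." entry.
pcsc_rejected_clients() {
    sed -n 's/.*IsClientAuthorized() Process \([0-9][0-9]*\) (user: \([0-9][0-9]*\)) is NOT authorized for action: \([A-Za-z_]*\).*/\1 \2 \3/p' "$1"
}

# Number of connections pcscd actually dropped.
pcsc_rejection_count() {
    grep -c 'Rejected unauthorized PC/SC client' "$1" || true
}

# Rejections where polkit could not even read the client's /proc entry
# (GLib file-error code 4 is "No such file or directory"): the client had
# already exited, which is what a short-lived helper such as ldap_child looks
# like from pcscd's side.
pcsc_vanished_client_count() {
    grep -c 'IsClientAuthorized() Error in authorization: .*Failed to open file' "$1" || true
}

# Human-readable summary; exit status 1 when any rejection is present, so the
# function doubles as a pass/fail check after an upgrade.
pcsc_rejection_report() {
    n=$(pcsc_rejection_count "$1")
    v=$(pcsc_vanished_client_count "$1")
    printf 'rejected clients: %s (of which already exited: %s)\n' "$n" "$v"
    pcsc_rejected_clients "$1" | while read -r pid uid action; do
        printf '  pid %s uid %s action %s\n' "$pid" "$uid" "$action"
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: the two rejection triplets quoted in this report, with a
# made-up /proc path where the quoted line was truncated.
write_sample_pcscd_log() {
    cat > "$1" <<'EOF'
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000000 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file "/proc/6415/status": No such file or directory
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000101 auth.c:137:IsClientAuthorized() Process 6415 (user: 0) is NOT authorized for action: access_pcsc
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000012 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00001611 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file "/proc/6419/status": No such file or directory
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000011 auth.c:137:IsClientAuthorized() Process 6419 (user: 0) is NOT authorized for action: access_pcsc
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000092 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
EOF
}

# Demo on the constructed sample. On a real host capture the input with
# something like:  journalctl -u pcscd --no-pager > /tmp/pcscd.log
sample=$(mktemp)
write_sample_pcscd_log "$sample"
pcsc_rejection_report "$sample" || echo "rejections still present"
rm -f "$sample"
```

The "already exited" counter is the tell for this bug: every rejection in the report is paired with a failed /proc lookup, i.e. the client was gone before polkit could identify it, which fits a helper that connects to pcscd only as a side effect of pkinit and exits right after. A fixed host should report zero rejections over the same window in which the broken one showed them about every 80 seconds.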
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1863
Description of problem:
Authentication does work, but getting these in /var/log/messages about every 80 seconds:

*************/var/log/messages/**************
Feb 8 11:53:45 pcscd[]: auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory
Feb 8 11:53:45 pcscd[]: 00000020 auth.c:137:IsClientAuthorized() Process 10833 (user: 0) is NOT authorized for action: access_pcsc
Feb 8 11:53:45 pcscd[]: 00000014 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Feb 8 11:53:45 pcscd[]: 00000407 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory
Feb 8 11:53:45 pcscd[]: 00000006 auth.c:137:IsClientAuthorized() Process 10835 (user: 0) is NOT authorized for action: access_pcsc
Feb 8 11:53:45 pcscd[]: 00000091 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
***********************************************

************Diagnostic Steps********************
1. Installed the polkit rules shown below and restarted, but the issue still persists.

# /usr/share/polkit-1/rules.d/sssd-pcsc.rules
// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as
// unprivileged user 'sssd' to allow access to the Smartcard via pcscd.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.user == "sssd") {
        return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "sssd") {
        return polkit.Result.YES;
    }
});

# service polkit restart

2. Tried changing all of the "auth-admin" to "yes" in /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy. But it did not make a difference.
************************************************

**************Workaround***********************
- Created a copy of /etc/krb5.conf, e.g. /etc/krb5.conf.sssd, removed the pkinit_identities lines only in the copy and added "KRB5_CONFIG=/etc/krb5.conf.sssd" to /etc/sysconfig/sssd.
- This way SSSD and all its sub-processes should read /etc/krb5.conf.sssd instead of /etc/krb5.conf, but all other processes in the system should continue to use /etc/krb5.conf.
- This way /var/log/messages does not see the p11_child rejected message from pcscd.
*************************************************

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8
sssd-2.0.0-43.el8.x86_64
pcsc-lite-1.8.23-3.el8.x86_64
Smart card reader: Bus 003 Device 003: ID 413c:2101 Dell Computer Corp. SmartCard Reader Keyboard

How reproducible:
All times in Customer's env

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:
Customer wants a solution rather than a workaround.

Additional info:
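The workaround in the description is a three-step manual procedure (copy krb5.conf, strip pkinit_identities from the copy, point SSSD at the copy through /etc/sysconfig/sssd). As an added example, not code from this report or from sssd, the POSIX shell functions below do those steps with the paths as parameters, so they can be tried in a scratch directory before being run against the real files; the sample krb5.conf is constructed after the one quoted in the verification comment, and /etc/krb5.conf, /etc/krb5.conf.sssd and /etc/sysconfig/sssd are the paths the report itself names.

```shell
#!/bin/sh
# Added example (not from the bug report or sssd): apply the "separate
# krb5.conf for SSSD" workaround. All paths are parameters; on a real host
# they would be /etc/krb5.conf, /etc/krb5.conf.sssd and /etc/sysconfig/sssd.

# Write a copy of $1 to $2 with every pkinit_identities line removed.
# pkinit_anchors, pkinit_pool and the includedir lines are kept: only the
# client-side identity lookup, which is what loads the PKCS#11 module and
# talks to pcscd, disappears. The original file is never modified.
make_sssd_krb5_conf() {
    src=$1; dst=$2
    sed '/^[[:space:]]*pkinit_identities[[:space:]]*=/d' "$src" > "$dst"
    chmod 644 "$dst"
}

# Set KRB5_CONFIG=<conf> in the sysconfig file $2, replacing any existing
# KRB5_CONFIG line so repeated runs do not pile up duplicates.
set_sssd_krb5_config() {
    conf=$1; sysconfig=$2
    [ -f "$sysconfig" ] || : > "$sysconfig"
    grep -v '^KRB5_CONFIG=' "$sysconfig" > "$sysconfig.tmp" || true
    printf 'KRB5_CONFIG=%s\n' "$conf" >> "$sysconfig.tmp"
    mv "$sysconfig.tmp" "$sysconfig"
}

# Returns 0 when the original still carries pkinit_identities (the system-wide
# config must stay intact for users' smart card logins) and the copy has none.
check_workaround() {
    src=$1; dst=$2
    grep -q '^[[:space:]]*pkinit_identities' "$src" &&
    ! grep -q '^[[:space:]]*pkinit_identities' "$dst"
}

# Constructed sample modelled on the krb5.conf quoted in the verification.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
includedir /etc/krb5.conf.d/
[libdefaults]
 default_realm = IPA.TEST
 pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so
[realms]
 IPA.TEST = {
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }
EOF
}

# Demo in a scratch directory. On a real host finish with: systemctl restart sssd
demo=$(mktemp -d)
write_sample_krb5_conf "$demo/krb5.conf"
make_sssd_krb5_conf "$demo/krb5.conf" "$demo/krb5.conf.sssd"
set_sssd_krb5_config "$demo/krb5.conf.sssd" "$demo/sysconfig-sssd"
check_workaround "$demo/krb5.conf" "$demo/krb5.conf.sssd" && echo "workaround applied under $demo"
```

KRB5_CONFIG is inherited by every helper sssd forks (ldap_child, krb5_child, p11_child), which is why the override only needs to be set in the service's environment. The price is that the copy no longer follows /etc/krb5.conf: anything that rewrites the system file later (ipa-client-install, a realm change) has to be mirrored into /etc/krb5.conf.sssd by hand, which is the reason the reporter asked for a fix rather than this workaround.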