Bug 2251709
| Summary: | Update to sssd-2.9.3 breaks user authentication via smartcard | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ralf Schneider <ralf.schneider> | ||||||||
| Component: | sssd | Assignee: | sssd-maintainers <sssd-maintainers> | ||||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | unspecified | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 39 | CC: | abokovoy, atikhono, lslebodn, mzidek, pbrezina, sbose, ssorce, sssd-maintainers | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | x86_64 | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2023-11-27 13:12:17 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Ralf Schneider
2023-11-27 09:28:35 UTC
Could you please provide '/var/log/sssd/p11_child.log' that covers failed attempt? Created attachment 2001675 [details] p11_child.log requested in comment #1 Is this a local user (from /etc/passwd)? Unfortunately, there is no enough information with the default debug level. Could you please add 'debug_level = 9' to the '[pam]' section of 'sssd.conf', clear SSSD logs and restart SSSD, repeat attempt and then provide sanitized 'p11_child.log' and 'sssd_pam.log'? And relevant parts of sssd.conf itself, if possible. Hi Alexey, yes indeed it is a local user from /etc/passwd. My sssd.conf with looks like ----------------------- [sssd] enable_files_domain = True services = nss, pam domains = shadowutils debug_level = 9 [nss] [pam] pam_cert_auth = True pam_verbosity = 10 debug_level = 9 [domain/shadowutils] id_provider = files auth_provider = proxy proxy_pam_target = sssd-shadowutils proxy_fast_alias = True debug_level = 9 [certmap/shadowutils/<snip>My user_id<snap>] matchrule = <SUBJECT>.*CN=<snip>My user_id<snap> ----------------------- The logs should contain two attempts to access the smartcard triggered by pamtester: In the first one I gave the password, pamtester login $USER authenticate Password: pamtester: successfully authenticated In the second one I tried the user key of the smartcard which returned: pamtester login $USER authenticate Password: pamtester: Authentication failure Created attachment 2001678 [details] Extended p11_child.log requested in comment #4 Created attachment 2001679 [details] sssd_pam.log requested in comment #4 Hi,
can you try if adding
local_auth_policy = enable:smartcard
to the [domain/...] section in sssd.conf and restarting SSSD will help?
bye,
Sumit
Hi, that did the trick! Now everything works again as expected. Thanks for the fast support, Ralf One more question, any reason you use ``` id_provider = files ``` and not ``` id_provider = proxy proxy_lib_name = files ``` ? Take a note 'id_provider = files' is a deprecated functionality and most probably will be gone starting F40. Actually there is no special reason besides the fact that I glued the thing together based on rather old HowTo as I now realized. I now changed to id_provider = proxy proxy_lib_name = files and still everything works as expected. Thanks a lot for the hint! |