This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
[root@dhcp129-88 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 34.el7
Architecture: x86_64
Install Date: Wed 07 Sep 2016 09:57:46 AM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-34.el7.src.rpm
Build Date  : Fri 02 Sep 2016 07:27:36 AM EDT
Build Host  : x86-020.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

When there is a revoked cert and a valid cert on the smartcard, login is successful. When there is an expired cert and a valid cert on the smartcard, the login prompts for the PIN but authentication fails.

This is how I tested with an expired cert:
1. IPA issues a 1 day cert which is stored on the card.
2. I move the system date 2 days ahead.
3. Login using the smartcard fails. The following are the messages in the log:

(Fri Sep 9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x0400): p11_child started.
(Fri Sep 9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running in [auth] mode.
(Fri Sep 9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Fri Sep 9 14:51:17 2016) [[sssd[p11_child[10239]]]] [main] (0x2000): Running with real IDs [0][0].
(Fri Sep 9 14:51:17 2016) [[sssd[p11_child[10239]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Default Module List:
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [(null)].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [Opensc module].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [/usr/lib64/opensc-pkcs11.so].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Dead Module List:
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): DB Module List:
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): dll name: [(null)].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ^A] Manufacturer [Mozilla Foundation ^A] flags [1].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ^A] Manufacturer [Mozilla Foundation ^A] flags [1].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Description [OMNIKEY AG CardMan 3021 00 00 OpenSC (www.opensc-project.org) ^G] Manufacturer [OpenSC (www.opensc-project.org) ^G] flags [7].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Found [OpenSC Card (ipasmartcarduser)] in slot [OMNIKEY AG CardMan 3021 00 00][1] of module [2].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Token is NOT friendly.
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Login required.
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Filtered certificates:
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): Certificate [OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST] not valid [-8181], skipping.
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): VFY_VerifyData failed [-8182].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0040): do_work failed.
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0020): p11_child failed
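As an added example (not part of this bug report or of the sssd project), the following Python parser runs over p11_child debug lines like the ones quoted above and translates the bracketed NSS error codes into their names, so that whoever reviews the sssd log can tell an expired-certificate skip from a signature-verification failure and see whether the child process failed as a whole. The code-to-name table is the relevant subset of NSS's secerr.h (SEC_ERROR_BASE is -8192, so SEC_ERROR_EXPIRED_CERTIFICATE is -8181 and SEC_ERROR_BAD_SIGNATURE is -8182); the two sample logs are constructed after the log in this comment, and the function names are this example's own.

```python
import re

# Subset of NSS error codes relevant to certificate validation, taken from
# NSS secerr.h (SEC_ERROR_BASE = -8192). Codes not listed here are reported
# as UNKNOWN_NSS_ERROR rather than guessed.
NSS_ERRORS = {
    -8184: "SEC_ERROR_INVALID_TIME",
    -8182: "SEC_ERROR_BAD_SIGNATURE",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8180: "SEC_ERROR_REVOKED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
}

# One p11_child debug line: "(timestamp) [[sssd[p11_child[pid]]]] [func] (0xlevel): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[p11_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "Certificate [label][subject] not valid [code], skipping."
NOT_VALID_RE = re.compile(
    r"^Certificate \[(?P<label>[^\]]*)\]\[(?P<subject>[^\]]*)\] "
    r"not valid \[(?P<code>-?\d+)\], skipping\.$"
)
# "VFY_VerifyData failed [code]."
VFY_RE = re.compile(r"^VFY_VerifyData failed \[(?P<code>-?\d+)\]\.$")

# Constructed sample: the failing run from this bug (expired cert on the card).
SAMPLE_FAIL = """\
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): Filtered certificates:
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): Certificate [OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST] not valid [-8181], skipping.
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [do_work] (0x0040): VFY_VerifyData failed [-8182].
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0040): do_work failed.
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10239]]]] [main] (0x0020): p11_child failed
"""

# Constructed sample: a run where the card's certificate passes the checks.
SAMPLE_OK = """\
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10240]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10240]]]] [do_work] (0x4000): Filtered certificates:
(Fri Sep 9 14:51:18 2016) [[sssd[p11_child[10240]]]] [do_work] (0x4000): found cert[OpenSC Card (ipasmartcarduser):Certificate][CN=ipasmartcarduser,O=TESTRELM.TEST]
"""


def nss_error_name(code):
    """Map a numeric NSS error code to its symbolic name."""
    return NSS_ERRORS.get(code, "UNKNOWN_NSS_ERROR")


def parse_line(line):
    """Split one p11_child debug line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text):
    """Summarise one p11_child run: certificates listed, certificates skipped by
    the validity check, signature-verification failures, and overall failure."""
    listed = 0
    skipped = []
    verify_failures = []
    child_failed = False
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a p11_child debug line
        msg = rec["msg"]
        if msg.startswith("found cert["):
            listed += 1
            continue
        m = NOT_VALID_RE.match(msg)
        if m:
            code = int(m.group("code"))
            skipped.append({"subject": m.group("subject"), "code": code,
                            "name": nss_error_name(code)})
            continue
        m = VFY_RE.match(msg)
        if m:
            code = int(m.group("code"))
            verify_failures.append({"code": code, "name": nss_error_name(code)})
            continue
        if rec["func"] == "main" and msg == "p11_child failed":
            child_failed = True
    reasons = [f"{s['name']} ({s['code']}) on {s['subject']}" for s in skipped]
    reasons += [f"VFY_VerifyData: {v['name']} ({v['code']})" for v in verify_failures]
    return {"listed": listed, "skipped": skipped, "verify_failures": verify_failures,
            "child_failed": child_failed, "reasons": reasons}


if __name__ == "__main__":
    for name, text in (("expired cert", SAMPLE_FAIL), ("valid cert", SAMPLE_OK)):
        r = analyze(text)
        print(f"{name}: child_failed={r['child_failed']} listed={r['listed']}")
        for reason in r["reasons"]:
            print("  ", reason)
```

Running the script reports the failing run with two reasons, the expired-certificate skip and the bad-signature result from VFY_VerifyData, and the valid run with none; the same `analyze` function can be fed the full contents of the sssd p11_child log to triage smartcard logins in bulk.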
I forgot to mention that I disabled OCSP checking in sssd.conf.
The "VFY_VerifyData failed [-8182]." was caused by the invalid smartcard which we fixed recently; please re-test with the proper card.
Sumit, I re-tested with a proper card and I was seeing the same issue when there was an expired cert on the card.
[root@dhcp129-34 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.14.0
Release     : 42.el7
Architecture: x86_64
Install Date: Sun 18 Sep 2016 12:54:23 PM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : (none)
Source RPM  : sssd-1.14.0-42.el7.src.rpm
Build Date  : Fri 16 Sep 2016 09:48:09 AM EDT
Build Host  : x86-039.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Login using smartcard is successful when the smartcard contains one expired/revoked cert and one valid cert.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2476.html