Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1658813 - PKINIT with KCM does not work
Summary: PKINIT with KCM does not work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On:
Blocks: 1781539
TreeView+ depends on / blocked
 
Reported: 2018-12-12 21:53 UTC by Jakub Hrozek
Modified: 2020-09-09 12:25 UTC (History)
9 users (show)

Fixed In Version: sssd-2.0.0-31.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1781539 (view as bug list)
Environment:
Last Closed: 2019-06-14 01:08:35 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4888 0 None closed PKINIT with KCM does not work 2020-09-14 14:33:54 UTC

Description Jakub Hrozek 2018-12-12 21:53:07 UTC 
Description of problem:
In case of Smart Card authentication, the krb5_child of sssd runs as root in order to be able to access the pcscd socket and relies on setting the KRB5CCNAME environment variable to access the ccache on behalf of the user.

However, with KCM, root cannot access another user's ccache, see e.g. this explanation by MIT krb5 upstream:
https://github.com/krb5/krb5/pull/557#issuecomment-254834623

Therefore we need to obtain the credentials as a user who can talk to pcscd (typically root) but then drop the privileges to the user who is logging and and save the credentials to the ccache as that user.

Version-Release number of selected component (if applicable):
up to sssd-2.0-24

How reproducible:
always

Steps to Reproduce:
1. login to an IPA client with a smart card
2. klist
3.

Actual results:
credential cache KCM:$uid not found

Expected results:
a valid credential cache

Additional info:
see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1441764#c8 or a thread on freeipa-users titled "smartcard auth + kerberos ticket?" from Nov-15 2018.
Comment 1 Jakub Hrozek 2018-12-12 21:57:06 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3903
Comment 2 Jakub Hrozek 2018-12-13 11:10:52 UTC 
* master: e49e9f727e4960c8a0a2ed50488dac6e51ddf284
Comment 3 Jakub Hrozek 2018-12-13 11:12:23 UTC 
Hi Scott, can you please qa_ack this bug? You found the original issue in https://bugzilla.redhat.com/show_bug.cgi?id=1441764#c8 so I guess you know how to reproduce.
Comment 6 Scott Poore 2019-02-11 20:57:02 UTC 
Verified.

Version ::

sssd-2.0.0-43.el8.x86_64
sssd-kcm-2.0.0-43.el8.x86_64

Results ::


# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=singleuser1-01%20%28MyEID%29;id=%01;object=cert.01;type=cert' --outfile /tmp/card.crt

# ipa certmap-match /tmp/card.crt
---------------
2 users matched
---------------
  Domain: EXAMPLE.COM
  User logins: singleuser1

  Domain: ad.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 2
----------------------------

# su - singleuser1 -c "kdestroy -A"

# su - singleuser1 -c "su - singleuser1 -c klist"
PIN for singleuser1-01 (MyEID)
Ticket cache: KCM:614800473:39355
Default principal: singleuser1@EXAMPLE.COM

Valid starting       Expires              Service principal
02/11/2019 14:50:28  02/12/2019 14:50:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Note You need to log in before you can comment on or make changes to this bug.