Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1658813 - PKINIT with KCM does not work
Summary: PKINIT with KCM does not work
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: SSSD Maintainers
QA Contact: Steeve Goveas
Depends On:
Blocks: 1781539
TreeView+ depends on / blocked
Reported: 2018-12-12 21:53 UTC by Jakub Hrozek
Modified: 2020-09-09 12:25 UTC (History)
9 users (show)

Fixed In Version: sssd-2.0.0-31.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1781539 (view as bug list)
Last Closed: 2019-06-14 01:08:35 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4888 0 None closed PKINIT with KCM does not work 2020-09-14 14:33:54 UTC

Description Jakub Hrozek 2018-12-12 21:53:07 UTC
Description of problem:
In case of Smart Card authentication, the krb5_child of sssd runs as root in order to be able to access the pcscd socket and relies on setting the KRB5CCNAME environment variable to access the ccache on behalf of the user.

However, with KCM, root cannot access another user's ccache, see e.g. this explanation by MIT krb5 upstream:

Therefore we need to obtain the credentials as a user who can talk to pcscd (typically root) but then drop the privileges to the user who is logging and and save the credentials to the ccache as that user.

Version-Release number of selected component (if applicable):
up to sssd-2.0-24

How reproducible:

Steps to Reproduce:
1. login to an IPA client with a smart card
2. klist

Actual results:
credential cache KCM:$uid not found

Expected results:
a valid credential cache

Additional info:
see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1441764#c8 or a thread on freeipa-users titled "smartcard auth + kerberos ticket?" from Nov-15 2018.

Comment 1 Jakub Hrozek 2018-12-12 21:57:06 UTC
Upstream ticket:

Comment 2 Jakub Hrozek 2018-12-13 11:10:52 UTC
* master: e49e9f727e4960c8a0a2ed50488dac6e51ddf284

Comment 3 Jakub Hrozek 2018-12-13 11:12:23 UTC
Hi Scott, can you please qa_ack this bug? You found the original issue in https://bugzilla.redhat.com/show_bug.cgi?id=1441764#c8 so I guess you know how to reproduce.

Comment 6 Scott Poore 2019-02-11 20:57:02 UTC

Version ::


Results ::

# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=singleuser1-01%20%28MyEID%29;id=%01;object=cert.01;type=cert' --outfile /tmp/card.crt

# ipa certmap-match /tmp/card.crt
2 users matched
  User logins: singleuser1

  Domain: ad.test
  User logins: adcertsingleuser1
Number of entries returned 2

# su - singleuser1 -c "kdestroy -A"

# su - singleuser1 -c "su - singleuser1 -c klist"
PIN for singleuser1-01 (MyEID)
Ticket cache: KCM:614800473:39355
Default principal: singleuser1@EXAMPLE.COM

Valid starting       Expires              Service principal
02/11/2019 14:50:28  02/12/2019 14:50:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Note You need to log in before you can comment on or make changes to this bug.