1704199 – pcscd rejecting sssd ldap_child as unauthorized

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1704199 - pcscd rejecting sssd ldap_child as unauthorized

Summary: pcscd rejecting sssd ldap_child as unauthorized

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.2
Assignee:	Sumit Bose
QA Contact:	sssd-qe
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-04-29 10:12 UTC by amitkuma
Modified:	2023-03-24 14:46 UTC (History)
CC List:	12 users (show)
Fixed In Version:	sssd-2.2.3-6.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-28 16:55:59 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 5087	None	closed	pcscd rejecting sssd ldap_child as unauthorized	2021-02-18 14:36:46 UTC
Red Hat Issue Tracker	SSSD-1748	None	None	None	2022-08-03 12:46:47 UTC
Red Hat Product Errata	RHBA-2020:1863	None	None	None	2020-04-28 16:56:22 UTC

Description amitkuma 2019-04-29 10:12:49 UTC

Description of problem:
Authentication does work, But getting these in /var/log/messages about every 80 seconds:

*************/var/log/messages/**************
Feb  8 11:53:45  pcscd[]:  auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory
Feb  8 11:53:45  pcscd[]: 00000020 auth.c:137:IsClientAuthorized() Process 10833 (user: 0) is NOT authorized for action: access_pcsc
Feb  8 11:53:45  pcscd[]: 00000014 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Feb  8 11:53:45  pcscd[]: 00000407 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory
Feb  8 11:53:45  pcscd[]: 00000006 auth.c:137:IsClientAuthorized() Process 10835 (user: 0) is NOT authorized for action: access_pcsc
Feb  8 11:53:45  pcscd[]: 00000091 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
***********************************************


************Diagnostic Steps********************
1. Installed polkit rules as mentioned below and done restart, still issue persists.
# /usr/share/polkit-1/rules.d/sssd-pcsc.rules
// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as
// unprivileged user 'sssd' to allow access to the Smartcard via pcscd.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.user == "sssd") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "sssd") {
            return polkit.Result.YES;
    }
});
# service polkit restart
2. Tried changing all of the "auth-admin" to "yes" in /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy. But it did not make a difference.
************************************************


**************Workaround***********************
- Created a copy of /etc/krb5.conf, e.g. /etc/krb5.conf.sssd, remove the pkinit_identities lines only in the copy and "KRB5_CONFIG=/etc/krb5.conf.sssd" to /etc/sysconfig/sssd.
- This way SSSD and all its sub-processes should read /etc/krb5.conf.sssd instead of /etc/krb5.conf but all other processes in the system should continue to use /etc/krb5.conf.
- This way /var/log/messages does not see p11_child rejected message from pcscd.
*************************************************


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8
sssd-2.0.0-43.el8.x86_64
pcsc-lite-1.8.23-3.el8.x86_64
Smart card reader
Bus 003 Device 003: ID 413c:2101 Dell Computer Corp. SmartCard Reader Keyboard


How reproducible:
All times in Customer's env

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
Customer want solution rather than workaround.

Additional info:

Comment 1 Sumit Bose 2019-04-29 13:09:24 UTC

If two ldap_child processes are running more or less in parallel and pkinit_identities is set in krb5.conf there is a chance that both krb5_child processes block each other in MIT Kerberos' pkinit plugin or in the OpenSC PKCS#11 module. Since ldap_child does not use pkinit at all but a keytab it would be best to make sure that pkinit is not used at all e.g. by calling krb5_get_init_creds_opt_set_pa() for "X509_user_identity" with an invalid type.

Comment 2 amitkuma 2019-08-30 11:00:32 UTC

Sumit, attached case is closed. 

=====#26  (Customer)  Make PrivatePrivate Helps Resolution?  0========
  
Created By: Ray Rocker  (4/24/2019 7:12 PM)
Vinay,

The workaround of using a separate krb5.conf for sssd w/o pkinit_identities did solve the problem.

I hope the issue is still being worked in sssd? Would rather not have to keep using this workaround after RHEL 8 is released.

No further assistance is needed at this time, this case may be closed.   Thanks -- Ray
=====================================================================

Comment 3 Sumit Bose 2019-08-30 11:16:42 UTC

(In reply to amitkuma from comment #2)
> Sumit, attached case is closed. 
> 

Thanks for the info.

> =====#26  (Customer)  Make PrivatePrivate Helps Resolution?  0========
>   
> Created By: Ray Rocker  (4/24/2019 7:12 PM)
> Vinay,
> 
> The workaround of using a separate krb5.conf for sssd w/o pkinit_identities
> did solve the problem.
> 
> I hope the issue is still being worked in sssd? Would rather not have to
> keep using this workaround after RHEL 8 is released.

But I think it would be good to fix the issue nonetheless.

bye,
Sumit

> 
> No further assistance is needed at this time, this case may be closed.  
> Thanks -- Ray
> =====================================================================

Comment 7 Sumit Bose 2019-12-06 11:29:05 UTC

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4126

Comment 8 Michal Zidek 2019-12-14 00:54:30 UTC

master:
    580d618

Comment 10 Scott Poore 2020-01-15 15:59:46 UTC

Verified

Version ::

sssd-2.2.3-6.el8.x86_64

Results ::

First reproducing error

Setup IPA Smart Card Authentication configuration.

On IPA Server, make sure PKINIT is configured:


On IPA Client, 

add pkinit_identities to /etc/krb5.conf
# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.TEST
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
  pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so


[realms]
  IPA.TEST = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .ipa.test = IPA.TEST
  ipa.test = IPA.TEST
  client.ipa.test = IPA.TEST


Connect smart card reader and make sure pcscd is enabled

systemctl enable pcscd
systemctl start pcscd

Restart sssd

systemctl restart sssd

In Logs I see:

Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000000 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file >
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000101 auth.c:137:IsClientAuthorized() Process 6415 (user: 0) is NOT authorized for action: access_pcsc
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000012 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00001611 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file >
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000011 auth.c:137:IsClientAuthorized() Process 6419 (user: 0) is NOT authorized for action: access_pcsc
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000092 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client


Now, upgrade sssd:

[root@client yum.repos.d]# dnf update sssd
...
Find any left behind:

[root@client yum.repos.d]# rpm -qa|grep 2.2.3-4
...
Update those

[root@client yum.repos.d]# dnf update libsss_certmap libsss_autofs libsss_sudo libsss_nss_idmap sssd-nfs-idmap python3-sss-murmur
...

Check log:

Jan 15 09:55:50 client.ipa.test sssd[be[ipa.test]][11173]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[sudo][11177]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[pam][11175]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[nss][11174]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[pac][11178]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[ssh][11176]: Starting up
Jan 15 09:55:50 client.ipa.test systemd[1]: Started System Security Services Daemon.


Check again after 2 minutes or more:

[root@client yum.repos.d]# date; journalctl -xel --since 09:55:51 --no-pager
Wed Jan 15 09:58:53 CST 2020
-- Logs begin at Thu 2020-01-02 10:59:01 CST, end at Wed 2020-01-15 09:55:50 CST. --
-- No entries --

Comment 12 errata-xmlrpc 2020-04-28 16:55:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863

Note You need to log in before you can comment on or make changes to this bug.