Bug 1704199 - pcscd rejecting sssd ldap_child as unauthorized
Summary: pcscd rejecting sssd ldap_child as unauthorized
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.2
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2019-04-29 10:12 UTC by amitkuma
Modified: 2021-01-18 14:42 UTC
CC List: 11 users

Fixed In Version: sssd-2.2.3-6.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:55:59 UTC
Type: Bug
Target Upstream Version:




Links
System ID | Priority | Status | Summary | Last Updated
Github SSSD sssd issues 5087 | None | closed | pcscd rejecting sssd ldap_child as unauthorized | 2021-01-18 16:33:47 UTC
Red Hat Product Errata RHBA-2020:1863 | None | None | None | 2020-04-28 16:56:22 UTC

Description amitkuma 2019-04-29 10:12:49 UTC
Description of problem:
Authentication does work, but these messages appear in /var/log/messages about every 80 seconds:

*************/var/log/messages/**************
Feb  8 11:53:45  pcscd[]:  auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory
Feb  8 11:53:45  pcscd[]: 00000020 auth.c:137:IsClientAuthorized() Process 10833 (user: 0) is NOT authorized for action: access_pcsc
Feb  8 11:53:45  pcscd[]: 00000014 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Feb  8 11:53:45  pcscd[]: 00000407 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory
Feb  8 11:53:45  pcscd[]: 00000006 auth.c:137:IsClientAuthorized() Process 10835 (user: 0) is NOT authorized for action: access_pcsc
Feb  8 11:53:45  pcscd[]: 00000091 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
***********************************************


************Diagnostic Steps********************
1. Installed the polkit rules below and restarted polkit; the issue still persists.
# /usr/share/polkit-1/rules.d/sssd-pcsc.rules
// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as
// unprivileged user 'sssd' to allow access to the Smartcard via pcscd.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.user == "sssd") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "sssd") {
            return polkit.Result.YES;
    }
});
# service polkit restart
2. Tried changing all of the "auth_admin" values to "yes" in /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy, but it did not make a difference.
************************************************


**************Workaround***********************
- Created a copy of /etc/krb5.conf, e.g. /etc/krb5.conf.sssd, removed the pkinit_identities lines only in the copy and added "KRB5_CONFIG=/etc/krb5.conf.sssd" to /etc/sysconfig/sssd.
- This way SSSD and all its sub-processes should read /etc/krb5.conf.sssd instead of /etc/krb5.conf, but all other processes on the system continue to use /etc/krb5.conf.
- This way /var/log/messages no longer shows the p11_child rejected message from pcscd.
*************************************************


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8
sssd-2.0.0-43.el8.x86_64
pcsc-lite-1.8.23-3.el8.x86_64
Smart card reader
Bus 003 Device 003: ID 413c:2101 Dell Computer Corp. SmartCard Reader Keyboard


How reproducible:
Every time in the customer's environment.

Expected results:
Customer wants a solution rather than a workaround.

Additional info:

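The workaround from the description, scripted as an added example (not from the report, the customer, or SSSD itself): the /etc paths are the ones the report names, and the extra check for pkinit_identities in includedir snippets is an assumption about what can still reach SSSD through the kept includedir lines.

```shell
#!/bin/bash
# Added example, not from the bug report: scripts the workaround given in the
# description. SSSD gets its own copy of krb5.conf without pkinit_identities,
# selected through KRB5_CONFIG in /etc/sysconfig/sssd; /etc/krb5.conf itself
# is never modified, so every other process keeps using PKINIT as before.
set -eu

# Write DST as SRC minus every "pkinit_identities = ..." line (any indent).
# Other pkinit_* settings such as pkinit_anchors and pkinit_pool stay: only
# the identity makes the pkinit preauth plugin load the PKCS#11 module.
strip_pkinit_identities() {
    local src="$1" dst="$2"
    sed -E '/^[[:space:]]*pkinit_identities[[:space:]]*=/d' "$src" > "$dst"
}

# The copy keeps the includedir lines, so a pkinit_identities set in an
# included snippet (e.g. under /etc/krb5.conf.d/) would still reach SSSD.
# Prints every included file that sets one; empty output means none.
included_pkinit_identities() {
    local conf="$1" _kw dir
    grep -E '^includedir[[:space:]]' "$conf" | while read -r _kw dir; do
        dir="${dir%/}"
        [ -d "$dir" ] || continue
        grep -rlE '^[[:space:]]*pkinit_identities[[:space:]]*=' "$dir" || true
    done
}

# Point sssd at the copy. An existing KRB5_CONFIG= line is replaced rather
# than duplicated, so running this twice leaves exactly one assignment.
set_sssd_krb5_config() {
    local sysconfig="$1" conf="$2"
    touch "$sysconfig"
    if grep -Eq '^KRB5_CONFIG=' "$sysconfig"; then
        sed -i -E "s|^KRB5_CONFIG=.*|KRB5_CONFIG=$conf|" "$sysconfig"
    else
        printf 'KRB5_CONFIG=%s\n' "$conf" >> "$sysconfig"
    fi
}

# Apply with the paths named in the report; run as root, then restart sssd
# ("systemctl restart sssd") so ldap_child/krb5_child read the new file.
apply_workaround() {
    strip_pkinit_identities /etc/krb5.conf /etc/krb5.conf.sssd
    set_sssd_krb5_config /etc/sysconfig/sssd /etc/krb5.conf.sssd
    included_pkinit_identities /etc/krb5.conf.sssd
}
```

Any file printed by the last step still carries a pkinit_identities line that the copy will pick up through includedir, so the workaround is incomplete until that snippet is handled too.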
Comment 1 Sumit Bose 2019-04-29 13:09:24 UTC
If two ldap_child processes are running more or less in parallel and pkinit_identities is set in krb5.conf, there is a chance that both krb5_child processes block each other in MIT Kerberos' pkinit plugin or in the OpenSC PKCS#11 module. Since ldap_child does not use pkinit at all but a keytab, it would be best to make sure that pkinit is not used at all, e.g. by calling krb5_get_init_creds_opt_set_pa() for "X509_user_identity" with an invalid type.

Comment 2 amitkuma 2019-08-30 11:00:32 UTC
Sumit, attached case is closed. 

===== #26 (Customer) =====
  
Created By: Ray Rocker  (4/24/2019 7:12 PM)
Vinay,

The workaround of using a separate krb5.conf for sssd w/o pkinit_identities did solve the problem.

I hope the issue is still being worked in sssd? Would rather not have to keep using this workaround after RHEL 8 is released.

No further assistance is needed at this time, this case may be closed.   Thanks -- Ray
=====================================================================

Comment 3 Sumit Bose 2019-08-30 11:16:42 UTC
(In reply to amitkuma from comment #2)
> Sumit, attached case is closed. 
> 

Thanks for the info.

> ===== #26 (Customer) =====
>   
> Created By: Ray Rocker  (4/24/2019 7:12 PM)
> Vinay,
> 
> The workaround of using a separate krb5.conf for sssd w/o pkinit_identities
> did solve the problem.
> 
> I hope the issue is still being worked in sssd? Would rather not have to
> keep using this workaround after RHEL 8 is released.

But I think it would be good to fix the issue nonetheless.

bye,
Sumit

> 
> No further assistance is needed at this time, this case may be closed.  
> Thanks -- Ray
> =====================================================================

Comment 7 Sumit Bose 2019-12-06 11:29:05 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4126

Comment 8 Michal Zidek 2019-12-14 00:54:30 UTC
master:
    580d618

Comment 10 Scott Poore 2020-01-15 15:59:46 UTC
Verified

Version ::

sssd-2.2.3-6.el8.x86_64

Results ::

First, reproducing the error:

Setup IPA Smart Card Authentication configuration.

On IPA Server, make sure PKINIT is configured:


On IPA Client, add pkinit_identities to /etc/krb5.conf:
# cat /etc/krb5.conf
#File modified by ipa-client-install

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = IPA.TEST
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
  pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so


[realms]
  IPA.TEST = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }


[domain_realm]
  .ipa.test = IPA.TEST
  ipa.test = IPA.TEST
  client.ipa.test = IPA.TEST


Connect smart card reader and make sure pcscd is enabled

systemctl enable pcscd
systemctl start pcscd

Restart sssd

systemctl restart sssd

In Logs I see:

Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000000 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file >
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000101 auth.c:137:IsClientAuthorized() Process 6415 (user: 0) is NOT authorized for action: access_pcsc
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000012 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00001611 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file >
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000011 auth.c:137:IsClientAuthorized() Process 6419 (user: 0) is NOT authorized for action: access_pcsc
Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000092 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client


Now, upgrade sssd:

[root@client yum.repos.d]# dnf update sssd
...
Find any left behind:

[root@client yum.repos.d]# rpm -qa|grep 2.2.3-4
...
Update those

[root@client yum.repos.d]# dnf update libsss_certmap libsss_autofs libsss_sudo libsss_nss_idmap sssd-nfs-idmap python3-sss-murmur
...

Check log:

Jan 15 09:55:50 client.ipa.test sssd[be[ipa.test]][11173]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[sudo][11177]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[pam][11175]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[nss][11174]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[pac][11178]: Starting up
Jan 15 09:55:50 client.ipa.test sssd[ssh][11176]: Starting up
Jan 15 09:55:50 client.ipa.test systemd[1]: Started System Security Services Daemon.


Check again after 2 minutes or more:

[root@client yum.repos.d]# date; journalctl -xel --since 09:55:51 --no-pager
Wed Jan 15 09:58:53 CST 2020
-- Logs begin at Thu 2020-01-02 10:59:01 CST, end at Wed 2020-01-15 09:55:50 CST. --
-- No entries --

Comment 12 errata-xmlrpc 2020-04-28 16:55:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863

