Hide Forgot
Description of problem: Authentication does work, But getting these in /var/log/messages about every 80 seconds: *************/var/log/messages/************** Feb 8 11:53:45 pcscd[]: auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory Feb 8 11:53:45 pcscd[]: 00000020 auth.c:137:IsClientAuthorized() Process 10833 (user: 0) is NOT authorized for action: access_pcsc Feb 8 11:53:45 pcscd[]: 00000014 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Feb 8 11:53:45 pcscd[]: 00000407 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory Feb 8 11:53:45 pcscd[]: 00000006 auth.c:137:IsClientAuthorized() Process 10835 (user: 0) is NOT authorized for action: access_pcsc Feb 8 11:53:45 pcscd[]: 00000091 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client *********************************************** ************Diagnostic Steps******************** 1. Installed polkit rules as mentioned below and done restart, still issue persists. # /usr/share/polkit-1/rules.d/sssd-pcsc.rules // Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as // unprivileged user 'sssd' to allow access to the Smartcard via pcscd. polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_card" && subject.user == "sssd") { return polkit.Result.YES; } }); polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.user == "sssd") { return polkit.Result.YES; } }); # service polkit restart 2. Tried changing all of the "auth-admin" to "yes" in /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy. But it did not make a difference. ************************************************ **************Workaround*********************** - Created a copy of /etc/krb5.conf, e.g. /etc/krb5.conf.sssd, remove the pkinit_identities lines only in the copy and "KRB5_CONFIG=/etc/krb5.conf.sssd" to /etc/sysconfig/sssd. - This way SSSD and all its sub-processes should read /etc/krb5.conf.sssd instead of /etc/krb5.conf but all other processes in the system should continue to use /etc/krb5.conf. - This way /var/log/messages does not see p11_child rejected message from pcscd. ************************************************* Version-Release number of selected component (if applicable): Red Hat Enterprise Linux 8 sssd-2.0.0-43.el8.x86_64 pcsc-lite-1.8.23-3.el8.x86_64 Smart card reader Bus 003 Device 003: ID 413c:2101 Dell Computer Corp. SmartCard Reader Keyboard How reproducible: All times in Customer's env Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Customer want solution rather than workaround. Additional info:
If two ldap_child processes are running more or less in parallel and pkinit_identities is set in krb5.conf there is a chance that both krb5_child processes block each other in MIT Kerberos' pkinit plugin or in the OpenSC PKCS#11 module. Since ldap_child does not use pkinit at all but a keytab it would be best to make sure that pkinit is not used at all e.g. by calling krb5_get_init_creds_opt_set_pa() for "X509_user_identity" with an invalid type.
Sumit, attached case is closed. =====#26 (Customer) Make PrivatePrivate Helps Resolution? 0======== Created By: Ray Rocker (4/24/2019 7:12 PM) Vinay, The workaround of using a separate krb5.conf for sssd w/o pkinit_identities did solve the problem. I hope the issue is still being worked in sssd? Would rather not have to keep using this workaround after RHEL 8 is released. No further assistance is needed at this time, this case may be closed. Thanks -- Ray =====================================================================
(In reply to amitkuma from comment #2) > Sumit, attached case is closed. > Thanks for the info. > =====#26 (Customer) Make PrivatePrivate Helps Resolution? 0======== > > Created By: Ray Rocker (4/24/2019 7:12 PM) > Vinay, > > The workaround of using a separate krb5.conf for sssd w/o pkinit_identities > did solve the problem. > > I hope the issue is still being worked in sssd? Would rather not have to > keep using this workaround after RHEL 8 is released. But I think it would be good to fix the issue nonetheless. bye, Sumit > > No further assistance is needed at this time, this case may be closed. > Thanks -- Ray > =====================================================================
Upstream ticket: https://pagure.io/SSSD/sssd/issue/4126
master: 580d618
Verified Version :: sssd-2.2.3-6.el8.x86_64 Results :: First reproducing error Setup IPA Smart Card Authentication configuration. On IPA Server, make sure PKINIT is configured: On IPA Client, add pkinit_identities to /etc/krb5.conf # cat /etc/krb5.conf #File modified by ipa-client-install includedir /etc/krb5.conf.d/ includedir /var/lib/sss/pubconf/krb5.include.d/ [libdefaults] default_realm = IPA.TEST dns_lookup_realm = true dns_lookup_kdc = true rdns = false dns_canonicalize_hostname = false ticket_lifetime = 24h forwardable = true udp_preference_limit = 0 default_ccache_name = KEYRING:persistent:%{uid} pkinit_identities = PKCS11:/usr/lib64/pkcs11/opensc-pkcs11.so [realms] IPA.TEST = { pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem } [domain_realm] .ipa.test = IPA.TEST ipa.test = IPA.TEST client.ipa.test = IPA.TEST Connect smart card reader and make sure pcscd is enabled systemctl enable pcscd systemctl start pcscd Restart sssd systemctl restart sssd In Logs I see: Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000000 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file > Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000101 auth.c:137:IsClientAuthorized() Process 6415 (user: 0) is NOT authorized for action: access_pcsc Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000012 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00001611 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file > Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000011 auth.c:137:IsClientAuthorized() Process 6419 (user: 0) is NOT authorized for action: access_pcsc Jan 15 09:37:27 client.ipa.test pcscd[6395]: 00000092 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Now, upgrade sssd: [root@client yum.repos.d]# dnf update sssd ... Find any left behind: [root@client yum.repos.d]# rpm -qa|grep 2.2.3-4 ... Update those [root@client yum.repos.d]# dnf update libsss_certmap libsss_autofs libsss_sudo libsss_nss_idmap sssd-nfs-idmap python3-sss-murmur ... Check log: Jan 15 09:55:50 client.ipa.test sssd[be[ipa.test]][11173]: Starting up Jan 15 09:55:50 client.ipa.test sssd[sudo][11177]: Starting up Jan 15 09:55:50 client.ipa.test sssd[pam][11175]: Starting up Jan 15 09:55:50 client.ipa.test sssd[nss][11174]: Starting up Jan 15 09:55:50 client.ipa.test sssd[pac][11178]: Starting up Jan 15 09:55:50 client.ipa.test sssd[ssh][11176]: Starting up Jan 15 09:55:50 client.ipa.test systemd[1]: Started System Security Services Daemon. Check again after 2 minutes or more: [root@client yum.repos.d]# date; journalctl -xel --since 09:55:51 --no-pager Wed Jan 15 09:58:53 CST 2020 -- Logs begin at Thu 2020-01-02 10:59:01 CST, end at Wed 2020-01-15 09:55:50 CST. -- -- No entries --
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:1863