Bug 1845904 - gdm smart card authentication does not work shortly after disconnecting from network.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2020-06-10 11:58 UTC by Alexey Tikhonov
Modified: 2023-10-07 10:10 UTC (History)
CC List: 9 users

Fixed In Version: sssd-2.3.0-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-04 02:05:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
screen shot of verification (14.74 KB, image/png), 2020-08-17 15:08 UTC, Scott Poore


Links
System: Github; ID: SSSD sssd pull 5196; Private: 0; Priority: None; Status: closed; Summary: ipa: add failover to subdomain override lookups; Last Updated: 2020-11-01 15:57:08 UTC
System: Red Hat Issue Tracker; ID: SSSD-2536; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2023-10-07 10:10:33 UTC
System: Red Hat Issue Tracker; ID: SSSD-2572; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2023-10-07 10:10:45 UTC
System: Red Hat Issue Tracker; ID: SSSD-2681; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2023-10-07 10:10:39 UTC
System: Red Hat Product Errata; ID: RHBA-2020:4569; Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2020-11-04 02:05:36 UTC

Description Alexey Tikhonov 2020-06-10 11:58:30 UTC
This bug was initially created as a copy of Bug #1605781

I am copying this bug because: to track fix for RHEL8



Description of problem:

gdm smart card authentication does not appear to work when off-line.  It is working on EL7.5.

Version-Release number of selected component (if applicable):
sssd-1.16.2-4.fc28.2.x86_64 - custom version with override_homedir fix applied.
gdm-3.28.2-1.fc28.x86_64


How reproducible:
Pretty consistently shortly after disconnecting the network.  I have seen it work though.

Steps to Reproduce:
1. disconnect network
2. try to authenticate with smart card

Actual results:
authentication fails

Expected results:
authentication works

Additional info:

The actual authentication works:
Jul 20 10:17:16 bld-pc1.cora.nwra.com gdm-smartcard][17304]: pam_sss(gdm-smartcard:auth): authentication success; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=orion.com

But authorization does not:
Jul 20 10:17:16 bld-pc1.cora.nwra.com gdm-smartcard][17304]: GdmSessionWorker: determining if authenticated user (password required:0) is authorized to session
Jul 20 10:17:29 bld-pc1.cora.nwra.com gdm-smartcard][17304]: GdmSessionWorker: user is not authorized to log in: Authentication service cannot retrieve authentication info

(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_AUTHENTICATE
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): domain: ad.nwra.com
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): user: orion.com
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): service: gdm-smartcard
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/tty1
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 4
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 17304
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_print_data] (0x0100): logon name: orion.com
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x562ae90cd8e0
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_dom_forwarder] (0x0100): pam_dp_send_req returned 0
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x562ae90cd8e0
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve authentication info)][ad.nwra.com]
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9]: Authentication service cannot retrieve authentication info.
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_reply] (0x0040): Backend cannot handle Smartcard authentication, trying local Smartcard authentication.


(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [be_mark_dom_offline] (0x1000): Marking subdomain ad.nwra.com offline
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [be_mark_subdom_offline] (0x1000): Marking subdomain ad.nwra.com as inactive
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [17536]
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [child_handler_setup] (0x2000): Signal handler set up for pid [17536]
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [write_pipe_handler] (0x0400): All data has been sent!
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [read_pipe_handler] (0x0400): EOF received, client finished
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [parse_krb5_child_response] (0x1000): child response [0][3][36].
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [fo_set_port_status] (0x0100): Marking port 0 of server 'europa.nwra.com' as 'working'
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [set_server_common_status] (0x0100): Marking server 'europa.nwra.com' as 'working'
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [fo_set_port_status] (0x0400): Marking port 0 of duplicate server 'europa.nwra.com' as 'working'
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [sysdb_set_entry_attr] (0x0200): Entry [name=orion.com,cn=users,cn=ad.nwra.com,cn=sysdb] has set [ts_cache] attrs.
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0100): Backend is marked offline, retry later!
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [check_wait_queue] (0x1000): Wait queue for user [orion.com] is empty.
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x559b44e43150] done.
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [dp_req_done] (0x0400): DP Request [PAM Authenticate #6]: Request handler finished [0]: Success
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Authenticate #6]: Receiving request data.
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Authenticate #6]: Request removed.
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #6]: Sending result [9][ad.nwra.com]


(Fri Jul 20 10:17:38 2018) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0100): Backend is marked offline, retry later!
(Fri Jul 20 10:17:38 2018) [sssd[be[nwra.com]]] [check_wait_queue] (0x1000): Wait queue for user [orion.com] is empty.
(Fri Jul 20 10:17:38 2018) [sssd[be[nwra.com]]] [krb5_auth_queue_done] (0x1000): krb5_auth_queue request [0x559b44ebd5e0] done.
(Fri Jul 20 10:17:38 2018) [sssd[be[nwra.com]]] [dp_req_done] (0x0400): DP Request [PAM Preauth #11]: Request handler finished [0]: Success
(Fri Jul 20 10:17:38 2018) [sssd[be[nwra.com]]] [_dp_req_recv] (0x0400): DP Request [PAM Preauth #11]: Receiving request data.
(Fri Jul 20 10:17:38 2018) [sssd[be[nwra.com]]] [dp_req_destructor] (0x0400): DP Request [PAM Preauth #11]: Request removed.
(Fri Jul 20 10:17:38 2018) [sssd[be[nwra.com]]] [dp_req_destructor] (0x0400): Number of active DP request: 1
(Fri Jul 20 10:17:38 2018) [sssd[be[nwra.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Preauth #11]: Sending result [9][ad.nwra.com]


I don't know if gdm is supposed to better handle the pam error, or sssd should be quicker about switching to offline authentication and not returning result code 9 in the first place.
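As an added example (not code from this report or from the SSSD project), the following Python parses SSSD debug log lines in the format quoted above and flags the failure signature this comment describes: a pam_reply result of 9 (PAM_AUTHINFO_UNAVAIL) issued within seconds of the backend logging "No available servers" and "Marking subdomain ... offline", i.e. the request hit the outage before the backend had switched to cached offline authentication. The names Entry, Finding, parse_log and find_failed_replies are the example's own, the 30-second correlation window is an assumption, and the sample lines are copied from the log above except the final "result [0]" line, which is constructed to show a healthy reply that must not be flagged.

```python
"""Parser and check for the SSSD debug-log pattern in this report (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# Shape of one line: "(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [func] (0x1000): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<comp>[^\[\]]+(?:\[[^\]]*\])?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
PAM_AUTHINFO_UNAVAIL = 9  # the PAM result code returned in this report

PAM_RESULT_RE = re.compile(r"result \[(\d+)\]")
NO_SERVERS_RE = re.compile(r"No available servers for service '([^']+)'")
MARK_OFFLINE_RE = re.compile(r"Marking subdomain (\S+) offline$")


@dataclass
class Entry:
    ts: datetime
    comp: str      # responder or backend, e.g. "pam" or "be[nwra.com]"
    func: str
    level: int
    msg: str


@dataclass
class Finding:
    ts: datetime
    result: int
    service: Optional[str]  # failover service that ran out of servers, e.g. "IPA"
    domain: Optional[str]   # (sub)domain the backend marked offline
    verdict: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed SSSD log line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(datetime.strptime(m["ts"], TS_FMT), m["comp"], m["func"],
                 int(m["level"], 16), m["msg"])


def parse_log(lines: Iterable[str]) -> List[Entry]:
    return [e for e in map(parse_line, lines) if e is not None]


def find_failed_replies(entries: List[Entry],
                        window: timedelta = timedelta(seconds=30)) -> List[Finding]:
    """For each non-zero pam_reply, look back `window` (assumed 30 s) in the
    backend's lines for failover events and classify the failure."""
    findings = []
    for e in entries:
        if e.func != "pam_reply":
            continue
        m = PAM_RESULT_RE.search(e.msg)
        if m is None or int(m.group(1)) == 0:
            continue  # informational pam_reply line, or a successful reply
        result = int(m.group(1))
        service = domain = None
        for b in entries:
            if not (b.comp.startswith("be[") and e.ts - window <= b.ts <= e.ts):
                continue
            s = NO_SERVERS_RE.search(b.msg)
            if s:
                service = s.group(1)
            d = MARK_OFFLINE_RE.search(b.msg)
            if d:
                domain = d.group(1)
        if result == PAM_AUTHINFO_UNAVAIL and service and domain:
            verdict = "offline transition during request (pattern in this bug)"
        elif result == PAM_AUTHINFO_UNAVAIL:
            verdict = "backend could not answer; no failover seen in window"
        else:
            verdict = "authentication failed for another reason"
        findings.append(Finding(e.ts, result, service, domain, verdict))
    return findings


# Lines copied from the report; the last line is constructed (a healthy reply).
SAMPLE_LOG = """\
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'IPA'
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [be_mark_dom_offline] (0x1000): Marking subdomain ad.nwra.com offline
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0100): Backend is marked offline, retry later!
(Fri Jul 20 10:17:15 2018) [sssd[be[nwra.com]]] [dp_pam_reply] (0x1000): DP Request [PAM Authenticate #6]: Sending result [9][ad.nwra.com]
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [9 (Authentication service cannot retrieve authentication info)][ad.nwra.com]
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [9]: Authentication service cannot retrieve authentication info.
(Fri Jul 20 10:17:15 2018) [sssd[pam]] [pam_reply] (0x0040): Backend cannot handle Smartcard authentication, trying local Smartcard authentication.
(Fri Jul 20 10:19:02 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
"""

if __name__ == "__main__":
    for f in find_failed_replies(parse_log(SAMPLE_LOG.splitlines())):
        print(f"{f.ts:%H:%M:%S} result={f.result} service={f.service} "
              f"domain={f.domain}: {f.verdict}")
```

Run against a real sssd_pam.log and sssd_<domain>.log concatenated (both use the same line format at debug_level 9), a run of "offline transition" findings after a network change points at the failover delay this report describes, whereas result-9 replies with no failover events in the window point elsewhere.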

Comment 1 Pavel Březina 2020-06-18 10:21:43 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5196

* `master`
    * df632eec450791559a4a7644f241964397c10ff9 - ipa: add failover to subdomain override lookups
* `sssd-1-16`
    * 510f154b02f2c059aeb0c1a28f3a5f83ceca662c - ipa: add failover to subdomain override lookups

Comment 8 Scott Poore 2020-08-17 15:08:03 UTC
Created attachment 1711628 [details]
screen shot of verification

Verified.

Version ::

sssd-2.3.0-7.el8.x86_64

Results ::

To test with network down, I had to use virt-viewer so screen shot attached.

But, test was:

su - ipauser1 -c 'su - ipauser1 -c whoami'
ifdown ens3
su - ipauser1 -c 'su - ipauser1 -c whoami'

Comment 11 errata-xmlrpc 2020-11-04 02:05:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569

