Description of problem:
I have set up sssd / pam authentication via a pkcs15 certificate stored on a Nitrokey Pro smartcard. Everything worked until doing a dnf update which upgraded sssd to version 2.9.3. Downgrading sssd-dbus and its dependencies to version 2.9.2 made things work again.

Version-Release number of selected component (if applicable):
sssd-2.9.3-1.fc39.x86_64

How reproducible:

Steps to Reproduce:
1. dnf update
2. Using pamtester to check login and authentication procedure:
   pamtester login $USER authenticate
3. Giving the user pin of the card leads to:
   pamtester: Authentication failure
4. Giving the user's password leads to:
   pamtester: successfully authenticated
5. Downgrading sssd-dbus:
   sudo dnf install sssd-dbus-2.9.2
6. Using pamtester to check login and authentication procedure:
   pamtester login $USER authenticate
   PIN for OpenPGP card (User PIN):
   pamtester: successfully authenticated

Actual results:
User not able to authenticate with pkcs15 certificate via smartcard

Expected results:
User should be able to authenticate with pkcs15 certificate via smartcard

Additional info:
--
Could you please provide '/var/log/sssd/p11_child.log' that covers failed attempt?
Created attachment 2001675: p11_child.log requested in comment #1
Is this a local user (from /etc/passwd)? Unfortunately, there is not enough information with the default debug level. Could you please add 'debug_level = 9' to the '[pam]' section of 'sssd.conf', clear SSSD logs and restart SSSD, repeat the attempt and then provide sanitized 'p11_child.log' and 'sssd_pam.log'? And relevant parts of sssd.conf itself, if possible.
Hi Alexey,
yes indeed it is a local user from /etc/passwd. My sssd.conf looks like

```
[sssd]
enable_files_domain = True
services = nss, pam
domains = shadowutils
debug_level = 9

[nss]

[pam]
pam_cert_auth = True
pam_verbosity = 10
debug_level = 9

[domain/shadowutils]
id_provider = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True
debug_level = 9

[certmap/shadowutils/<snip>My user_id<snap>]
matchrule = <SUBJECT>.*CN=<snip>My user_id<snap>
```

The logs should contain two attempts to access the smartcard triggered by pamtester. In the first one I gave the password:

pamtester login $USER authenticate
Password:
pamtester: successfully authenticated

In the second one I tried the user key of the smartcard, which returned:

pamtester login $USER authenticate
Password:
pamtester: Authentication failure
Created attachment 2001678: Extended p11_child.log requested in comment #4
Created attachment 2001679: sssd_pam.log requested in comment #4
Hi, can you try if adding

```
local_auth_policy = enable:smartcard
```

to the [domain/...] section in sssd.conf and restarting SSSD will help?

bye,
Sumit
Hi, that did the trick! Now everything works again as expected. Thanks for the fast support, Ralf
One more question, any reason you use

```
id_provider = files
```

and not

```
id_provider = proxy
proxy_lib_name = files
```

? Take note that 'id_provider = files' is a deprecated functionality and most probably will be gone starting F40.
Actually there is no special reason besides the fact that I glued the thing together based on a rather old HowTo, as I now realize. I now changed to

```
id_provider = proxy
proxy_lib_name = files
```

and still everything works as expected. Thanks a lot for the hint!
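For anyone hitting the same regression after an update, here is a small check script (added example, not part of SSSD or of this report) that reads an sssd.conf and flags the two things the thread settled on: a local-user domain with pam_cert_auth enabled but no 'local_auth_policy = enable:smartcard', and the deprecated 'id_provider = files'. The two embedded configs are constructed samples modelled on the one posted above; the parsing of local_auth_policy only recognises the exact value used in the thread.

```python
import configparser
import io
# Constructed sample sssd.conf modelled on the thread: pre-fix, then with both changes applied.
BROKEN_CONF = """
[sssd]
services = nss, pam
domains = shadowutils
[pam]
pam_cert_auth = True
[domain/shadowutils]
id_provider = files
auth_provider = proxy
"""
FIXED_CONF = BROKEN_CONF.replace(
    "id_provider = files",
    "id_provider = proxy\nproxy_lib_name = files\nlocal_auth_policy = enable:smartcard")

def parse_sssd_conf(text):
    # sssd.conf is INI-style; interpolation off so '%' in values stays literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(text))
    return cp

def is_local_user_domain(cp, section):
    # /etc/passwd users come from the files provider, directly (deprecated) or via proxy.
    idp = cp.get(section, "id_provider", fallback="").strip()
    lib = cp.get(section, "proxy_lib_name", fallback="").strip()
    return idp == "files" or (idp == "proxy" and lib == "files")

def smartcard_enabled(policy):
    # Looks for the exact value used in the thread, allowing a comma-separated
    # list; assumption: no other value is treated as enabling smartcard login.
    return "enable:smartcard" in [p.strip().lower() for p in policy.split(",")]

def check_sssd_conf(text):
    # Returns a list of findings; an empty list means both issues are absent.
    cp = parse_sssd_conf(text)
    cert_auth = cp.getboolean("pam", "pam_cert_auth", fallback=False)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip() == "files":
            findings.append(f"{section}: 'id_provider = files' is deprecated; "
                            "use 'id_provider = proxy' with 'proxy_lib_name = files'")
        policy = cp.get(section, "local_auth_policy", fallback="")
        if cert_auth and is_local_user_domain(cp, section) and not smartcard_enabled(policy):
            findings.append(f"{section}: pam_cert_auth = True but "
                            "'local_auth_policy = enable:smartcard' is not set")
    return findings
```

Run it against the real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the broken sample yields two findings and the fixed one none.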