On Fri, Feb 03, 2023 at 07:16:58PM -0000, r0 nam1 via FreeIPA-users wrote:
> Apologies for my previous thread mess, I've learned to keep it neat.
> 
> In following my previous thread
> (https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FYZFFHQ573REKTXHJK5DZU3RET76X7LA/)
> 
> I've discovered what I believe to be the issue when trying to log in with
> Smartcards. When running kinit already logged in, it can prompt for a PIN and
> successfully use that data to verify the certificate. Then when trying to
> log in from tty1 with pam_sss.so require_cert_auth present, the krb5 child
> attempts to kinit:
> '''
>     DEBUG(SSSDBG_TRACE_FUNC,
>           "Attempting kinit for realm [%s]\n", realm_name);
>     kerr = kr->krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
>                                             password_or_responder(password),
>                                             sss_krb5_prompter, kr, 0, NULL,
>                                             kr->options);
>     if (kr->pd->cmd == SSS_PAM_PREAUTH && kerr != KRB5KDC_ERR_KEY_EXP) {
>         /* Any errors except KRB5KDC_ERR_KEY_EXP are ignored during pre-auth,
>          * only data is collected to be send back to the client.
>          * KRB5KDC_ERR_KEY_EXP must be handled separately to figure out the
>          * possible authentication methods to update the password. */
>         DEBUG(SSSDBG_TRACE_FUNC,
>               "krb5_get_init_creds_password returned [%d] during pre-auth.\n",
>               kerr);
>         return 0;
>     } else {
>         if (kerr != 0) {
>             KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
> '''
> https://github.com/SSSD/sssd/blob/master/src/providers/krb5/krb5_child.c
> 
> Looking at the source code for the process I've come to the conclusion that
> for SOME REASON, the kinit PIN prompt fails after entering my Username,
> Password, then prompting for a smartcard.
> It seems like p11_child sees the smartcard inserted, lets the krb5_child run,
> and somehow fails when prompting for a PIN.
> Even though the child 'fails' the login is never denied with any smartcard,
> one just needs to be present; the side effect of this is that a Kerberos
> ticket is never granted, but the login does succeed.

Hi,

for Smartcard authentication with PKINIT SSSD does two runs. First by running
p11_child to check if a Smartcard is present and then calling krb5_child to
check if the KDC offers PKINIT at all. Only if both conditions are met will
SSSD prompt for a Smartcard PIN in the second run. Otherwise it might ask for
other credentials depending on which authentication methods are found by
krb5_child.

The snippet you posted above is mainly for the first run which happens before
SSSD would ask for a PIN.

Please add 'debug_level = 9' to the [pam] and [domain/...] section, restart
SSSD, try to login again and send all the logs from /var/log/sssd for further
inspection.

HTH

bye,
Sumit

> 
> Unfortunately that's everything I've been able to find, anyone able to help
> with the info I've provided?
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
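The two-run flow Sumit describes shows up in /var/log/sssd/krb5_child.log as two separate krb5_child processes, one for the pre-auth probe and one for the real authentication. The following helper is an added example, not part of the thread or of SSSD: it groups such log lines by child PID and reports each run's realm, phase and kinit result. The sample lines, their layout and the second run's failure line are constructed assumptions; the two pre-auth messages are the ones from the quoted krb5_child.c.

```python
import re

# Constructed sample of one login: two krb5_child runs (pre-auth, then auth) as they could
# appear in /var/log/sssd/krb5_child.log. The line layout and the second run's failure
# line are assumptions; the two pre-auth messages are those quoted from krb5_child.c.
SAMPLE_LOG = """\
(2023-02-03 19:10:01): [krb5_child[4711]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [EXAMPLE.TEST]
(2023-02-03 19:10:01): [krb5_child[4711]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328359] during pre-auth.
(2023-02-03 19:10:04): [krb5_child[4719]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [EXAMPLE.TEST]
(2023-02-03 19:10:04): [krb5_child[4719]] [get_and_save_tgt] (0x0020): 1234: [-1765328360][Preauthentication failed]
"""

# krb5 error codes relevant here (ERROR_TABLE_BASE_krb5 + code number).
KRB5_CODES = {
    -1765328361: "KRB5KDC_ERR_KEY_EXP",           # the one error pre-auth does NOT ignore
    -1765328360: "KRB5KDC_ERR_PREAUTH_FAILED",
    -1765328359: "KRB5KDC_ERR_PREAUTH_REQUIRED",  # normal KDC answer to a first AS-REQ
}

PID_RE = re.compile(r"krb5_child\[(\d+)\]")      # each run is a separate child process
REALM_RE = re.compile(r"Attempting kinit for realm \[([^\]]+)\]")
PREAUTH_RE = re.compile(r"krb5_get_init_creds_password returned \[(-?\d+)\] during pre-auth")
# SSSDBG_CRIT_FAILURE (0x0020) line written by KRB5_CHILD_DEBUG in the auth run; assumed layout.
FAIL_RE = re.compile(r"\(0x0020\): .*?\[(-?\d+)\]\[([^\]]*)\]")


def parse_runs(log_text):
    """Group krb5_child.log lines by child PID; report realm, phase and kinit result per run."""
    runs = {}
    for line in log_text.splitlines():
        pid = PID_RE.search(line)
        if not pid:
            continue
        run = runs.setdefault(pid.group(1), {"pid": pid.group(1), "realm": None,
                                             "phase": "auth", "code": 0, "msg": ""})
        if m := REALM_RE.search(line):
            run["realm"] = m.group(1)
        elif m := PREAUTH_RE.search(line):
            run["phase"] = "pre-auth"   # errors here only collect data, see the quoted code
            run["code"] = int(m.group(1))
        elif m := FAIL_RE.search(line):
            run["code"], run["msg"] = int(m.group(1)), m.group(2)
    for run in runs.values():
        run["name"] = KRB5_CODES.get(run["code"], "OK" if run["code"] == 0 else "unknown")
    return list(runs.values())


if __name__ == "__main__":
    for r in parse_runs(SAMPLE_LOG):
        print(f"pid {r['pid']} realm {r['realm']} {r['phase']}: [{r['code']}] {r['name']} {r['msg']}")
```

A non-zero code in the pre-auth run is expected; the run to look at when a login succeeds without a ticket is the second one.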