________________________________________ From: Sumit Bose <sb...@redhat.com> Sent: Friday, November 1, 2019 8:12 AM To: sssd-users@lists.fedorahosted.org Subject: [EXTERNAL] [SSSD-users] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
On Thu, Oct 31, 2019 at 04:38:23PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote: > Hello, > > pam.d/system-auth > > auth [success=done authinfo_unavail=ignore ignore=ignore default=die] > pam_sss.so try_cert_auth > > pam.d/smartcard-auth > > auth [default=1 ignore=ignore success=ok] pam_succeed_if.so > uid >= 1000 quiet > auth sufficient pam_sss.so > ignore_authinfo_unavail require_cert_auth > auth required pam_deny.so > > account required pam_unix.so > account sufficient pam_localuser.so > account sufficient pam_succeed_if.so > uid < 1000 quiet > account [default=bad success=ok user_unknown=ignore] pam_sss.so > account required pam_permit.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > -session optional pam_systemd.so > session [success=1 default=ignore] pam_succeed_if.so > service in crond quiet use_uid > session required pam_unix.so > session optional pam_sss.so > > > etc/sssd/sssd.conf > [sssd] > services = nss, pam > domains = files > > [nss] > > [pam] > pam_cert_auth = True > pam_cert_db_path = /etc/sssd/pki/<cert>.pem > debug_level = 4 > > [domain/files] > id_provider = files > > [certmap/files/<user>] > matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$ > > > gdm.d/greeter-login > enable-smartcard-authentication=true > enable-fingerprint-authentication=false > enable-password-authentication=false > > > Reboot and get Card PIN user prompt gdm-login-greeter -> add username and > click next > > Get Prompted for PIN but after a second it just fails and goes back to asking > for username. > > Has anyone run into this behaviour, suggestions, fix? Hi, does it work with other services than gdm, like e.g. the console login or su? Hi Sumit, yes it works with other services and logging into PIV websites Can you send the SSSD debug logs? You currently have 'debug_level = 4' in the [pam] section. This might help for a start but it might help to avoid some round-trips if you can set 'debug_level = 9' to the [pam] and [domain/files] section, restart SSSD and run the login test again before sending the logs. On debug=4 the logs just repeat this: (Fri Nov 1 08:54:50:113927 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed. (Fri Nov 1 08:54:50:113983 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted] (Fri Nov 1 08:54:50:113994 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted (Fri Nov 1 08:54:50:114015 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted (Fri Nov 1 08:54:50:114024 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root. -rw-r--r--. 1 root root 343 Oct 31 11:16 /etc/sssd/sssd.conf made it 640 instead <- guessing that is correct Will set debug=9 and retest bye. Sumit > > Seems to be a reoccurring issue I have seen in +F28, +CentOS7 and +RHEL7 > basically anything with obsolete coolkey pkcs11 authconfig. > > Thanks, > Brad > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_project_code-2Dof-2Dconduct_&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=-FUI3r0e0wQ0tL18ia_a3kv8FTiOwDeg-mJtd11gLgk&e= > List Guidelines: > https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_Mailing-5Flist-5Fguidelines&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=ZwRja4O1CGlcmPN83-KMLZX1Oitn-1iW_bzzxc6EjJk&e= > List Archives: > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_archives_list_sssd-2Dusers-40lists.fedorahosted.org&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=Tiqmt5yDzJvro-PMRlpW5tcbBt597ePq__OfL9PbRWQ&e= _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_project_code-2Dof-2Dconduct_&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=-FUI3r0e0wQ0tL18ia_a3kv8FTiOwDeg-mJtd11gLgk&e= List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_Mailing-5Flist-5Fguidelines&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=ZwRja4O1CGlcmPN83-KMLZX1Oitn-1iW_bzzxc6EjJk&e= List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_archives_list_sssd-2Dusers-40lists.fedorahosted.org&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=Tiqmt5yDzJvro-PMRlpW5tcbBt597ePq__OfL9PbRWQ&e= _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org