On Fri, Nov 01, 2019 at 01:45:07PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
>
> ________________________________________
> From: Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] <bradley.v.zy...@nasa.gov>
> Sent: Friday, November 1, 2019 9:17 AM
> To: sssd-users@lists.fedorahosted.org
> Subject: [non-nasa source] [SSSD-users] Re: [EXTERNAL] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
>
> ________________________________________
> From: Sumit Bose <sb...@redhat.com>
> Sent: Friday, November 1, 2019 8:12 AM
> To: sssd-users@lists.fedorahosted.org
> Subject: [EXTERNAL] [SSSD-users] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
>
> On Thu, Oct 31, 2019 at 04:38:23PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
> > Hello,
> >
> > pam.d/system-auth
> >
> > auth        [success=done authinfo_unavail=ignore ignore=ignore default=die]  pam_sss.so try_cert_auth
> >
> > pam.d/smartcard-auth
> >
> > auth        [default=1 ignore=ignore success=ok]  pam_succeed_if.so uid >= 1000 quiet
> > auth        sufficient                            pam_sss.so ignore_authinfo_unavail require_cert_auth
> > auth        required                              pam_deny.so
> >
> > account     required                              pam_unix.so
> > account     sufficient                            pam_localuser.so
> > account     sufficient                            pam_succeed_if.so uid < 1000 quiet
> > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > account     required                              pam_permit.so
> >
> > session     optional                              pam_keyinit.so revoke
> > session     required                              pam_limits.so
> > -session    optional                              pam_systemd.so
> > session     [success=1 default=ignore]            pam_succeed_if.so service in crond quiet use_uid
> > session     required                              pam_unix.so
> > session     optional                              pam_sss.so
> >
> >
> > etc/sssd/sssd.conf
> >
> > [sssd]
> > services = nss, pam
> > domains = files
> >
> > [nss]
> >
> > [pam]
> > pam_cert_auth = True
> > pam_cert_db_path = /etc/sssd/pki/<cert>.pem
> > debug_level = 4
> >
> > [domain/files]
> > id_provider = files
> >
> > [certmap/files/<user>]
> > matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$
> >
> >
> > gdm.d/greeter-login
> >
> > enable-smartcard-authentication=true
> > enable-fingerprint-authentication=false
> > enable-password-authentication=false
> >
> >
> > Reboot and get Card PIN user prompt gdm-login-greeter -> add username and click next
> >
> > Get prompted for PIN but after a second it just fails and goes back to asking for username.
> >
> > Has anyone run into this behaviour, suggestions, fix?
>
> Hi,
>
> does it work with other services than gdm, like e.g. the console login or su?
>
> Hi Sumit, yes it works with other services and logging into PIV websites.
>
> Can you send the SSSD debug logs? You currently have 'debug_level = 4' in the [pam] section. This might help for a start but it might help to avoid some round-trips if you can set 'debug_level = 9' to the [pam] and [domain/files] section, restart SSSD and run the login test again before sending the logs.
>
> On debug=4 the logs just repeat this:
>
> (Fri Nov  1 08:54:50:113927 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
> (Fri Nov  1 08:54:50:113983 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
> (Fri Nov  1 08:54:50:113994 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
> (Fri Nov  1 08:54:50:114015 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
> (Fri Nov  1 08:54:50:114024 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.
>
> -rw-r--r--. 1 root root 343 Oct 31 11:16 /etc/sssd/sssd.conf
>
> made it 640 instead <- guessing that is correct
>
> Will set debug=9 and retest
>
> Hi Sumit, retested with debug 9 and still the same errors in var/log:
>
> (Fri Nov  1 09:28:20:676656 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
> (Fri Nov  1 09:28:20:676713 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
> (Fri Nov  1 09:28:20:676724 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
> (Fri Nov  1 09:28:20:676746 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
> (Fri Nov  1 09:28:20:676757 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.
>
> and the other logs have a similar entry:
>
> (Thu Oct 31 11:29:26 2019) [sssd[be[implicit_files]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
>
> Installed Packages
> sssd.x86_64    2.2.2-1.fc31    @anaconda
>
> -rw-r-----. 1 root root 343 Nov  1 09:20 /etc/sssd/sssd.conf
Hi,

just make it 0600.

HTH

bye,
Sumit

>
> I also verified I do not get prompted for PIN at TTY (fn+f2) for sudo or su, just password.
>
> Thanks,
> Brad
>
>
> bye.
> Sumit
>
>
> > Seems to be a recurring issue I have seen in +F28, +CentOS7 and +RHEL7, basically anything with obsolete coolkey pkcs11 authconfig.
> >
> > Thanks,
> > Brad
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
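A check for the permission failure in this thread, added here as an example; it is not SSSD's code and not anything the posters wrote. It reproduces the condition the log message spells out ("accessible only by the owner and owned by root.root"): both listings in the thread, -rw-r--r-- and -rw-r-----, are rejected, and only -rw------- (0600) passes. The function and variable names (check_private_config, demo) are ours, the exact internal test SSSD performs may differ in detail, and it assumes GNU stat (Fedora/RHEL) with a BSD stat fallback.

```shell
#!/bin/sh
# Added example, not SSSD's own code: reproduce the ownership/mode check that
# the "Cannot read config file /etc/sssd/sssd.conf" message in the thread
# describes, so a config can be audited before restarting sssd instead of
# guessing at 644 vs 640. Assumes GNU stat, with BSD stat as a fallback.

# check_private_config FILE [UID] [GID]
# Exit 0 only if FILE is a regular file owned by UID:GID (default 0:0, i.e.
# root.root) and its mode grants nothing to group or other (0600 or stricter).
# Prints the reason to stderr otherwise.
check_private_config() {
    f=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file or not accessible" >&2
        return 1
    fi
    # "%a %u %g" = octal mode, owner uid, group gid (GNU); "%Lp %u %g" on BSD.
    set -- $(stat -c '%a %u %g' "$f" 2>/dev/null || stat -f '%Lp %u %g' "$f")
    mode=$1 uid=$2 gid=$3
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "$f: owned by $uid:$gid, expected $want_uid:$want_gid" >&2
        return 1
    fi
    # The octal mode must end in "00": -rw-r--r-- (644) and -rw-r----- (640)
    # from the thread both fail, -rw------- (600) passes. Matching only the
    # last two digits tolerates a leading setuid/sticky digit such as "1600".
    case $mode in
        *00) return 0 ;;
        *)  echo "$f: mode $mode grants group/other access, expected 0600" >&2
            return 1 ;;
    esac
}

# Constructed demonstration on a throwaway file (not a real sssd.conf):
# world-readable as in the first listing in the thread, then tightened.
demo() {
    tmp=$(mktemp) || return 1
    printf '[sssd]\nservices = nss, pam\ndomains = files\n' > "$tmp"
    me_uid=$(id -u)
    me_gid=$(id -g)
    chmod 644 "$tmp"
    check_private_config "$tmp" "$me_uid" "$me_gid" || echo "644: rejected, as expected"
    chmod 640 "$tmp"
    check_private_config "$tmp" "$me_uid" "$me_gid" || echo "640: rejected, as expected"
    chmod 600 "$tmp"
    check_private_config "$tmp" "$me_uid" "$me_gid" && echo "600: accepted"
    rm -f "$tmp"
}
demo

# The real check with SSSD's expectation of root.root; run as root if
# /etc/sssd is not traversable by your user.
if [ -e /etc/sssd/sssd.conf ]; then
    check_private_config /etc/sssd/sssd.conf && echo "/etc/sssd/sssd.conf: ok"
fi
```

Run it as root on the affected host; a non-zero exit with the printed reason tells you whether it is the owner or the mode that SSSD will refuse, and `chown root:root /etc/sssd/sssd.conf && chmod 0600 /etc/sssd/sssd.conf` is the fix Sumit gives above.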