Hi.
I am able to reproduce this problem on Fedora 32 (sssd-2.2.3-20), however I am not able to reproduce this on CentOS 8 (sssd-2.3.1-2). This suggests the problem was introduced somewhere between sssd 2.2.3 and 2.3.1.
Config on both systems is the same: machines added to the IPA domain, user account has both a cert configured for PKINIT and OTP.
Attempting to log in on CentOS 8 displays a prompt for the Smart Card PIN; attempting to log in on Fedora 32 displays a prompt for OTP factors.
I've tried to analyze the problem and it seems that sss_krb5_prompter always tries otp on Fedora, even though p11_child finishes successfully and returns the correct user certificate.
On CentOS 8:
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143791: Upgrading to FAST due to presence of PA_FX_FAST in reply
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143815: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143816: Received cookie: MIT
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so:slotid=0:token=rkujawa] flags [0].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143817: Preauth module pkinit (147) (info) returned: 0/Success
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): Prompt [0][rkujawa PIN].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
On Fedora 32:
(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050398: Upgrading to FAST due to presence of PA_FX_FAST in reply
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050422: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050423: Received cookie: MIT
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_krb5_responder] (0x4000): Got question [otp].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Vendor [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Token-ID [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Challenge [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Flags [1].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x2000): Exit answer_otp during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [11] during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [k5c_send_data] (0x0200): Received error code 0
(2020-09-09 21:18:16): [krb5_child[1823]] [pack_response_packet] (0x2000): response packet size: [15]
(2020-09-09 21:18:16): [krb5_child[1823]] [k5c_send_data] (0x4000): Response sent.
(2020-09-09 21:18:16): [krb5_child[1823]] [main] (0x0400): krb5_child completed successfully
This results in the PIN never being asked for on Fedora.
Unfortunately at this moment I am not able to deliver full logs. Hopefully Jan will send full logs from his setup ;).
Best regards, Radoslaw
On Wed, Sep 09, 2020 at 09:55:12PM +0200, Radek Kujawa via FreeIPA-users wrote:
Hi.
I am able to reproduce this problem on Fedora 32 (sssd-2.2.3-20), however I am not able to reproduce this on CentOS 8 (sssd-2.3.1-2). This suggests the problem was introduced somewhere between sssd 2.2.3 and 2.3.1.
Config on both systems is the same: machines added to the IPA domain, user account has both a cert configured for PKINIT and OTP.
Attempting to log in on CentOS 8 displays a prompt for the Smart Card PIN; attempting to log in on Fedora 32 displays a prompt for OTP factors.
I've tried to analyze the problem and it seems that sss_krb5_prompter always tries otp on Fedora, even though p11_child finishes successfully and returns the correct user certificate.
Hi,
thanks for the logs, it helps me to understand what is going on. Can you send the version of the krb5-libs package you are using on CentOS-8 and F32 as well?
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Can you send the version of the krb5-libs package you are using on CentOS-8 and F32 as well?
F32: krb5-libs-1.18.2-20.fc32.x86_64 CentOS 8: krb5-libs-1.17-18.el8.x86_64
Btw. I have downgraded SSSD to 2.2.3 on F32, but the problem persists. In my original email I switched around the SSSD versions used on CentOS and Fedora. But now I have the same version on both, so I guess my theory about it being a problem with SSSD could have been wrong:
F32: sssd-2.2.3-13.fc32.x86_64 CentOS 8: sssd-2.2.3-20.el8.x86_64
Best regards, Radoslaw
On Thu, Sep 10, 2020 at 11:13:51AM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
Can you send the version of the krb5-libs package you are using on CentOS-8 and F32 as well?
F32: krb5-libs-1.18.2-20.fc32.x86_64 CentOS 8: krb5-libs-1.17-18.el8.x86_64
Btw. I have downgraded SSSD to 2.2.3 on F32, but the problem persists. In my original email I switched around the SSSD versions used on CentOS and Fedora. But now I have the same version on both, so I guess my theory about it being a problem with SSSD could have been wrong:
Hi,
the issue is on the SSSD side. I assume the order in which the pre-authentication methods are returned by libkrb5 has changed. So far SSSD implicitly assumed that PKINIT comes first and hence did not enforce the order. I will add some code to make sure PKINIT is preferred over OTP and password if a Smartcard is present.
bye, Sumit
Hi.
On 9/10/20 12:17 PM, Sumit Bose via FreeIPA-users wrote:
So far SSSD implicitly assumed that PKINIT comes first and hence did not enforce the order. I will add some code to make sure PKINIT is preferred over OTP and password if a Smartcard is present.
Awesome, please let me know when the code is present in SSSD repo. I will build it and test.
Best regards,
Radoslaw
On Thu, Sep 10, 2020 at 02:04:52PM +0200, Radosław Kujawa via FreeIPA-users wrote:
Hi.
On 9/10/20 12:17 PM, Sumit Bose via FreeIPA-users wrote:
So far SSSD implicitly assumed that PKINIT comes first and hence did not enforce the order. I will add some code to make sure PKINIT is preferred over OTP and password if a Smartcard is present.
Awesome, please let me know when the code is present in SSSD repo. I will build it and test.
Hi,
just to be on the safe side, have you installed the krb5-pkinit package on Fedora 32?
bye, Sumit
Hi.
On 9/10/20 5:31 PM, Sumit Bose via FreeIPA-users wrote:
just to be on the safe side, have you installed the krb5-pkinit package on Fedora 32?
Sigh... the krb5-pkinit was somehow absent on Fedora 32. Thank you for help and sorry for the noise.
Although, could SSSD somehow detect this situation? I mean, when Smart card credentials are present, but Kerberos PKINIT library is absent? An appropriate error message would save a lot of time spent on debugging this ;).
I will coordinate with Jan to check if it is the same problem on his Ubuntu.
Best regards, Radoslaw
On 9/10/20 6:48 PM, Radoslaw Kujawa via FreeIPA-users wrote:
I will coordinate with Jan to check if it is the same problem on his Ubuntu.
Indeed, all of these problems boil down to a missing krb5-pkinit package.
I was confused, because even though krb5-pkinit was missing, the Smart Card authentication _was_ working (when OTP was disabled). So it didn't occur to me that could be the cause.
Best regards, Radoslaw
On Fri, Sep 11, 2020 at 07:30:53PM +0200, Radoslaw Kujawa via FreeIPA-users wrote:
On 9/10/20 6:48 PM, Radoslaw Kujawa via FreeIPA-users wrote:
I will coordinate with Jan to check if it is the same problem on his Ubuntu.
Indeed, all of these problems boil down to a missing krb5-pkinit package.
I was confused, because even though krb5-pkinit was missing, the Smart Card authentication _was_ working (when OTP was disabled). So it didn't occur to me that could be the cause.
Hi,
if OTP is not available and a Smartcard is available, SSSD prefers the Smartcard over password authentication (everything is better than a password) and switches to local/offline Smartcard authentication. In this case you won't get a Kerberos TGT, but you will be authenticated based on the inserted Smartcard and your knowledge of the PIN. This is the same scheme used if the system is offline.
About adding a warning that krb5-pkinit is missing, that would be possible. But since there are valid use-cases where the pkinit module is missing, e.g. the server side does not support pkinit, I think this message would only be shown in the SSSD logs with a certain debug_level. Do you think this would help?
bye, Sumit
Hi.
On 9/15/20 11:54 AM, Sumit Bose via FreeIPA-users wrote:
About adding a warning that krb5-pkinit is missing, that would be possible. But since there are valid use-cases where the pkinit module is missing, e.g. the server side does not support pkinit, I think this message would be only shown in the SSSD logs with a certain debug_level. Do you think this would help?
It would definitely be better than the current situation. If anyone runs into this problem in the future, even a debug message would help.
Best regards, Radoslaw
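Since the thread ends with a request for a diagnostic message that SSSD does not yet emit, here is an added example (not SSSD's code, not from anyone on the list) of the check an administrator can run themselves today: a small Python script that replays krb5_child debug lines like the two excerpts earlier in the thread, groups them per child process, and flags the pattern Sumit describes, a Smartcard found and the KDC offering PA-PK-AS-REQ, yet the SSSD responder never asked the pkinit question and went straight to OTP. It also checks whether the PKINIT preauth plugin file exists on disk. The sample log lines are copied from the thread; the plugin path is assumed to be the one the krb5-pkinit package installs on Fedora/RHEL (/usr/lib64/krb5/plugins/preauth/pkinit.so) and should be adjusted for other distributions.

```python
"""Flag SSSD krb5_child runs where a Smartcard was found but libkrb5 never
asked the pkinit responder question.  Added example, not part of SSSD."""
import os
import re
from collections import defaultdict

# Assumed location of the plugin shipped by krb5-pkinit on Fedora/RHEL.
PKINIT_PLUGIN_DIR = "/usr/lib64/krb5/plugins/preauth"

# Matches both debug-log layouts that appear in the thread:
#   "(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [func] (0x4000): msg"
#   "(2020-09-09 21:18:16): [krb5_child[1823]] [func] (0x4000): msg"
LINE_RE = re.compile(
    r"krb5_child\[(?P<pid>\d+)\]+\s+\[(?P<func>\w+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
QUESTION_RE = re.compile(r"Got question \[(\w+)\]")
PREAUTH_RE = re.compile(r"Processing preauth types: (.*)")

# Sample lines copied from the thread (healthy CentOS 8 run, broken Fedora 32 run).
CENTOS_LOG = [
    "(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.",
    "(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143815: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)",
    "(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].",
    "(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): Prompt [0][rkujawa PIN].",
]
FEDORA_LOG = [
    "(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.",
    "(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050422: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR (137)",
    "(2020-09-09 21:18:16): [krb5_child[1823]] [sss_krb5_responder] (0x4000): Got question [otp].",
    "(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x2000): Exit answer_otp during pre-auth.",
]

EXPLANATION = {
    "no-smartcard": "no Smartcard credentials were found; PKINIT was never attempted",
    "pkinit-attempted": "PKINIT responder question was asked (expected, healthy run)",
    "pkinit-skipped-client-side": "KDC offered PA-PK-AS-REQ but the client never asked the "
                                  "pkinit question; check that the krb5-pkinit plugin is installed",
    "pkinit-not-offered-by-kdc": "KDC did not offer PA-PK-AS-REQ; server-side PKINIT is not enabled",
}


def parse_line(line):
    """Return (pid, function, message) for a krb5_child debug line, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m.group("pid"), m.group("func"), m.group("msg")


def diagnose(lines):
    """Map each krb5_child pid seen in `lines` to a verdict key from EXPLANATION."""
    runs = defaultdict(lambda: {"smartcard": False, "questions": [], "kdc_pkinit": False})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, func, msg = parsed
        run = runs[pid]
        if func == "get_and_save_tgt" and "Found Smartcard credentials" in msg:
            run["smartcard"] = True
        elif func == "sss_krb5_responder":
            q = QUESTION_RE.search(msg)
            if q:
                run["questions"].append(q.group(1))
        elif func == "sss_child_krb5_trace_cb":
            p = PREAUTH_RE.search(msg)
            # PA-PK-AS-REQ (16) in the KDC's list means the server side supports PKINIT.
            if p and "PA-PK-AS-REQ (16)" in p.group(1):
                run["kdc_pkinit"] = True
    verdicts = {}
    for pid, run in runs.items():
        if not run["smartcard"]:
            verdicts[pid] = "no-smartcard"
        elif "pkinit" in run["questions"]:
            verdicts[pid] = "pkinit-attempted"
        elif run["kdc_pkinit"]:
            verdicts[pid] = "pkinit-skipped-client-side"
        else:
            verdicts[pid] = "pkinit-not-offered-by-kdc"
    return verdicts


def pkinit_plugin_present(plugin_dir=PKINIT_PLUGIN_DIR):
    """True if the libkrb5 PKINIT preauth plugin file exists in plugin_dir."""
    return os.path.isfile(os.path.join(plugin_dir, "pkinit.so"))


if __name__ == "__main__":
    for name, log in (("CentOS 8", CENTOS_LOG), ("Fedora 32", FEDORA_LOG)):
        for pid, verdict in diagnose(log).items():
            print(f"{name} krb5_child[{pid}]: {verdict}: {EXPLANATION[verdict]}")
    print("pkinit.so present on this host:", pkinit_plugin_present())
```

Run it against a real log with `diagnose(open("/var/log/sssd/krb5_child.log").readlines())`; the "pkinit-skipped-client-side" verdict is exactly the Fedora 32 situation in the thread, and combined with `pkinit_plugin_present()` returning False it points straight at the missing krb5-pkinit package rather than at SSSD's preauth ordering.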