Sssd-maintainers June 2023

sssd-maintainers@lists.fedoraproject.org

1 participants
6 discussions

[Bug 1886841] New: Pinpad card reader for login authentication yet you are asked also enter pin on pc keyboard
by bugzilla＠redhat.com 08 Nov '24

08 Nov '24

https://bugzilla.redhat.com/show_bug.cgi?id=1886841 Bug ID: 1886841 Summary: Pinpad card reader for login authentication yet you are asked also enter pin on pc keyboard Product: Fedora Version: 32 Hardware: x86_64 URL: https://lists.fedoraproject.org/archives/list/freeipa- users(a)lists.fedorahosted.org/thread/FLLIA5RLHT3MO4NI2F 3MJNMBBNGGZA4Z/ OS: Linux Status: NEW Component: sssd Severity: high Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: peter(a)unix-edu.se QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, rharwood(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Build Identifier: Hello Folks! We are working on getting smart card authentication working using pinpad card readers for improved security. To do this we use: FreeIPA Server is running on Fedora 32 with latest updates. FreeIPA Clients is Fedora 32 Workstation installed on pc with latest updates with connected usb card reader. The card reader is Gemalto CT700 with pinpad, we use several user individual SmartCard HSM 4K with FreeIPA signed certificates on them. FreeIPA Clients run OpenSC and are configured to use smartcard certificate based authentication, setup per Smartare HSM best practice. Further clients are using SSSD and not PAM_PKCS#11. All working great using smartcard for authentication, as long not enabling the pinpad in opensc. If doing so we are prompted for the PIN not only in the pinpad reader but also GDM prompts you to enter PIN on keyboard. Expected result is to be logged in directly after entering correct PIN code on pinpad reader, not being prompted by GDM to enter PIN on keyboard as well. If enabling pinpad in opensc, login gets a bit odd: 1. Fedora 32 Workstation GDM menu prompts a few users that can login. 2. Smartcard is inserted in reader. 3. GDM blanks out the screen and smartcard reader prompts to enter PIN in its lcd display. 4. Entering pin on smartcard reader followed by pressing ok button on smartcard reader at getting result Pin OK in reader display. 5. GDM now prompts for entering PIN on keyboard, this is unexpected, instead of directly being logged in to the window manager, here Gnome (or xfce, whatever window manager you selected to use). 6. You have to enter the PIN now on keyboard, followed by hitting enter. 7. Once again smartcard reader now prompts for PIN in its lcd display. 8. Entering PIN on the smartcard pinpad reader followed by pressing pinpad ok button. 9. You are now logged in, and all is normal. If ripping out the smartcard from reader the screen locks, as expected. Sometimes, but not always, you are logged in to window manager directly after step 5. What could this be, anyone who have seen this before or know how to set it up ? Reproducible: Always Steps to Reproduce: 1. Install and setup FreeIPA server and client on Fedora32 latest updates to use smartcard authentication for login. Work on IPA Server: ------------------- Install Fedora 32 server minimal installation all excluded, update to latest version (dnf update -y), set hostname, enter server hostname (ipaserver.mydomain.com) and ip in /etc/hosts, enable and start chrony, reboot. (As root user) dnf install ipa-server bind-dyndb-ldap ipa-server-dns -y for SERVICES in ntp http https ldap ldaps kerberos kpasswd dns; do firewall-cmd --permanent --add-service=$SERVICES; done ipa-server-install --setup-dns . . . Add one secondary DNS in /etc/NetworkManager/conf.d/zzz-ipa.conf klist kinit admin authselect select sssd with-sudo with-mkhomedir ipa user-add user3 --first=user3 --last=test --email=user3(a)mydomain.com --shell=/bin/bash --password id user3 ipa user-find user3 ssh user3(a)ipaserver.mydomain.com (change password) reboot (As root user) klist kinit admin ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh chmod u+x config-server-for-smart-card-auth.sh ./config-server-for-smart-card-auth.sh /etc/ipa/ca.crt . . reboot ipa-advise config-client-for-smart-card-auth > /tmp/config-client-for-smart-card-auth.sh chmod a+r /tmp/config-client-for-smart-card-auth.sh Work on Fedora 32 workstation: ------------------------------ Install Fedora 32 Workstation from live dvd to PC, update to latest version (dnf update -y), set hostname, enter server hostname (workstation.mydomain.com) and ip in /etc/hosts, enable and start chrony. change/add to /etc/sysconfig/network-scripts/reboot, so IPA server becomes primary DNS for the Fedora 32 Workstation: PEERDNS=no DNS1=<ipa server ip address> DNS2=<second dns server> SEARCH=mydomain.com DOMAIN=mydomain.com Then reboot Login and check that DNS is working. (as root user) dnf install freeipa-client.x86_64 -y ipa-client-install --mkhomedir id user3 reboot Connect gemalto CT700 card reader to pc/Fedora Workstation. lsusb dnf install opensc ccid pcsc-tools -y systemctl enable pcscd systemctl start pcscd scp user3@ipaserver:/tmp/config-client-for-smart-card-auth.sh . chmod +x config-client-for-smart-card-auth.sh ./config-client-for-smart-card-auth.sh /etc/ipa/ca.crt . . . In /etc/opensc.conf enable pinpad by uncommenting enable_pinpad = true; Ensure pam_cert_auth is true in sssd.conf: grep ^pam_cert_auth /etc/sssd/sssd.conf pam_cert_auth = True authselect select sssd with-mkhomedir with-sudo with-smartcard with-smartcard-lock-on-removal --force authselect current reboot 2. Prepare smartcard-hsm with user3 certificate using (as root user) kinit admin Insert smartcard-hsm in gemalto ct700 card reader! pcsc_scan Using reader plug'n play mechanism Scanning present readers... 0: Gemalto Ezio Shield (I<some number>) 00 00 Wed Sep 23 14:12:27 2020 Reader 0: Gemalto Ezio Shield (I<some number>) 00 00 . . . Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): <some hex number> Smartcard-HSM http://www.cardcontact.de/products/sc-hsm.html pensc-tool --list-readers # Detected readers (pcsc) Nr. Card Features Name 0 Yes PIN pad Gemalto Ezio Shield (I<some number>) 00 00 pkcs11-tool --list-slots Available slots: Slot 0 (0x0): Gemalto Ezio Shield (I<some number>) 00 00 token label : UserPIN (SmartCard-HSM) token manufacturer : www.CardContact.de token model : PKCS#15 emulated token flags : login required, PIN pad present, rng, token initialized, PIN initialized hardware version : 24.13 firmware version : 2.5 serial num : DECM<some number> pin min/max : 6/15 sc-hsm-tool --create-dkek-share dkek-share-1.pbe . . . sc-hsm-tool --initialize --so-pin <long pincode> --pin <pincode> --dkek-shares 1 sc-hsm-tool . . . DKEK shares : 1 DKEK import pending, 1 share(s) still missing sc-hsm-tool --import-dkek-share dkek-share-1.pbe . . . Enter password to decrypt DKEK share : <pincode> sc-hsm-tool . . . DKEK shares : 1 DKEK key check value : <some hex code> # generate keypair pkcs11-tool --module opensc-pkcs11.so --login --pin <pincode> --keypairgen --key-type rsa:2048 --id 10 --label "HSM RSA Key user3" pkcs11-tool --list-objects . . . pkcs11-tool --test --login --pin <pincode> . . . # Backup DKEK sc-hsm-tool --wrap-key wrap-key-1.bin --key-reference 1 --pin <pincode> # Extract card public key for slot 10 pkcs15-tool --read-public-key 10 > user3.pub # Prepping for and Create CSR to sign by IPA for user3 # Create a file hsm.conf with the content below cat hsm.conf # PKCS11 engine config openssl_conf = openssl_def [openssl_def] engines = engine_section [req] distinguished_name = req_distinguished_name [req_distinguished_name] # empty. [engine_section] pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 PIN = init = 0 # Test that hsm.conf is working, and find pkcs11 engine OPENSSL_CONF=./hsm.conf openssl engine (rdrand) Intel RDRAND engine (dynamic) Dynamic engine loading support (pkcs11) pkcs11 engine # Create CSR to sign by IPA for user3 OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 10 -sha256 -out user3.csr -subj "/CN=user3" Login to IPA server using the web interface https://ipaserver.mydomain.com (this can be performed from command line as well, but we did use the web interface to IPA) user user3 Actions -> new certificate select profile IECuserRoles copy "user3.csr" from above and paste it in and click "issue" (IPA now sign the CSR) To retrieve the signed certificate for user3: user user3 by Certificates click Actions -> Download and save as. (it downloads as cert.pem) Copy the downloaded cerificate (cert.pem) to host with card reader (Fedora 32 Workstation) Rename it: mv cert.pem user3.pem # convert to der format: openssl x509 -in user3.pem -out user3.der -outform der # write it to the card in slot 10 pkcs11-tool --module opensc-pkcs11.so --login --pin <pincode> --write-object user36.der --type cert --id 10 # check that it is there: pkcs11-tool --list-objects Using slot 0 with a present token (0x0) Certificate Object; type = X.509 cert label: Certificate subject: DN: O=MYDOMAIN.COM, CN=user3 ID: 10 Public Key Object; RSA 2048 bits label: Certificate ID: 10 Usage: encrypt, verify Smartcard should now be ready for use with IPA. 3. Now try login to workstation.mydomain.com using GDM using the smartcard issued for user3 Note! user3 password must not have been expired, it should be fixed by the initial login test above. As per details above: 1. Fedora 32 Workstation GDM menu prompts a few users that can login. 2. Smartcard is inserted in reader. 3. GDM blanks out the screen and smartcard reader prompts to enter PIN in its lcd display. 4. Entering pin on smartcard reader followed by pressing ok button on smartcard reader at getting result Pin OK in reader display. 5. GDM now prompts for entering PIN on keyboard, this is unexpected, instead of directly being logged in to the window manager, here Gnome (or xfce, whatever window manager you selected to use). 6. You have to enter the PIN now on keyboard, followed by hitting enter. 7. Once again smartcard reader now prompts for PIN in its lcd display. 8. Entering PIN on the smartcard pinpad reader followed by pressing pinpad ok button. 9. You are now logged in, and all is normal. If ripping out the smartcard from reader the screen locks, as expected. Sometimes, but not always, you are logged in to window manager directly after step 5. Actual Results: You are asked to enter PIN using pinpad on card reader followed by enter PIN using the keyboard, then you are logged in. Sometimes you need to enter PIN on pinpad once more after entering PIN using the keyboard. Expected Results: Directly after entering correct PIN using pinpad on card reader you should be logged in. Versions: Fedora32 with latest updates per Oct 9 2020. freeipa-server-4.8.10-5.fc32.x86_64 freeipa-client-4.8.10-5.fc32.x86_64 sssd-client-2.3.1-2.fc32.x86_64 opensc-0.20.0-6.fc32.x86_64 pcsc-lite-libs-1.9.0-1.fc32.x86_64 -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.

1 13

[Bug 2214534] New: [abrt] sssd-common: __strcmp_avx2(): sssd_be killed by SIGSEGV
by bugzilla＠redhat.com 22 May '24

22 May '24

https://bugzilla.redhat.com/show_bug.cgi?id=2214534 Bug ID: 2214534 Summary: [abrt] sssd-common: __strcmp_avx2(): sssd_be killed by SIGSEGV Product: Fedora Version: 38 Hardware: x86_64 Status: NEW Whiteboard: abrt_hash:a07038fd78acc47fd66b266203cafebd50509e00;VAR IANT_ID=workstation; Component: sssd Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: jortialc(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, luk.claes(a)gmail.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Description of problem: This happens when doing some privilege escalation like using sudo or the authentication required dialog in Gnome Version-Release number of selected component: sssd-common-2.9.0-1.fc38 Additional info: reporter: libreport-2.17.10 type: CCpp reason: sssd_be killed by SIGSEGV journald_cursor: s=025af2782fd445c2a5eb791571c74138;i=250aa;b=61468fbb4dd141e9b488d260f287c4ef;m=69ee27e2a;t=5fd9e17d98e50;x=b86133abd50e6842 executable: /usr/libexec/sssd/sssd_be cmdline: /usr/libexec/sssd/sssd_be --domain ipa.redhat.com --uid 0 --gid 0 --logger=files cgroup: 0::/system.slice/sssd.service rootdir: / uid: 0 kernel: 6.3.5-200.fc38.x86_64 package: sssd-common-2.9.0-1.fc38 runlevel: N 5 backtrace_rating: 4 crash_function: __strcmp_avx2 comment: This happens when doing some privilege escalation like using sudo or the authentication required dialog in Gnome Truncated backtrace: Thread no. 1 (21 frames) #0 __strcmp_avx2 at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:283 #1 be_resolve_server_process at src/providers/data_provider_fo.c:691 #2 be_resolve_server_done at src/providers/data_provider_fo.c:557 #3 fo_resolve_service_server at src/providers/fail_over.c:1169 #4 _tevent_req_error at ../../tevent_req.c:221 #5 resolve_srv_done at src/providers/fail_over.c:1480 #6 fo_discover_srv_done at src/providers/fail_over_srv.c:141 #7 resolv_getsrv_done at src/resolv/async_resolv.c:1877 #8 qcallback at /usr/src/debug/c-ares-1.19.1-1.fc38.x86_64/src/lib/ares_query.c:143 #9 end_query at /usr/src/debug/c-ares-1.19.1-1.fc38.x86_64/src/lib/ares_process.c:1525 #10 process_answer at /usr/src/debug/c-ares-1.19.1-1.fc38.x86_64/src/lib/ares_process.c:598 #11 read_udp_packets at /usr/src/debug/c-ares-1.19.1-1.fc38.x86_64/src/lib/ares_process.c:548 #12 processfds at /usr/src/debug/c-ares-1.19.1-1.fc38.x86_64/src/lib/ares_process.c:126 #13 tevent_common_invoke_fd_handler at ../../tevent_fd.c:142 #14 epoll_event_loop at ../../tevent_epoll.c:737 #15 epoll_event_loop_once at ../../tevent_epoll.c:938 #16 std_event_loop_once at ../../tevent_standard.c:110 #17 _tevent_loop_once at ../../tevent.c:823 #18 tevent_common_loop_wait at ../../tevent.c:949 #19 std_event_loop_wait at ../../tevent_standard.c:141 #20 server_loop at src/util/server.c:787 Potential duplicate: bug 1773488 -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2214534 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 15

[Bug 2168743] New: Known valid Windows AD Domain credential refused for domain "joined" F37 workstation
by bugzilla＠redhat.com 12 Jan '24

12 Jan '24

https://bugzilla.redhat.com/show_bug.cgi?id=2168743 Bug ID: 2168743 Summary: Known valid Windows AD Domain credential refused for domain "joined" F37 workstation Product: Fedora Version: 37 Hardware: x86_64 OS: Linux Status: NEW Component: sssd Severity: high Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: cjm(a)tryx.org QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, luk.claes(a)gmail.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Created attachment 1943194 --> https://bugzilla.redhat.com/attachment.cgi?id=1943194&action=edit /var/log/sssd/sssd_TCLC.org.log Description of problem: login:cjm@tclc.org Password: Permission denied Version-Release number of selected component (if applicable): sssd version: 2.8.2 How reproducible: 100% Steps to Reproduce: 1. Join the Fedora workstation to the Windows AD Domain 2. Log in as a user with known valid credentials. Credentials are known to be good because they have worked for ten years on a Windows workstation domain member. Actual results: login:cjm@tclc.org Password: Permission denied Expected results: login:cjm@tclc.org Password: $ Additional info: # adcli info adcli: specify a domain to discover [root@worx ~]# adcli info tclc.org [domain] domain-name = TCLC.org domain-short = TCLC domain-forest = TCLC.org domain-controller = Aequitas.TCLC.org domain-controller-site = Default-First-Site-Name domain-controller-flags = pdc gc ldap ds kdc timeserv closest writable good-timeserv full-secret ads-web domain-controller-usable = yes domain-controllers = Aequitas.TCLC.org [computer] computer-site = Default-First-Site-Name # adcli show-computer -U sa Password for sa(a)TCLC.ORG: sAMAccountName: WORX$ userPrincipalName: - not set - msDS-KeyVersionNumber: 3 msDS-supportedEncryptionTypes: 24 dNSHostName: worx.tclc.org servicePrincipalName: RestrictedKrbHost/worx.tclc.org RestrictedKrbHost/WORX host/worx.tclc.org host/WORX operatingSystem: redhat-linux-gnu operatingSystemVersion: - not set - operatingSystemServicePack: - not set - pwdLastSet: 133204401440679346 userAccountControl: 69632 description: - not set - -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2168743

1 22

[Bug 1857104] New: Using FreeIPA breaks IPv4/IPv6 flags for SSH
by bugzilla＠redhat.com 14 Sep '23

14 Sep '23

https://bugzilla.redhat.com/show_bug.cgi?id=1857104 Bug ID: 1857104 Summary: Using FreeIPA breaks IPv4/IPv6 flags for SSH Product: Fedora Version: 32 Status: NEW Component: sssd Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: ossman(a)cendio.se QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, rharwood(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Description of problem: If a client is configured using ipa-client-install then the -4 and -6 flags stop working for ssh. Version-Release number of selected component (if applicable): Doesn't matter. Seen on RHEL 6 through 8, and on current Fedora. How reproducible: 100% Steps to Reproduce: 1. ipa-client-install 2. ssh -4 host.example.com Actual results: Connected via IPv6 Expected results: Connected via IPv4 Additional info: The bug is that sss_ssh_knownhostsproxy is configured on the client and that command doesn't respect the flags given to ssh. The issue affects all hosts, not just those part of the same FreeIPA domain. A practical effect of this is that connections get rejected or misbehave because of IP based rules in place for this connection. -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug.

1 19

[Bug 2217912] New: Missing libsss_simpleifp makes ipsilon-infosssd uninstallable
by bugzilla＠redhat.com 28 Jun '23

28 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2217912 Bug ID: 2217912 Summary: Missing libsss_simpleifp makes ipsilon-infosssd uninstallable Product: Fedora Version: rawhide OS: Linux Status: NEW Component: sssd Severity: medium Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: jpazdziora(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, luk.claes(a)gmail.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora On Fedora rawhide, installation of ipsilon-infosssd now fails due to missing libsss_simpleifp dependency. Reproducible: Always Steps to Reproduce: 1. dnf install ipsilon-infosssd Actual Results: Last metadata expiration check: 0:04:57 ago on Tue Jun 27 12:50:04 2023. Error: Problem: conflicting requests - nothing provides libsss_simpleifp needed by ipsilon-infosssd-3.0.4-6.fc39.noarch from rawhide (try to add '--skip-broken' to skip uninstallable packages) Expected Results: No error, ipsilon-infosssd installed. -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2217912 Report this comment as SPAM: https://bugzilla.redhat.com/enter_bug.cgi?product=Bugzilla&format=report-sp…

1 3

[Bug 2212343] New: kinit: Connection refused while getting default ccache (broken sssd)
by bugzilla＠redhat.com 06 Jun '23

06 Jun '23

https://bugzilla.redhat.com/show_bug.cgi?id=2212343 Bug ID: 2212343 Summary: kinit: Connection refused while getting default ccache (broken sssd) Product: Fedora Version: 38 Hardware: x86_64 OS: Linux Status: NEW Component: sssd Severity: medium Assignee: sssd-maintainers(a)lists.fedoraproject.org Reporter: thofman(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: abokovoy(a)redhat.com, atikhono(a)redhat.com, jhrozek(a)redhat.com, lslebodn(a)redhat.com, luk.claes(a)gmail.com, mzidek(a)redhat.com, pbrezina(a)redhat.com, sbose(a)redhat.com, ssorce(a)redhat.com, sssd-maintainers(a)lists.fedoraproject.org Target Milestone: --- Classification: Fedora Hello, on freshly installed system, after installing krb5-workstation and configuring /etc/krb5.conf, I'm unable to use `kinit` command: ``` $ kinit thofman(a)REDHAT.COM kinit: Connection refused while getting default ccache ``` Complete output of `KRB5_TRACE=/dev/stderr strace -f klist` is attached bellow. Notably, strace shows lines like: ``` connect(4, {sa_family=AF_UNIX, sun_path="/var/run/.heim_org.h5l.kcm-socket"}, 110) = -1 ECONNREFUSED (Connection refused) ``` Not sure if this is related, but sssd is installed (was in base installation?) but does not start: ``` $ systemctl status sssd ○ sssd.service - System Security Services Daemon Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; preset: ena> Drop-In: /usr/lib/systemd/system/service.d └─10-timeout-abort.conf Active: inactive (dead) Condition: start condition failed at Mon 2023-06-05 10:03:58 CEST; 43min ago ├─ ConditionPathExists=|/etc/sssd/sssd.conf was not met └─ ConditionDirectoryNotEmpty=|/etc/sssd/conf.d was not met Jun 05 10:03:58 fedora systemd[1]: sssd.service - System Security Services Daem> ``` When I modify /etc/krb5.conf.d/kcm_default_ccache and comment out the line "default_ccache_name = KCM:", kinit starts to work. Reproducible: Always -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2212343

1 9

2025

2024

2023

2022

2021

2020

Sssd-maintainers June 2023