On Fri, Dec 07, 2018 at 01:09:34PM -0000, tallinn1960@yahoo.de wrote:
> My client has a working setup of sssd/kerberos/ldap utilizing yubikeys and pkinit as the login mechanism, based on sssd 1.15.2 and Ubuntu 16.04.
> My client wants to advance from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS. A test installation of the latter with the corresponding sssd version 1.16.1 does not allow yubikey-based login, although both kinit and p11_child do see the yubikey and the certificate on it. kinit with the yubikey does work.
> Analysis of the log shows that krb5_child behavior has changed. The function answer_pkinit is called with kr->pd->cmd set to SSS_PAM_AUTHENTICATE and kr->pd->authtok set to SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, but with kr->pd->cmd set to SSS_PAM_PREAUTH and kr->pd->authtok set to 0 in 1.16.1, causing the function to skip all pkinit/smartcard-related prompting and processing.
> Both installations are using the same sssd.conf, krb5.conf etc.
Can you share the full logs with debug_level=9?
The behavior you described above is expected and you should see a similar SSS_PAM_PREAUTH step in 1.15.2 as well.
The SSS_PAM_PREAUTH step is run first, before the user is asked for a PIN or a password, to check which authentication methods are available for the user on the KDC. Based on the result the user is prompted and then SSS_PAM_AUTHENTICATE is run.
Are you prompted for a PIN or a password with 1.16.1? Is the Kerberos pkinit plugin installed on the system running 1.16.1? Can you check the system log if pcscd says that access is denied for the user trying to log in?
bye, Sumit
> How shall we fix this?

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
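A small diagnostic script for the three checks Sumit asks for above (added here as an example; it is not sssd code and not from the thread). It assumes the Debian/Ubuntu pkinit plugin path and that krb5_child.log names the PAM command symbolically, as quoted in the report; both assumptions can be overridden through environment variables.

```shell
#!/bin/sh
# Added diagnostic helper (not sssd code). Assumptions: the Debian/Ubuntu
# krb5-pkinit plugin path below, and krb5_child.log lines that contain the
# symbolic PAM command names. If your log shows numeric codes instead,
# override PREAUTH_PAT / AUTH_PAT with the codes your version prints.
PKINIT_PLUGIN="${PKINIT_PLUGIN:-/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so}"
PREAUTH_PAT="${PREAUTH_PAT:-SSS_PAM_PREAUTH}"
AUTH_PAT="${AUTH_PAT:-SSS_PAM_AUTHENTICATE}"

# Is the Kerberos pkinit preauth plugin installed? Prints "present" or "missing".
pkinit_plugin_status() {
    if [ -f "$1" ]; then echo present; else echo missing; fi
}

# Read krb5_child debug log text on stdin and classify the PAM sequence:
#   ok           - both a PREAUTH and an AUTHENTICATE step were logged (expected)
#   preauth-only - PREAUTH seen, but AUTHENTICATE never ran (prompt never reached)
#   none         - neither seen (wrong log file, or debug_level too low)
pam_sequence() {
    log=$(cat)
    pre=$(printf '%s\n' "$log" | grep -c "$PREAUTH_PAT") || true
    auth=$(printf '%s\n' "$log" | grep -c "$AUTH_PAT") || true
    if [ "$pre" -gt 0 ] && [ "$auth" -gt 0 ]; then echo ok
    elif [ "$pre" -gt 0 ]; then echo preauth-only
    else echo none; fi
}

# Count journal lines on stdin in which pcscd reports a denial (prints a number).
pcscd_denials() {
    grep -i 'pcscd' | grep -ci 'denied' || true
}

# Run against the live system with:  sh check.sh live   (root needed for the journal)
if [ "${1:-}" = live ]; then
    echo "pkinit plugin: $(pkinit_plugin_status "$PKINIT_PLUGIN")"
    echo "krb5_child PAM sequence: $(pam_sequence < /var/log/sssd/krb5_child.log)"
    echo "pcscd denials this boot: $(journalctl -b | pcscd_denials)"
fi
```

Set debug_level=9 in sssd.conf before reproducing the login so that krb5_child.log actually contains the command entries the second check looks for.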