On Fri, Dec 07, 2018 at 01:09:34PM -0000, tallinn1960(a)yahoo.de wrote:
> My client has a working setup of sssd/kerberos/ldap utilizing
> yubikeys and pkinit as the login mechanism, based on sssd 1.15.2 and Ubuntu 16.04.
> My client wants to advance from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS. A test installation
> of the latter with the corresponding sssd version 1.16.1 does not allow yubikey-based
> login, although both kinit and p11_child do see the yubikey and the certificate on it.
> kinit with the yubikey does work.
> Analysis of the logs shows that krb5_child behavior has changed. The function answer_pkinit is
> called with kr->pd->cmd set to SSS_PAM_AUTHENTICATE and kr->pd->authtok set to
> SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, but with kr->pd->cmd set to SSS_PAM_PREAUTH and
> kr->pd->authtok set to 0 in 1.16.1, causing the function to skip all
> pkinit/smartcard-related prompting and processing.
> Both installations are using the same sssd.conf, krb5.conf etc.
Can you share the full logs with debug_level=9?
The behavior you described above is expected and you should see a
similar SSS_PAM_PREAUTH step in 1.15.2 as well.
The SSS_PAM_PREAUTH step is done first, before the user is asked for a PIN
or a password, to check which authentication methods are available for
the user on the KDC. Based on the result the user is prompted and then
SSS_PAM_AUTHENTICATE is run.
Are you prompted for a PIN or a password with 1.16.1? Is the Kerberos
pkinit plugin installed on the system running 1.16.1? Can you check the
system log if pcscd says that access is denied for the user trying to
> How shall we fix this?
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: