On Thu, Dec 05, 2019 at 04:58:28PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
Hi,
What certificate is in /etc/sssd/pki/mycert.pem? It is expected that
this file contains the CA certificates which are needed to verify the
user certificate from the Smartcard, in PEM format.
bye,
Sumit
Thanks,
Brad
________________________________________
From: Sumit Bose <sbose(a)redhat.com>
Sent: Thursday, December 5, 2019 11:36 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: [non-nasa source] Re: [EXTERNAL] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
On Thu, Dec 05, 2019 at 01:47:44PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
> Hi Sumit,
>
> Sorry to top post but this thread is getting long...
>
> We ran into permissions earlier with the debug and sssd.conf, so are the rest what sssd want?
> sudo ls -la /etc/sssd
> total 28
> drwx------. 4 root root 4096 Dec 5 08:19 .
> drwxr-xr-x. 149 root root 12288 Dec 5 08:03 ..
> drwx--x--x. 2 root root 4096 Oct 22 14:39 conf.d
> drwx--x--x. 2 root root 4096 Oct 22 14:39 pki
> -rw-------. 1 root root 426 Dec 5 08:19 sssd.conf
>
> sudo ls -la /etc/sssd/pki/mycert.pem
> -rw-r--r--. 1 root root 130289 Oct 31 11:10 /etc/sssd/pki/mycert.pem
Hi,
SSSD does not read unconditionally everything in /etc/sssd/pki/. You can
either rename the file to /etc/sssd/pki/sssd_auth_ca_db.pem or add
pam_cert_db_path = /etc/sssd/pki/mycert.pem
to the [pam] section of /etc/sssd/sssd.conf.
HTH
bye,
Sumit
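As an added example (not code from the thread or from SSSD itself), a small Python check for the two failure points discussed above: the sssd.conf permission error and the p11_child "no certificate or crl found" error. It reads pam_cert_db_path from the [pam] section (falling back to the sssd_auth_ca_db.pem default name mentioned above) and counts parsable PEM certificate blocks in that file; the sssd.conf text and the certificate-free CA file in the demo are constructed.

```python
import base64
import configparser
import re
import stat

# Default CA file name SSSD looks for when pam_cert_db_path is not set.
DEFAULT_CA_DB = "/etc/sssd/pki/sssd_auth_ca_db.pem"

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def cert_db_path(sssd_conf_text):
    """Return the CA file p11_child will load: pam_cert_db_path from [pam], else the default."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    return cp.get("pam", "pam_cert_db_path", fallback=DEFAULT_CA_DB)


def count_pem_certs(pem_text):
    """Count PEM CERTIFICATE blocks whose base64 body decodes to a DER SEQUENCE (first byte 0x30).
    A file with zero such blocks is what makes X509_LOOKUP_load_file report 'no certificate or crl found'."""
    n = 0
    for body in PEM_CERT_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64
            continue
        if der[:1] == b"\x30":
            n += 1
    return n


def conf_permission_problems(mode, uid, gid):
    """Mirror the sssd.conf check from the logs: owned by root:root and accessible only by the owner."""
    problems = []
    if uid != 0 or gid != 0:
        problems.append("sssd.conf must be owned by root:root")
    if stat.S_IMODE(mode) & 0o077:
        problems.append("sssd.conf must not be group/world accessible (use 0600)")
    return problems


def diagnose(sssd_conf_text, ca_file_text, conf_mode, conf_uid=0, conf_gid=0):
    """Combine both checks; conf_mode is the st_mode of sssd.conf (e.g. from os.stat)."""
    findings = conf_permission_problems(conf_mode, conf_uid, conf_gid)
    path = cert_db_path(sssd_conf_text)
    if count_pem_certs(ca_file_text) == 0:
        findings.append(f"{path}: no PEM certificate found; p11_child init_verification will fail")
    return findings


if __name__ == "__main__":
    # Constructed sample: the thread's [pam] section and a CA file holding no PEM certificate.
    conf = "[sssd]\nservices = nss, pam\ndomains = files\n\n[pam]\npam_cert_auth = True\n" \
           "pam_cert_db_path = /etc/sssd/pki/mycert.pem\n\n[domain/files]\nid_provider = files\n"
    print(diagnose(conf, "-----BEGIN PKCS7-----\nMIIB\n-----END PKCS7-----\n", 0o100644))
```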
>
> Also I have noticed a p11_child.log in /var/log/sssd from when we tested which has this:
> (Tue Nov 5 08:46:29 2019) [[sssd[p11_child[3840]]]] [main] (0x0400): p11_child started.
> (Tue Nov 5 08:46:29 2019) [[sssd[p11_child[3840]]]] [main] (0x2000): Running in [pre-auth] mode.
> (Tue Nov 5 08:46:29 2019) [[sssd[p11_child[3840]]]] [main] (0x2000): Running with effective IDs: [0][0].
> (Tue Nov 5 08:46:29 2019) [[sssd[p11_child[3840]]]] [main] (0x2000): Running with real IDs [0][0].
> (Tue Nov 5 08:46:29 2019) [[sssd[p11_child[3840]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
> (Tue Nov 5 08:46:29 2019) [[sssd[p11_child[3840]]]] [do_work] (0x0040): init_verification failed.
> (Tue Nov 5 08:46:29 2019) [[sssd[p11_child[3840]]]] [main] (0x0040): do_work failed.
> (Tue Nov 5 08:46:29 2019) [[sssd[p11_child[3840]]]] [main] (0x0020): p11_child failed!
>
> Thanks,
> Brad
>
> ________________________________________
> From: Sumit Bose <sbose(a)redhat.com>
> Sent: Thursday, December 5, 2019 1:30 AM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] Re: [non-nasa source] Re: [EXTERNAL] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
>
> On Wed, Dec 04, 2019 at 01:55:48PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
> > Hi Sumit,
> >
> > I am starting to see more issues/bugs popping up with similar behaviour across multiple flavors/distros and they all seem to be pointing to issues with gdm-greeter auth as the underlying pcscd and opensc pieces are working.
>
> Hi,
>
> please try again to collect SSSD logs. In your other mail you only added
> the content of sssd.log. The other log files are important as well. Best
> would be to tar the /var/log/sssd directory to just include all logs.
> Before please add 'debug_level = 9' at least to the [pam] and
> [domain/...] sections of sssd.conf and restart SSSD.
>
> bye,
> Sumit
>
> >
> > Has anyone from RHEL reached out to gnome on this?
> >
> > Thanks,
> > Brad
> >
> > ________________________________________
> > From: Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] <bradley.v.zynda(a)nasa.gov>
> > Sent: Friday, November 1, 2019 10:32 AM
> > To: sssd-users(a)lists.fedorahosted.org
> > Subject: Re: [SSSD-users] Re: [non-nasa source] Re: [EXTERNAL] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
> >
> >
> >
> > ________________________________________
> > From: Sumit Bose <sbose(a)redhat.com>
> > Sent: Friday, November 1, 2019 9:59 AM
> > To: sssd-users(a)lists.fedorahosted.org
> > Subject: [SSSD-users] Re: [non-nasa source] Re: [EXTERNAL] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
> >
> > On Fri, Nov 01, 2019 at 01:45:07PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
> > >
> > >
> > > ________________________________________
> > > From: Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] <bradley.v.zynda(a)nasa.gov>
> > > Sent: Friday, November 1, 2019 9:17 AM
> > > To: sssd-users(a)lists.fedorahosted.org
> > > Subject: [non-nasa source] [SSSD-users] Re: [EXTERNAL] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
> > >
> > >
> > >
> > > ________________________________________
> > > From: Sumit Bose <sbose(a)redhat.com>
> > > Sent: Friday, November 1, 2019 8:12 AM
> > > To: sssd-users(a)lists.fedorahosted.org
> > > Subject: [EXTERNAL] [SSSD-users] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
> > >
> > > On Thu, Oct 31, 2019 at 04:38:23PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
> > > > Hello,
> > > >
> > > > pam.d/system-auth
> > > >
> > > > auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
> > > >
> > > > pam.d/smartcard-auth
> > > >
> > > > auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> > > > auth sufficient pam_sss.so ignore_authinfo_unavail require_cert_auth
> > > > auth required pam_deny.so
> > > >
> > > > account required pam_unix.so
> > > > account sufficient pam_localuser.so
> > > > account sufficient pam_succeed_if.so uid < 1000 quiet
> > > > account [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > > account required pam_permit.so
> > > >
> > > > session optional pam_keyinit.so revoke
> > > > session required pam_limits.so
> > > > -session optional pam_systemd.so
> > > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > > session required pam_unix.so
> > > > session optional pam_sss.so
> > > >
> > > >
> > > > etc/sssd/sssd.conf
> > > > [sssd]
> > > > services = nss, pam
> > > > domains = files
> > > >
> > > > [nss]
> > > >
> > > > [pam]
> > > > pam_cert_auth = True
> > > > pam_cert_db_path = /etc/sssd/pki/<cert>.pem
> > > > debug_level = 4
> > > >
> > > > [domain/files]
> > > > id_provider = files
> > > >
> > > > [certmap/files/<user>]
> > > > matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$
> > > >
> > > >
> > > > gdm.d/greeter-login
> > > > enable-smartcard-authentication=true
> > > > enable-fingerprint-authentication=false
> > > > enable-password-authentication=false
> > > >
> > > >
> > > > Reboot and get Card PIN user prompt gdm-login-greeter -> add username and click next
> > > >
> > > > Get Prompted for PIN but after a second it just fails and goes back to asking for username.
> > > >
> > > > Has anyone run into this behaviour, suggestions, fix?
> > >
> > > Hi,
> > >
> > > does it work with other services than gdm, like e.g. the console login
> > > or su?
> > >
> > > Hi Sumit, yes it works with other services and logging into PIV websites
> > >
> > > Can you send the SSSD debug logs? You currently have 'debug_level = 4'
> > > in the [pam] section. This might help for a start but it might help to
> > > avoid some round-trips if you can set 'debug_level = 9' to the [pam] and
> > > [domain/files] section, restart SSSD and run the login test again before
> > > sending the logs.
> > >
> > > On debug=4 the logs just repeat this:
> > >
> > > (Fri Nov 1 08:54:50:113927 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
> > > (Fri Nov 1 08:54:50:113983 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
> > > (Fri Nov 1 08:54:50:113994 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
> > > (Fri Nov 1 08:54:50:114015 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
> > > (Fri Nov 1 08:54:50:114024 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.
> > >
> > > -rw-r--r--. 1 root root 343 Oct 31 11:16 /etc/sssd/sssd.conf
> > >
> > > made it 640 instead <- guessing that is correct
> > >
> > > Will set debug=9 and retest
> > >
> > > Hi Sumit retested with debug 9 and still the same errors in var/log:
> > >
> > > (Fri Nov 1 09:28:20:676656 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
> > > (Fri Nov 1 09:28:20:676713 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
> > > (Fri Nov 1 09:28:20:676724 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
> > > (Fri Nov 1 09:28:20:676746 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
> > > (Fri Nov 1 09:28:20:676757 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.
> > >
> > > and the other logs have a similar entry:
> > >
> > > (Thu Oct 31 11:29:26 2019) [sssd[be[implicit_files]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
> > >
> > > Installed Packages
> > > sssd.x86_64 2.2.2-1.fc31 @anaconda
> > >
> > > -rw-r-----. 1 root root 343 Nov 1 09:20 /etc/sssd/sssd.conf
> >
> > Hi,
> >
> > just make it 0600.
> >
> > HTH
> >
> > Hi Sumit, made it 600 but the same behaviour is occurring, though the logging is now working and I have attached the output.
> >
> > Thanks,
> > Brad
> >
> > bye,
> > Sumit
> >
> > >
> > > I also verified I do not get prompted for PIN at TTY(fn+f2) for sudo or su, just password.
> > >
> > > Thanks,
> > > Brad
> > >
> > >
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Seems to be a reoccurring issue I have seen in +F28, +CentOS7 and +RHEL7 basically anything with obsolete coolkey pkcs11 authconfig.
> > > >
> > > > Thanks,
> > > > Brad
> > > > _______________________________________________
> > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.o...
> > > > List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wi...
> > > > List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.o...