My client has a working setup of sssd/kerberos/ldap utilizing yubikeys and pkinit as the
login mechanism, based on sssd 1.15.2 and Ubuntu 16.04.
My client wants to advance from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS. A test installation
of the latter with the corresponding sssd version 1.16.1 does not allow yubikey-based
login, although both kinit and p11_child do see the yubikey and the certificate on it.
Kinit with yubikey does work.
Analysis of the logs shows that krb5_child behavior has changed. The function answer_pkinit is
called with kr->pd->cmd set to SSS_PAM_AUTHENTICATE and kr->pd->authtok set to
SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, but with kr->pd->cmd set to SSS_PAM_PREAUTH and
kr->pd->authtok set to 0 in 1.16.1, causing the function to skip all
pkinit/smartcard-related prompting and processing.
Both installations are using the same sssd.conf, krb5.conf, etc.
How shall we fix this?