On Fri, Nov 01, 2019 at 01:45:07PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
From: Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] bradley.v.zynda@nasa.gov
Sent: Friday, November 1, 2019 9:17 AM
To: sssd-users@lists.fedorahosted.org
Subject: [non-nasa source] [SSSD-users] Re: [EXTERNAL] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt

From: Sumit Bose sbose@redhat.com
Sent: Friday, November 1, 2019 8:12 AM
To: sssd-users@lists.fedorahosted.org
Subject: [EXTERNAL] [SSSD-users] Re: Fedora 30 and 31 instant fail at gdm login greeter PIN prompt
On Thu, Oct 31, 2019 at 04:38:23PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] wrote:
Hello,
pam.d/system-auth

    auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth

pam.d/smartcard-auth

    auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth sufficient pam_sss.so ignore_authinfo_unavail require_cert_auth
    auth required pam_deny.so

    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account [default=bad success=ok user_unknown=ignore] pam_sss.so
    account required pam_permit.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    -session optional pam_systemd.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session optional pam_sss.so

etc/sssd/sssd.conf

    [sssd]
    services = nss, pam
    domains = files

    [nss]

    [pam]
    pam_cert_auth = True
    pam_cert_db_path = /etc/sssd/pki/<cert>.pem
    debug_level = 4

    [domain/files]
    id_provider = files

    [certmap/files/<user>]
    matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$

gdm.d/greeter-login

    enable-smartcard-authentication=true
    enable-fingerprint-authentication=false
    enable-password-authentication=false
Reboot and get Card PIN user prompt gdm-login-greeter -> add username and click next
Get Prompted for PIN but after a second it just fails and goes back to asking for username.
Has anyone run into this behaviour, suggestions, fix?
Hi,
does it work with other services than gdm, like e.g. the console login or su?
Hi Sumit, yes it works with other services and logging into PIV websites
Can you send the SSSD debug logs? You currently have 'debug_level = 4' in the [pam] section. This might help for a start but it might help to avoid some round-trips if you can set 'debug_level = 9' to the [pam] and [domain/files] section, restart SSSD and run the login test again before sending the logs.
On debug=4 the logs just repeat this:
(Fri Nov 1 08:54:50:113927 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
(Fri Nov 1 08:54:50:113983 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
(Fri Nov 1 08:54:50:113994 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
(Fri Nov 1 08:54:50:114015 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
(Fri Nov 1 08:54:50:114024 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.
-rw-r--r--. 1 root root 343 Oct 31 11:16 /etc/sssd/sssd.conf
made it 640 instead <- guessing that is correct
Will set debug=9 and retest
Hi Sumit retested with debug 9 and still the same errors in var/log:
(Fri Nov 1 09:28:20:676656 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
(Fri Nov 1 09:28:20:676713 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
(Fri Nov 1 09:28:20:676724 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
(Fri Nov 1 09:28:20:676746 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
(Fri Nov 1 09:28:20:676757 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.
and the other logs have a similar entry:
(Thu Oct 31 11:29:26 2019) [sssd[be[implicit_files]]] [orderly_shutdown] (0x0010): SIGTERM: killing children
Installed Packages
    sssd.x86_64 2.2.2-1.fc31 @anaconda
-rw-r-----. 1 root root 343 Nov 1 09:20 /etc/sssd/sssd.conf
Hi,
just make it 0600.
HTH
bye, Sumit
I also verified I do not get prompted for PIN at TTY(fn+f2) for sudo or su, just password.
Thanks, Brad
bye. Sumit
Seems to be a reoccurring issue I have seen in +F28, +CentOS7 and +RHEL7 basically anything with obsolete coolkey pkcs11 authconfig.
Thanks, Brad

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_...
List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_...
List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
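The errors in this thread ("Permission check on config file failed", "Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root") all come from the same pre-check: SSSD rejects its config unless it is root:root and mode 0600, which is why both 0644 and 0640 failed before Sumit's "just make it 0600". The script below is an added example, not code from the thread or from the SSSD project. It reproduces that check as a pre-flight test an administrator can run before restarting SSSD, prints the chown/chmod needed to fix the file, and returns a distinct exit code per failure. It assumes GNU coreutils `stat` with the `-c` format option (as on Fedora); the function name `check_sssd_conf` and the exit-code scheme are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from SSSD): reproduce SSSD's
# sssd.conf permission check so it can be run before restarting the daemon.
# Assumes GNU coreutils `stat -c` (Fedora, RHEL, CentOS).

# check_sssd_conf [PATH] [OWNER] [GROUP]
#   PATH  defaults to /etc/sssd/sssd.conf; OWNER and GROUP default to root
#   (pass other values only to exercise the function on a test file).
#   Exit codes: 0 accepted, 1 file missing, 2 wrong owner or group,
#   3 group or other have any access bits.
check_sssd_conf() {
    path="${1:-/etc/sssd/sssd.conf}"
    want_user="${2:-root}"
    want_group="${3:-root}"

    if [ ! -f "$path" ]; then
        echo "$path: not found" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$path")    # octal permission bits, e.g. 644 or 600
    user=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")

    # SSSD requires the file to be owned by root:root.
    if [ "$user" != "$want_user" ] || [ "$group" != "$want_group" ]; then
        echo "$path: owned by $user:$group, SSSD requires $want_user:$want_group" >&2
        echo "  fix: chown $want_user:$want_group $path" >&2
        return 2
    fi

    # The last two octal digits are the group and other bits; both must be
    # zero, so 644 and 640 (both tried in the thread) are rejected, 600 passes.
    case "$mode" in
        0|*00) ;;
        *)
            echo "$path: mode $mode is accessible by group/other, SSSD requires 0600" >&2
            echo "  fix: chmod 0600 $path" >&2
            return 3
            ;;
    esac

    echo "$path: $user:$group mode $mode, accepted by SSSD's permission check"
    return 0
}

# When run as a script with arguments, check the given file,
# e.g.  sh check_sssd_conf.sh /etc/sssd/sssd.conf
if [ "$#" -gt 0 ]; then
    check_sssd_conf "$@"
fi
```

The check only reports; the chown/chmod lines it prints are the two commands from the thread's resolution, left for the administrator to apply. After fixing the mode, restart SSSD and confirm the sssd.log no longer shows the confdb_ldif_from_ini_file permission error before re-running the gdm smart card login test.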