My client has a working setup of sssd/kerberos/ldap utilizing yubikeys and pkinit as the login mechanism, based on sssd 1.15.2 and Ubuntu 16.04.
My client wants to advance from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS. A test installation of the latter with the corresponding sssd-version 1.16.1 does not allow yubikey-based login, although both kinit and p11_child do see the yubikey and the certificate on it. Kinit with yubikey does work.
Analysis of log gives that krb5_child behavior has changed. The function answer_pkinit is called with kr->pd->cmd set to SSS_PAM_AUTHENTICATE and kr->pd->authtok set to SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, but with kr->pd->cmd set to SSS_PAM_PREAUTH and kr->pd->authtok set to 0 in 1.16.1, causing the function to skip all pkinit/smarcard-related prompting and processing.
Both installations are using the same sssd.conf,krb5.conf etc.
How shall we fix this?
On Fri, Dec 07, 2018 at 01:09:34PM -0000, tallinn1960@yahoo.de wrote:
My client has a working setup of sssd/kerberos/ldap utilizing yubikeys and pkinit as the login mechanism, based on sssd 1.15.2 and Ubuntu 16.04.
My client wants to advance from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS. A test installation of the latter with the corresponding sssd-version 1.16.1 does not allow yubikey-based login, although both kinit and p11_child do see the yubikey and the certificate on it. Kinit with yubikey does work.
Analysis of log gives that krb5_child behavior has changed. The function answer_pkinit is called with kr->pd->cmd set to SSS_PAM_AUTHENTICATE and kr->pd->authtok set to SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, but with kr->pd->cmd set to SSS_PAM_PREAUTH and kr->pd->authtok set to 0 in 1.16.1, causing the function to skip all pkinit/smarcard-related prompting and processing.
Both installations are using the same sssd.conf,krb5.conf etc.
Can you share the full logs with debug_level=9?
The behavior you described above is expected and you should see a similar SSS_PAM_PREAUTH step in 1.15.2 as well.
The SSS_PAM_PREAUTH is done first, before the user is asked for a PIN or a password to check which authentication methods are available for the user on the KDC. Based on the result the user is prompted and then SSS_PAM_AUTHENTICATE is run.
Are you prompted for a PIN or a password with 1.16.1? Is the Kerberos pkinit plugin installed on the system running 1.16.1? Can you check the system log if pcscd says that access is denied for the user trying to log in?
bye, Sumit
How shall we fix this? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
There is no entry in the syslogs of pcscd whatsoever. It is installed though. p11_child --pre ... does read the certificate from the yubikey.
I missed that krb5_child is called twice upon a single login attempt. Comparing the log of krb5_child between 1.15.2 and 1.16.1 shows that the tokentype is different: SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, SSS_AUTHTOK_TYPE_PASSWORD in 1.16.1.
I am prompted for a password in 1.16.1.
The krb5-pkinit package is installed. kinit utilzes the yubikey.
The following is krb5_child.log for a failed login attempt. I have inserted trace-output about cmd and tokentype in answer_pkinit.
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): krb5_child started. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] (0x1000): total buffer size: [146] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] (0x0100): cmd [249] uid [3034] gid [3001] validate [false] enterprise principal [false] offline [false] UPN [user@DOMAIN] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] keytab: [/etc/krb5.keytab] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [check_use_fast] (0x0100): Not using FAST. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] (0x0200): Trying to become user [3034][3001]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x2000): Running as [3034][3001]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] (0x0200): Trying to become user [3034][3001]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] (0x0200): Already user [3034]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [k5c_setup] (0x2000): Running as [3034][3001]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [false] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): Will perform pre-auth (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [DOMAIN] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570173: Getting initial credentials for user@DOMAIN
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570175: Sending unauthenticated request
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570176: Sending request (174 bytes) to DOMAIN
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570177: Sending initial UDP request to dgram 10.36.125.234:88
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570178: Received answer (364 bytes) from dgram 10.36.125.234:88
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570179: Response was from master KDC
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570180: Received error from KDC: -1765328359/Additional pre-authentication required
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570183: Preauthenticating using KDC method data
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570184: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570185: Selected etype info: etype aes256-cts, salt "DOMAINuser", params ""
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570186: Received cookie: MIT
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:slotid=0:token=PIV Card Holder pin (PIV_II)] flags [0]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] (0x4000): cmd = 249 (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] (0x4000): authtok = 0 (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570187: Preauth module pkinit (147) (info) returned: 0/Success
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x4000): Prompt [0][PIV Card Holder pin (PIV_II) PIN]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570188: PKINIT client has no configured identity; giving up
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570189: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570190: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570191: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570192: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570193: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for user@DOMAIN]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570194: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth. (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [k5c_send_data] (0x0200): Received error code 0 (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [pack_response_packet] (0x2000): response packet size: [12] (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [k5c_send_data] (0x4000): Response sent. (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): krb5_child completed successfully (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): krb5_child started. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] (0x1000): total buffer size: [154] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] (0x0100): cmd [241] uid [3034] gid [3001] validate [false] enterprise principal [false] offline [false] UPN [user@DOMAIN] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] keytab: [/etc/krb5.keytab] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [check_use_fast] (0x0100): Not using FAST. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [old_ccache_valid] (0x0400): Saved ccache FILE:/tmp/krb5cc_3034_XXXXXX doesn't exist, ignoring (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_3034_XXXXXX] and is not active and TGT is not valid. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] (0x0200): Trying to become user [3034][3001]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x2000): Running as [3034][3001]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] (0x0200): Trying to become user [3034][3001]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] (0x0200): Already user [3034]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_setup] (0x2000): Running as [3034][3001]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [false] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): Will perform online auth (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [DOMAIN] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663098: Getting initial credentials for user@DOMAIN
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663100: Sending unauthenticated request
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663101: Sending request (174 bytes) to DOMAIN
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663102: Sending initial UDP request to dgram 10.36.125.234:88
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663103: Received answer (364 bytes) from dgram 10.36.125.234:88
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663104: Response was from master KDC
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663105: Received error from KDC: -1765328359/Additional pre-authentication required
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663108: Preauthenticating using KDC method data
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663109: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663110: Selected etype info: etype aes256-cts, salt "DOMAINuser", params ""
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663111: Received cookie: MIT
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:slotid=0:token=PIV Card Holder pin (PIV_II)] flags [0]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] (0x4000): cmd = 241 (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] (0x4000): authtok = 1 (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663112: Preauth module pkinit (147) (info) returned: 0/Success
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x4000): Prompt [0][PIV Card Holder pin (PIV_II) PIN]. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136917: PKINIT client has no configured identity; giving up
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136918: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136919: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136920: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136921: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136922: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for user@DOMAIN]. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136923: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [get_and_save_tgt] (0x0020): 1702: [-1765328174][Pre-authentication failed: Preauthentication failed] (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [map_krb5_error] (0x0020): 1815: [-1765328174][Pre-authentication failed: Preauthentication failed] (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [k5c_send_data] (0x0200): Received error code 1432158221 (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [pack_response_packet] (0x2000): response packet size: [4] (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [k5c_send_data] (0x4000): Response sent. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): krb5_child completed successfully
On Fri, Dec 07, 2018 at 05:00:43PM -0000, tallinn1960@yahoo.de wrote:
There is no entry in the syslogs of pcscd whatsoever. It is installed though. p11_child --pre ... does read the certificate from the yubikey.
I missed that krb5_child is called twice upon a single login attempt. Comparing the log of krb5_child between 1.15.2 and 1.16.1 shows that the tokentype is different: SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, SSS_AUTHTOK_TYPE_PASSWORD in 1.16.1.
I am prompted for a password in 1.16.1.
Maybe another PAM module asks for a password before pam_sss can ask for the PIN. Can you send or compare the PAM configuration on both systems?
bye, Sumit
The krb5-pkinit package is installed. kinit utilzes the yubikey.
The following is krb5_child.log for a failed login attempt. I have inserted trace-output about cmd and tokentype in answer_pkinit.
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): krb5_child started. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] (0x1000): total buffer size: [146] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] (0x0100): cmd [249] uid [3034] gid [3001] validate [false] enterprise principal [false] offline [false] UPN [user@DOMAIN] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] keytab: [/etc/krb5.keytab] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [check_use_fast] (0x0100): Not using FAST. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] (0x0200): Trying to become user [3034][3001]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x2000): Running as [3034][3001]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] (0x0200): Trying to become user [3034][3001]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] (0x0200): Already user [3034]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [k5c_setup] (0x2000): Running as [3034][3001]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [false] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): Will perform pre-auth (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [DOMAIN] (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570173: Getting initial credentials for user@DOMAIN
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570175: Sending unauthenticated request
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570176: Sending request (174 bytes) to DOMAIN
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570177: Sending initial UDP request to dgram 10.36.125.234:88
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570178: Received answer (364 bytes) from dgram 10.36.125.234:88
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570179: Response was from master KDC
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570180: Received error from KDC: -1765328359/Additional pre-authentication required
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570183: Preauthenticating using KDC method data
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570184: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570185: Selected etype info: etype aes256-cts, salt "DOMAINuser", params ""
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570186: Received cookie: MIT
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:slotid=0:token=PIV Card Holder pin (PIV_II)] flags [0]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] (0x4000): cmd = 249 (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] (0x4000): authtok = 0 (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570187: Preauth module pkinit (147) (info) returned: 0/Success
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x4000): Prompt [0][PIV Card Holder pin (PIV_II) PIN]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570188: PKINIT client has no configured identity; giving up
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570189: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570190: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570191: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570192: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570193: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for user@DOMAIN]. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570194: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [get_and_save_tgt] (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth. (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [k5c_send_data] (0x0200): Received error code 0 (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [pack_response_packet] (0x2000): response packet size: [12] (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [k5c_send_data] (0x4000): Response sent. (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): krb5_child completed successfully (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): krb5_child started. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] (0x1000): total buffer size: [154] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] (0x0100): cmd [241] uid [3034] gid [3001] validate [false] enterprise principal [false] offline [false] UPN [user@DOMAIN] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] (0x0100): ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] old_ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] keytab: [/etc/krb5.keytab] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [check_use_fast] (0x0100): Not using FAST. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [old_ccache_valid] (0x0400): Saved ccache FILE:/tmp/krb5cc_3034_XXXXXX doesn't exist, ignoring (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_3034_XXXXXX] and is not active and TGT is not valid. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_precreate_ccache] (0x4000): Recreating ccache (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] (0x0200): Trying to become user [3034][3001]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x2000): Running as [3034][3001]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] (0x0200): Trying to become user [3034][3001]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] (0x0200): Already user [3034]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_setup] (0x2000): Running as [3034][3001]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [false] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): Will perform online auth (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [tgt_req_child] (0x1000): Attempting to get a TGT (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [DOMAIN] (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663098: Getting initial credentials for user@DOMAIN
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663100: Sending unauthenticated request
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663101: Sending request (174 bytes) to DOMAIN
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663102: Sending initial UDP request to dgram 10.36.125.234:88
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663103: Received answer (364 bytes) from dgram 10.36.125.234:88
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663104: Response was from master KDC
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663105: Received error from KDC: -1765328359/Additional pre-authentication required
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663108: Preauthenticating using KDC method data
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663109: Processing preauth types: 16, 15, 14, 136, 19, 147, 2, 133
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663110: Selected etype info: etype aes256-cts, salt "DOMAINuser", params ""
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663111: Received cookie: MIT
(Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_responder] (0x4000): Got question [pkinit]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:slotid=0:token=PIV Card Holder pin (PIV_II)] flags [0]. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] (0x4000): Setting pkinit_prompting. (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] (0x4000): cmd = 241 (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] (0x4000): authtok = 1 (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663112: Preauth module pkinit (147) (info) returned: 0/Success
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x4000): Prompt [0][PIV Card Holder pin (PIV_II) PIN]. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136917: PKINIT client has no configured identity; giving up
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136918: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136919: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136920: Preauth module pkinit (15) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136921: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136922: Preauth module pkinit (14) (real) returned: -1765328360/Preauthentication failed
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for user@DOMAIN]. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136923: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [get_and_save_tgt] (0x0020): 1702: [-1765328174][Pre-authentication failed: Preauthentication failed] (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [map_krb5_error] (0x0020): 1815: [-1765328174][Pre-authentication failed: Preauthentication failed] (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [k5c_send_data] (0x0200): Received error code 1432158221 (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [pack_response_packet] (0x2000): response packet size: [4] (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [k5c_send_data] (0x4000): Response sent. (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): krb5_child completed successfully _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
The PAM config files are the same on both systems, here is the contents auf common-auth
auth [success=2 default=ignore] pam_sss.so forward_pass auth [success=1 default=ignore] pam_unix.so use_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so
I've prepared two tarballs with full logs of both a successful attempt to login on sssd 1.15.1/Ubuntu 16.04 and an unsuccessful attempt on 1.16.1/18.04. I would like to send you these tarballs in private. Can you provide me with an e-mal adress to send to?
To summarize the result of log-investigation by Sumit and further tests by me:
sssd 1.16 introduced a LDAP-query for a user node with a specific certificate and uses the certificate as the search filter. This ldap-query is not RFC-compliant, but OpenLDAP is, so the query fails, if an OpenLDAP server is used as the id provider. It may fail with other RFC-compliant LDAP-Servers. It won't fail with 389-Server as the schema used by this server treats the userCertificate as a simple octet-string.
sssd uses the certificate as an octet-string to match, but the correct syntax of the userCertificate attribute in a user-node is defined in RFC 452 and OpenLDAP delivers a compliant implementation. Here one cannot search for a certificate by simply giving the octets of the certificate as the search-filter. One has to extract issuer and serial-number of the certificate and then search by using a RFC-compliant filter: (userCertificate;binary = { serialNumber 0x...., issuer='CN=..., O=..., ...' }).
I suggest to introduce a configuration flag rfc452 (or something) for sssd.conf which should cause sssd to use a RFC-compliant filter.
sssd-users@lists.fedorahosted.org