Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1445445
Description of problem:
Configure IPA with an AD trust, then add the same smart card certificate to a user defined in IdM and to a different user defined in AD. Console login with the Smart Card fails. If the certificate is mapped only to the AD user, console login succeeds.

Version-Release number of selected component (if applicable):
ipa-server 4.5.0-6.el7
sssd 1.15.2-15.el7

How reproducible:

Steps to Reproduce:
1. Configure ipa server with ipa-server-install
2. Prepare the server with ipa-adtrust-install
3. Add the AD trust
    ipa trust-add --type=ad domain-ad.com --admin Administrator --password --two-way=true
4. Add the smart card cert to an ipa user
    kinit admin
    CERT=`cat cert.pem | tail -n +2 | head -n -1 | tr -d '\r\n'`
    ipa user-add idmuser --first idmuser --last idmuser --certificate $CERT
5. Add the same smart card cert to an AD user bob
6. Check that the cert is mapped to both users
    ipa certmap-match cert.pem
    ---------------
    2 users matched
    ---------------
      Domain: domain-ad.com
      User logins: bob

      Domain: DOMAIN-IDM.COM
      User logins: idmuser
    ----------------------------
    Number of entries returned 2
    ----------------------------
7. Try to login to the console using the smart card (DOMAIN-AD\bob)

Actual results:
The login console does not prompt for the sc pin but rather for the password.

Expected results:
The login console should prompt for the smart card pin

Additional info:
If the certificate is removed from the idmuser entry, then the smart card login is successful.
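A check for the condition in step 6, as an added example that is not part of the ticket or of the IPA/SSSD code: it parses `ipa certmap-match` output and reports when one certificate maps to more than one user or domain. The function names are hypothetical, the sample text is constructed from the ticket's output, and treating several logins on one line as comma-separated is an assumption.

```python
import re

# Constructed sample: `ipa certmap-match cert.pem` output in the shape shown in the ticket.
SAMPLE_OUTPUT = """\
---------------
2 users matched
---------------
  Domain: domain-ad.com
  User logins: bob

  Domain: DOMAIN-IDM.COM
  User logins: idmuser
----------------------------
Number of entries returned 2
----------------------------
"""


def parse_certmap_match(text):
    """Return {lowercased domain: [logins]} from certmap-match output (hypothetical helper)."""
    matches = {}
    domain = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Domain:\s*(\S+)$", line)
        if m:
            # Domain names are case-insensitive, so normalise before grouping.
            domain = m.group(1).lower()
            matches.setdefault(domain, [])
            continue
        m = re.match(r"User logins:\s*(.+)$", line)
        if m and domain is not None:
            # Assumption: several logins on one line are comma-separated.
            matches[domain].extend(u.strip() for u in m.group(1).split(","))
    return matches


def ambiguous_mapping(matches):
    """True when the certificate maps to more than one domain or more than one user."""
    total_users = sum(len(users) for users in matches.values())
    return len(matches) > 1 or total_users > 1


if __name__ == "__main__":
    found = parse_certmap_match(SAMPLE_OUTPUT)
    for dom, users in found.items():
        print(f"{dom}: {', '.join(users)}")
    print("ambiguous mapping:", ambiguous_mapping(found))
```

Run against every smart card certificate in use, this flags the double mapping that precedes the failed PIN prompt described in the ticket.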
Metadata Update from @sbose: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1445445
Metadata Update from @sbose: - Issue assigned to sbose
Metadata Update from @sbose: - Custom field patch adjusted to on - Issue set to the milestone: None
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.15.3
Metadata Update from @jhrozek: - Issue priority set to: major
Metadata Update from @jhrozek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4412
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.