#3385 Smart card login fails if same cert mapped to IdM user and AD user
Closed: Fixed 6 years ago Opened 6 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1445445

Description of problem:

Configure IPA with an AD trust, then add the same smart card certificate to a
user defined in IdM and to a different user defined in AD. Console login with
the Smart Card fails.
If the certificate is mapped only to the AD user, console login succeeds.

Version-Release number of selected component (if applicable):
ipa-server 4.5.0-6.el7
sssd 1.15.2-15.el7

How reproducible:


Steps to Reproduce:
1. Configure ipa server with ipa-server-install
2. Prepare the server with ipa-adtrust-install
3. Add the AD trust:
   ipa trust-add --type=ad domain-ad.com --admin Administrator --password --two-way=true
4. Add the smart card cert to an ipa user:
   kinit admin
   CERT=`cat cert.pem | tail -n +2 | head -n -1 | tr -d '\r\n'`
   ipa user-add idmuser --first idmuser --last idmuser --certificate $CERT
5. Add the same smart card cert to an AD user bob
6. Check that the cert is mapped to both users:
   ipa certmap-match cert.pem
---------------
2 users matched
---------------
  Domain: domain-ad.com
  User logins: bob

  Domain: DOMAIN-IDM.COM
  User logins: idmuser
----------------------------
Number of entries returned 2
----------------------------
7. Try to login to the console using the smart card (DOMAIN-AD\bob)


Actual results:
The login console does not prompt for the sc pin but rather for the password.


Expected results:
The login console should prompt for the smart card pin

Additional info:
If the certificate is removed from the idmuser entry, then the smart card login
is successful.
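
An added example, not part of the original ticket or of the SSSD/IPA code: a shell check that parses `ipa certmap-match` output in the format shown in step 6 and flags a certificate mapped to more than one user. The function names are hypothetical, the samples are constructed from the ticket's output, and comma-separated values on a `User logins:` line are an assumption.

```shell
#!/bin/sh
# Audit helper (added example): find certificates that map to several users.

# list_cert_matches: read `ipa certmap-match` output on stdin and
# print one "domain<TAB>login" line per matched user.
list_cert_matches() {
    awk '
        { sub(/[ \t\r]+$/, "") }                  # drop trailing blanks / CR
        /^[ \t]*Domain:/ {
            sub(/^[ \t]*Domain:[ \t]*/, "")
            domain = $0
            next
        }
        /^[ \t]*User logins:/ {
            sub(/^[ \t]*User logins:[ \t]*/, "")
            # Assumption: several logins in one domain are comma-separated.
            n = split($0, logins, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (logins[i] != "") printf "%s\t%s\n", domain, logins[i]
        }
    '
}

# cert_is_ambiguous: exit 0 when the output on stdin maps the
# certificate to more than one user, exit 1 otherwise.
cert_is_ambiguous() {
    list_cert_matches | awk 'END { exit !(NR > 1) }'
}

# Constructed sample: the output from step 6 of the ticket.
SAMPLE_BOTH='---------------
2 users matched
---------------
  Domain: domain-ad.com
  User logins: bob

  Domain: DOMAIN-IDM.COM
  User logins: idmuser
----------------------------
Number of entries returned 2
----------------------------'

# Constructed sample: the certificate mapped to the AD user only.
SAMPLE_ONE='  Domain: domain-ad.com
  User logins: bob'

printf '%s\n' "$SAMPLE_BOTH" | cert_is_ambiguous \
    && echo "certificate maps to more than one user"
```

On an enrolled host the same check runs as `ipa certmap-match cert.pem | cert_is_ambiguous`.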

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1445445

6 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

6 years ago

Metadata Update from @sbose:
- Custom field patch adjusted to on
- Issue set to the milestone: None

6 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.15.3

6 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major

6 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4412

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
