#3564 Smartcard authentication fails if SSSD is offline and 'krb5_store_password_if_offline = True'
Closed: Fixed 4 years ago Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1503802

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:

Smartcard authentication fails for IPA users if SSSD is offline and
'krb5_store_password_if_offline = True'


Steps to Reproduce:

1) Install as a new RHEL 7.4 Server install using Server with GUI
2) Installed ipa-client and join the workstation to the domain by executing
ipa-client-install
4) Remove pam_pkcs11
5) Install opensc
6) Enabled SSSD authentication and smartcard authentication using "authconfig
--enablesmartcard --smartcardmodule=sssd --enablesssd --enablesssdauth
--updateall
7) Verify that /etc/sssd/sssd.conf contains pam_cert_auth = true under [pam],
and cache_credentials = true under the domain section
7) Restart sssd
8) Restart pcscd
9) Attempt to login to the domain account with username/password from the
console which should be successful
10) Log out
11) Attempt to login to the domain account with username/smartcard and no
password from the console which should be successful
12) Log out
13) Disconnect the network cable or remove connectivity to IPA server
14) Attempt to login to the domain account with username/smartcard and no
password from the console. Will get prompted for a PIN, but then the login
fails.
15) Attempt to login to the domain account with username/password from the
console should get sucessful at this moment
16) Then reconnect the network cable
17) Now attempt to login to the domain account with username/smartcard and no
password from the console will be successful



Actual results:

Attempt in 14th step is getting failed.


Expected results:

Attempt in 14th step also should be successful

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1503802

4 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

4 years ago

Metadata Update from @sbose:
- Custom field patch adjusted to on
- Issue set to the milestone: None

4 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.1
- Issue tagged with: PR, bug

4 years ago

There is a PR and an associated bugzilla, but since we want to release the 1.16.1 tarball as soon as possible, I'm proposing that this ticket is moved to 1.16.2

Metadata Update from @jhrozek:
- Issue tagged with: postpone-to-1-16-2

4 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major

4 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2 (was: SSSD 1.16.1)

4 years ago

Metadata Update from @jhrozek:
- Issue untagged with: postpone-to-1-16-2

4 years ago

Metadata Update from @lslebodn:
- Issue close_status updated to: Fixed
- Issue set to the milestone: SSSD 1.16.1 (was: SSSD 1.16.2)
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4588

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata