#3797 When AD provider is offline, usercertmap fails

Created 10 days ago by firstyear
Modified 10 days ago

When using a userCertificate following the instructions at https://fy.blackhats.net.au/blog/html/2018/02/27/smartcards_and_you_how_to_make_them_work_on_fedora_rhel.html (except with AD, not LDAP), the userCertificate cannot be accessed if the backend provider is offline.

This manifests in two ways. After a reboot, the provider requests a password, even if the CCID is connected (not the PIN for CCID auth).

```
# opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No              Alcor Micro AU9560 00 00
1    Yes             Yubico Yubikey 4 OTP+U2F+CCID 01 00
```

If you move from online to offline, i.e. suspend/resume, SSSD will loop infinitely and cause GDM to hang indefinitely.

This is rather easy to reproduce given the configuration.

sssd-1.16.2-1.1.x86_64, openSUSE Tumbleweed