#3797 When AD provider is offline, usercertmap fails
Closed: worksforme 4 months ago by jhrozek. Opened 10 months ago by firstyear.

When using a userCertificate following instructions https://fy.blackhats.net.au/blog/html/2018/02/27/smartcards_and_you_how_to_make_them_work_on_fedora_rhel.html (except AD, not ldap). The userCertificate is not able to be accessed if the backend provider is offline.

This manifests in two ways. After a reboot, the provider requests a password, even if the CCID is connected. (not the pin for CCID auth)

# opensc-tool -l    
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No              Alcor Micro AU9560 00 00
1    Yes             Yubico Yubikey 4 OTP+U2F+CCID 01 00

If you move from online to offline, i.e. suspend/resume, SSSD will infinite loop and will cause GDM to hang indefinitely.

This is rather easy to reproduce given the configuration.

sssd-1.16.2-1.1.x86_64 openSUSE tumbleweed

So far we agreed to fix this in the 2.x branch and backport later. Thank you for the bug report.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1

9 months ago

Hi @firstyear,

I cannot reproduce the issue with a current version of SSSD. Tumbleweed now has SSSD-2.0, do you still see this issue with a recent version of Tumbleweed? If that's the case, can you attach logs?


I'm going to close this issue since there was no reply for 4 months. Please reopen later if this ticket is still valid.

Metadata Update from @jhrozek:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

4 months ago
