#3797 When AD provider is offline, usercertmap fails
Opened 6 months ago by firstyear. Modified 4 months ago

When using a userCertificate following the instructions at https://fy.blackhats.net.au/blog/html/2018/02/27/smartcards_and_you_how_to_make_them_work_on_fedora_rhel.html (except AD, not LDAP), the userCertificate is not able to be accessed if the backend provider is offline.

This manifests in two ways. After a reboot, the provider requests a password, even if the CCID is connected (not the PIN for CCID auth).

# opensc-tool -l    
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No              Alcor Micro AU9560 00 00
1    Yes             Yubico Yubikey 4 OTP+U2F+CCID 01 00

If you move from online to offline, i.e. suspend/resume, SSSD will infinite loop and will cause GDM to hang indefinitely.

This is rather easy to reproduce given the configuration.

sssd-1.16.2-1.1.x86_64 openSUSE tumbleweed

So far we agreed to fix this in the 2.x branch and backport later. Thank you for the bug report.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1

5 months ago

Hi @firstyear,

I cannot reproduce the issue with a current version of SSSD. Tumbleweed now has SSSD-2.0; do you still see this issue with a recent version of Tumbleweed? If that's the case, can you attach logs?

