When using a userCertificate following the instructions at https://fy.blackhats.net.au/blog/html/2018/02/27/smartcards_and_you_how_to_make_them_work_on_fedora_rhel.html (except AD, not LDAP), the userCertificate is not able to be accessed if the backend provider is offline.
This manifests in two ways. After a reboot, the provider requests a password, even if the CCID is connected (not the PIN for CCID auth).
# opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 No Alcor Micro AU9560 00 00
1 Yes Yubico Yubikey 4 OTP+U2F+CCID 01 00
If you move from online to offline, i.e. suspend/resume, SSSD will loop infinitely and will cause GDM to hang indefinitely.
This is rather easy to reproduce given the configuration.
sssd-1.16.2-1.1.x86_64 openSUSE tumbleweed
So far we agreed to fix this in the 2.x branch and backport later. Thank you for the bug report.
Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1