#3848 pam_unix unable to match fully qualified username provided by sssd during smartcard auth using gdm
Closed: Fixed 5 years ago Opened 5 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla: Bug 1637131

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

This is a special case for Smartcard authentication for local users with GDM
where the GDM Smartcard feature is used (prompt directly for a PIN if a
Smartcard is inserted). In this case it is up to SSSD to determine the user
name based on the Smartcard mapping. There is a longer comment about this in
add_pam_cert_response(). Currently SSSD always returns a fully-qualified name
and pam_sss puts this on the PAM stack as PAM_USER for other PAM modules.

This works fine as long as the user is completely handled by SSSD. But for
local users pam_unix should be able to find them as well, especially during
acct_mgmt.

I guess an is_files_provider() check in add_pam_cert_response() so the short
names are returned if the files provider is used should help.
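
The mismatch described in this ticket, as an added C sketch that is not part of the original ticket and is not SSSD code: a name of the form `user@domain` fails an exact-match lookup against local account names, while the short name succeeds. The `struct domain`, `pam_user_for_cert()`, `local_user_exists()` and the sample account and domain names are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of local account names (not taken from the ticket). */
static const char *local_passwd[] = { "root", "alice", NULL };

/* Stand-in for the exact-match lookup a files-based module such as pam_unix
 * depends on: "alice@files" is not an account name in the passwd file. */
static bool local_user_exists(const char *name)
{
    for (size_t i = 0; local_passwd[i] != NULL; i++) {
        if (strcmp(local_passwd[i], name) == 0) return true;
    }
    return false;
}

/* Hypothetical, simplified domain description; SSSD's real structures differ. */
struct domain {
    const char *name;
    bool files_provider; /* what an is_files_provider()-style check would report */
};

/* Build the name handed to later PAM modules as PAM_USER: the short name for
 * the files provider, name@domain otherwise. Returns 0 on success, -1 on
 * missing input or when the result does not fit in the buffer. */
static int pam_user_for_cert(const struct domain *dom, const char *short_name,
                             char *out, size_t out_len)
{
    int n;

    if (dom == NULL || short_name == NULL || out == NULL) return -1;
    if (dom->files_provider) {
        n = snprintf(out, out_len, "%s", short_name);
    } else {
        n = snprintf(out, out_len, "%s@%s", short_name, dom->name);
    }
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    struct domain files = { "files", true }; /* constructed domain name */
    char buf[64];

    if (pam_user_for_cert(&files, "alice", buf, sizeof(buf)) != 0) return 1;
    printf("PAM_USER=%s local lookup=%s\n", buf,
           local_user_exists(buf) ? "found" : "not found");
    return 0;
}
```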


Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1637131

5 years ago

Metadata Update from @jhrozek:
- Issue priority set to: major
- Issue tagged with: bug

5 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

5 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 years ago

Commit dbd717f relates to this ticket

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1

5 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4841

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
