#3903 PKINIT with KCM does not work
Closed: Fixed 6 years ago Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1658813

Description of problem:
In case of Smart Card authentication, the krb5_child of sssd runs as root in
order to be able to access the pcscd socket and relies on setting the
KRB5CCNAME environment variable to access the ccache on behalf of the user.

However, with KCM, root cannot access another user's ccache, see e.g. this
explanation by MIT krb5 upstream:
https://github.com/krb5/krb5/pull/557#issuecomment-254834623

Therefore we need to obtain the credentials as a user who can talk to pcscd
(typically root) but then drop the privileges to the user who is logging in
and save the credentials to the ccache as that user.

Version-Release number of selected component (if applicable):
up to sssd-2.0-24

How reproducible:
always

Steps to Reproduce:
1. login to an IPA client with a smart card
2. klist

Actual results:
credential cache KCM:$uid not found

Expected results:
a valid credential cache

Additional info:
see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1441764#c8 or a thread on
freeipa-users titled "smartcard auth + kerberos ticket?" from Nov-15 2018.
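The ordering problem from the report, as an added example that is not SSSD's code: a small C model of the KCM lookup rule (the daemon identifies the caller by the peer uid of the socket and resolves the cache in that uid's own namespace, which is a simplification of sssd-kcm assumed here), a real, verified privilege drop, and a krb5_child-like flow run at three possible drop points to show why only dropping after PKINIT but before storing works. The function names, the `drop_point` enum and the simulated pcscd/KCM checks are assumptions for illustration.

```c
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse "KCM:<uid>" or "KCM:<uid>:<name>" (the forms KRB5CCNAME takes for KCM).
 * Returns 0 and fills *owner and sub ("" when absent), or -EINVAL. */
int parse_kcm_name(const char *ccname, uid_t *owner, char *sub, size_t sublen)
{
    if (strncmp(ccname, "KCM:", 4) != 0)
        return -EINVAL;
    const char *p = ccname + 4;
    char *end;
    errno = 0;
    unsigned long v = strtoul(p, &end, 10);
    if (errno != 0 || end == p || (*end != '\0' && *end != ':'))
        return -EINVAL;
    *owner = (uid_t)v;
    snprintf(sub, sublen, "%s", *end == ':' ? end + 1 : "");
    return 0;
}

/* Model of the KCM daemon's lookup (simplification, assumed for this example):
 * the caller is identified by the socket's peer uid and the requested cache is
 * resolved inside that uid's own namespace, so a uid in KRB5CCNAME that differs
 * from the caller's is simply "not found", even when the caller is root. */
int kcm_lookup(const char *ccname, uid_t peer_uid)
{
    uid_t owner;
    char sub[64];
    int rc = parse_kcm_name(ccname, &owner, sub, sizeof sub);
    if (rc != 0)
        return rc;
    return owner == peer_uid ? 0 : -ENOENT;
}

/* Model of the PKINIT step: the pcscd socket is reachable only as root. */
int acquire_tgt_pkinit(uid_t running_as)
{
    return running_as == 0 ? 0 : -EACCES;
}

/* Irreversible privilege drop: supplementary groups first, then gid, then uid,
 * followed by checks that the switch took and root cannot be regained. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -EPERM;
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;               /* drop was not permanent */
    return 0;
}

enum drop_point { DROP_NEVER, DROP_BEFORE_ACQUIRE, DROP_BEFORE_STORE };

/* krb5_child-like flow for a smart card login of `user`, run against the models
 * above. The uid switch is simulated as a variable so the flow can be exercised
 * without root; a real child would call drop_to_user() at the DROP_BEFORE_STORE point. */
int krb5_child_flow(uid_t user, enum drop_point when)
{
    uid_t running_as = 0;                     /* the child starts as root */
    char ccname[32];
    snprintf(ccname, sizeof ccname, "KCM:%u", (unsigned)user);

    if (when == DROP_BEFORE_ACQUIRE)
        running_as = user;
    int rc = acquire_tgt_pkinit(running_as);  /* needs pcscd, i.e. root */
    if (rc != 0)
        return rc;
    if (when == DROP_BEFORE_STORE)
        running_as = user;
    return kcm_lookup(ccname, running_as);    /* store into the user's KCM cache */
}

int main(void)
{
    const char *names[] = { "never", "before PKINIT", "after PKINIT, before store" };
    for (int w = DROP_NEVER; w <= DROP_BEFORE_STORE; w++) {
        int rc = krb5_child_flow(1000, (enum drop_point)w);
        printf("drop %-27s -> %s\n", names[w], rc == 0 ? "ticket stored" : strerror(-rc));
    }
    return 0;
}
```

Dropping never reproduces the "credential cache KCM:$uid not found" from the report, dropping before PKINIT loses access to pcscd, and only the third ordering stores the ticket. In a real child the switch has to include setgroups(), otherwise the process keeps root's supplementary groups after the uid change.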

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1658813

6 years ago

Commit e49e9f7 relates to this ticket

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

6 years ago
  • sssd-1-16
    • a61b80d - krb5_child: fix permissions during SC auth

Metadata Update from @pbrezina:
- Issue set to the milestone: None (was: SSSD 2.1)

5 years ago

So with the 1.16 backport - is this likely to make it into EL7?

> So with the 1.16 backport - is this likely to make it into EL7?

Yes, it is.

This ticket tracks it: https://bugzilla.redhat.com/show_bug.cgi?id=1781539

Thanks for the info!

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4888

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.
