#3949 gdm login not prompting for username when smart card maps to multiple users
Closed: Fixed a year ago by jhrozek. Opened a year ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1672780

Description of problem:

On an IPA Client with a Smart Card certificate mapping properly to two Active
Directory users, I expected GDM Login prompt to ask for Smart Card pin then the
username hint.  It did not.  It just prompts for password.

Other Smart Card authentication on the client works as expected:

[root@rhel8-2 ~]# su - ipacertmultiuser1@ad.test -c "su - ipacertmultiuser1@ad.test -c whoami"
PIN for ipauser1-01 (MyEID)

[root@rhel8-2 ~]# su - ipacertmultiuser2@ad.test -c "su - ipacertmultiuser2@ad.test -c whoami"
PIN for ipauser1-01 (MyEID)

Version-Release number of selected component (if applicable):
# rpm -q sssd gdm authselect ipa-client

How reproducible:

Steps to Reproduce:
1. Setup IPA Server and Client to enable Smart Card authentication
2. Setup Trust with AD and add mapping for cert from card to two AD users
3. Insert card in reader

Actual results:
Prompted for password

Expected results:
expect GDM Login screen to prompt for PIN of card and then the username hint.

Additional info:

In sssd_pam.log I see:

(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x4000): Found [1] certificates and [2] related users.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x0020): More than one user mapped to certificate.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.

Note that if I remove mapping for one of the users, I can login with PIN
prompt.  There is no username hint prompt in that case (as expected).

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1672780

a year ago

Commit 3eb99a1 relates to this ticket

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 2.1
- Issue tagged with: bug

a year ago
