#3949 gdm login not prompting for username when smart card maps to multiple users
Closed: Fixed 2 years ago by jhrozek. Opened 2 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1672780

Description of problem:

On an IPA Client with a Smart Card certificate mapping properly to two Active
Directory users, I expected GDM Login prompt to ask for Smart Card pin then the
username hint.  It did not.  It just prompts for password.

Other Smart Card authentication on the client works as expected:

[root@rhel8-2 ~]# su - ipacertmultiuser1@ad.test -c "su - ipacertmultiuser1@ad.test -c whoami"
PIN for ipauser1-01 (MyEID)

[root@rhel8-2 ~]# su - ipacertmultiuser2@ad.test -c "su - ipacertmultiuser2@ad.test -c whoami"
PIN for ipauser1-01 (MyEID)

Version-Release number of selected component (if applicable):
# rpm -q sssd gdm authselect ipa-client

How reproducible:

Steps to Reproduce:
1. Setup IPA Server and Client to enable Smart Card authentication
2. Setup Trust with AD and add mapping for cert from card to two AD users
3. Insert card in reader

Actual results:
Prompted for password

Expected results:
expect GDM Login screen to prompt for PIN of card and then the username hint.

Additional info:

In sssd_pam.log I see:

(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x4000): Found [1] certificates and [2] related users.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x0020): More than one user mapped to certificate.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.

Note that if I remove mapping for one of the users, I can login with PIN
prompt.  There is no username hint prompt in that case (as expected).
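
For triage, the pattern in the sssd_pam.log excerpt above (a certificate lookup returning several users, followed by a pam_reply result) can be picked out of a log automatically. This is an added example, not part of the original ticket or SSSD's own code. It assumes one log entry per line and that the next pam_reply after a lookup belongs to the same request; the function name and the single-user contrast lines are constructed for illustration.

```python
import re

# First three lines: the ticket's excerpt, one entry per line.
# Last two lines: constructed single-user case for contrast (not from the ticket).
SAMPLE_LOG = """\
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x4000): Found [1] certificates and [2] related users.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x0020): More than one user mapped to certificate.
(Tue Feb  5 15:39:21 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [8]: Insufficient credentials to access authentication data.
(Tue Feb  5 15:45:02 2019) [sssd[pam]] [pam_forwarder_lookup_by_cert_done] (0x4000): Found [1] certificates and [1] related users.
(Tue Feb  5 15:45:02 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
"""

# (timestamp) [sssd[pam]] [function] (debug level): message
ENTRY = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[pam\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
FOUND = re.compile(r"Found \[(\d+)\] certificates and \[(\d+)\] related users\.")
REPLY = re.compile(r"pam_reply called with result \[(\d+)\]: (.*)")


def find_ambiguous_cert_logins(text):
    """Return one record per certificate lookup that matched more than one
    user, together with the PAM result that followed it."""
    findings, pending = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip lines that are not sssd[pam] debug entries
        func, msg = m["func"], m["msg"]
        if func == "pam_forwarder_lookup_by_cert_done":
            found = FOUND.search(msg)
            if found:
                certs, users = int(found.group(1)), int(found.group(2))
                # Only lookups that map to several users are of interest.
                pending = ({"time": m["ts"], "certs": certs, "users": users}
                           if users > 1 else None)
        elif func == "pam_reply" and pending:
            reply = REPLY.search(msg)
            if reply:
                pending["pam_result"] = int(reply.group(1))
                pending["pam_message"] = reply.group(2)
                findings.append(pending)
                pending = None
    return findings


if __name__ == "__main__":
    for f in find_ambiguous_cert_logins(SAMPLE_LOG):
        print(f)
```

On a busy host, entries from concurrent requests interleave, so the sequential pairing used here should be treated as a first-pass filter.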

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1672780

2 years ago

Commit 3eb99a1 relates to this ticket

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @jhrozek:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 2.1
- Issue tagged with: bug

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4927

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
