#3999 Trouble with smartcard authentication on Ubuntu 16.04 with AD
Closed: cloned-to-github 3 years ago by pbrezina. Opened 4 years ago by ngpriddy.

Hello,

We've gotten smartcard authentication to work with RHEL 7 with SSSD and AD. We're now working on applying it to Ubuntu 16.04. We're using the same sssd.conf from RHEL 7 and have created /var/lib/sss/pubconf/pam_preauth_available. We've also tested with configuring pam via pam-auth-update and also just modeling after our RHEL 7 pam configuration. We've realm joined into our domain, can kinit users, can log in via password auth, just not smartcard auth. Specifically, we're getting

[pam_dp_process_reply] (0x0200): received: [4 (System error)][DOMAIN]
(Thu May 2 14:40:42 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [4]: System error.

which isn't really helpful. Any help is greatly appreciated! I'm also uploading our sssd.conf, pam files, and /var/log/sssd/*.


It does look like p11_child does not like some of our smart cards. On the cards for which p11_child returns the cert, console login is still just prompting for a password. I'm not sure if our pam files are configured correctly now.

I am also getting this in /var/log/syslog

May  2 15:32:49 admin-test-ubuntu16 kernel: [ 7165.697158] audit: type=1400 audit(1556829169.218:1137): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/pki/nssdb/secmod.db" pid=4463 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 2 15:32:49 admin-test-ubuntu16 kernel: [ 7165.697985] audit: type=1400 audit(1556829169.218:1138): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/pki/nssdb/cert8.db" pid=4463 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 2 15:32:49 admin-test-ubuntu16 kernel: [ 7165.698062] audit: type=1400 audit(1556829169.218:1139): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/pki/nssdb/key3.db" pid=4463 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 2 15:32:49 admin-test-ubuntu16 kernel: [ 7165.699304] audit: type=1400 audit(1556829169.218:1140): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=4463 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 2 15:32:49 admin-test-ubuntu16 kernel: [ 7165.701411] audit: type=1400 audit(1556829169.222:1141): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=4463 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
May 2 15:32:49 admin-test-ubuntu16 systemd[1]: Started PC/SC Smart Card Daemon.
May 2 15:32:49 admin-test-ubuntu16 pcscd[4464]: 00000000 ifdhandler.c:144:CreateChannelByNameOrChannel() failed
May 2 15:32:49 admin-test-ubuntu16 pcscd[4464]: 00000696 readerfactory.c:1043:RFInitializeReader() Open Port 0x200000 Failed (usb:0a5c/5800:libudev:0:/dev/bus/usb/005/002)
May 2 15:32:49 admin-test-ubuntu16 pcscd[4464]: 00000588 readerfactory.c:335:RFAddReader() Broadcom Corp 5880 [Broadcom USH] (0123456789ABCD) init failed.
May 2 15:32:50 admin-test-ubuntu16 kernel: [ 7166.497839] audit: type=1400 audit(1556829170.022:1142): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=4463 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 2 15:32:50 admin-test-ubuntu16 kernel: [ 7166.497850] audit: type=1400 audit(1556829170.022:1143): apparmor="ALLOWED" operation="file_perm" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=4463 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 2 15:32:56 admin-test-ubuntu16 kernel: [ 7173.374477] sssd_pam[4182]: segfault at 0 ip 00000000004128c8 sp 00007ffd01ee4d60 error 4 in sssd_pam[400000+20000]
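As an added example (not from the ticket or the SSSD project), a small parser for the syslog excerpt above: the `apparmor="ALLOWED"` lines that carry a `denied_mask` come from a profile in complain mode, so they list exactly the accesses (the pcscd socket, the NSS database) that the `/usr/sbin/sssd` profile would block if switched to enforce, and the final kernel line is the sssd_pam crash decoded into a user-mode read of address 0. The sample is constructed from the quoted lines with the hostname shortened.

```python
import re

# Constructed sample, modelled on the /var/log/syslog lines quoted above.
SAMPLE_SYSLOG = """\
May  2 15:32:49 host kernel: [ 7165.697158] audit: type=1400 audit(1556829169.218:1137): apparmor="ALLOWED" operation="open" profile="/usr/sbin/sssd" name="/etc/pki/nssdb/secmod.db" pid=4463 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May  2 15:32:49 host kernel: [ 7165.701411] audit: type=1400 audit(1556829169.222:1141): apparmor="ALLOWED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=4463 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
May  2 15:32:49 host systemd[1]: Started PC/SC Smart Card Daemon.
May  2 15:32:56 host kernel: [ 7173.374477] sssd_pam[4182]: segfault at 0 ip 00000000004128c8 sp 00007ffd01ee4d60 error 4 in sssd_pam[400000+20000]
"""

APPARMOR_RE = re.compile(r'apparmor="(?P<status>\w+)"(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SEGV_RE = re.compile(r'(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) '
                     r'ip (?P<ip>[0-9a-f]+) .* error (?P<err>\d+)')

def parse_apparmor(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    m = APPARMOR_RE.search(line)
    if not m:
        return None
    fields = {"status": m.group("status")}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if quoted else bare
    return fields

def complain_mode_hits(text):
    """apparmor="ALLOWED" together with a denied_mask means the profile is in
    complain mode: the access went through, but enforce mode would block it."""
    hits = []
    for line in text.splitlines():
        f = parse_apparmor(line)
        if f and f["status"] == "ALLOWED" and f.get("denied_mask"):
            hits.append((f["profile"], f["comm"], f["operation"], f["name"], f["denied_mask"]))
    return hits

def segfaults(text):
    """Decode kernel segfault lines. x86 page-fault error code: bit 0 set means
    protection violation (clear: page not present), bit 1 write, bit 2 user mode."""
    out = []
    for m in filter(None, map(SEGV_RE.search, text.splitlines())):
        err, addr = int(m.group("err")), int(m.group("addr"), 16)
        out.append({"comm": m.group("comm"), "pid": int(m.group("pid")),
                    "addr": addr, "ip": int(m.group("ip"), 16),
                    "write": bool(err & 2), "user": bool(err & 4),
                    "null_deref": addr < 4096})  # first page is never mapped
    return out
```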

Hi,

The PAM configuration looks OK at first glance.

The last line from /var/log/syslog indicates that sssd_pam crashes. Is there a coredump? Can you create a backtrace with gdb and attach it to the ticket?

bye,
Sumit

# gdb /usr/lib/x86_64-linux-gnu/sssd/sssd_pam ./CoreDump 
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/x86_64-linux-gnu/sssd/sssd_pam...(no debugging symbols found)...done.
[New LWP 2798]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00000000004128c8 in ?? ()
(gdb) bt
#0  0x00000000004128c8 in ?? ()
#1  0x0000000000412efb in ?? ()
#2  0x0000000000413f4c in ?? ()
#3  0x0000000000414045 in ?? ()
#4  0x00000000004095df in ?? ()
#5  0x0000000000409ca6 in ?? ()
#6  0x00007f27b9f4bf79 in ?? () from /usr/lib/x86_64-linux-gnu/sssd/libsss_child.so
#7  0x00007f27bb692613 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#8  0x00007f27bb690b57 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#9  0x00007f27bb68cd3d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#10 0x00007f27bb68cedb in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#11 0x00007f27bb690af7 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#12 0x00007f27ba59c073 in server_loop () from /usr/lib/x86_64-linux-gnu/sssd/libsss_util.so
#13 0x0000000000405199 in ?? ()
#14 0x00007f27b9b7ab97 in __libc_start_main (main=0x404570, argc=6, argv=0x7ffd84241188, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7ffd84241178) at ../csu/libc-start.c:310
#15 0x0000000000405279 in ?? ()

I can attach the coredump itself if needed.

The debugging symbols are missing on your system. https://wiki.ubuntu.com/Debug%20Symbol%20Packages explains how you can install them. If this is not possible, please attach the coredump.

We did try to install the dbgsym for our version of sssd-common, but there was not a version available for our sssd-common package. We're currently on sssd-common_1.13.4-1ubuntu1.12

Hi,

can you send the output of

certutil -L -d /etc/pki/nssdb -h all

when the Smartcard is inserted? The command will ask for the PIN.

bye,
Sumit

Hello Sumit,

So after seeing the newer 13 release on Ubuntu, we've updated so we would be able to get the debug symbols. We had our steps scripted out so we had the desired configuration every time. We're now getting the following with realm joining, in which we do the following:

We kinit our service ad join account to obtain kerberos tgt.

We realm join without declaring a user to use the tgt.

It goes through most of the computer account creation process but has the following errors:
Insufficient permissions to set encryption types on computer account (problem 4003 INSUFF_ACCESS_RIGHTS)

Couldn't set operatingSystem, operatingSystemVersion, operatingSystemServicePack on Computer Account: Insufficient Access

Couldn't authenticate with keytab while discovering which salt to use: HOSTNAME$DOMAIN. Client 'HOSTNAME$@DOMAIN' not found in Kerberos database.

Then it says 'Successfully enrolled in realm'. We can see the computer object. But I cannot id any user, retrieve any userCertificates, etc. We also have RHEL 7.6 boxes that we do a similar process with and they do not have this issue, using the same ad join account into the same ou. Could this be an issue with the sssd-krb5 libraries?

I can open a separate ticket for this and close this one for now since the version has changed. Please let me know how to proceed.

Hi,

please try

realm leave
kinit your_join_user
realm join --membership-software=samba .....

This will use Samba's net utility to join instead of adcli, you might have to install the package which contains the net utility. It will only use the Samba utility to join but will configure SSSD to do user lookups and authentication.

There is an issue in adcli when using users which have only permission to join a host. Fixes are upstream (https://gitlab.freedesktop.org/realmd/adcli/merge_requests/3) and available in RHEL (although RHEL 7 uses net by default).

HTH

bye,
Sumit

Hello, thank you Sumit. I've done the following:
kinit ad-join.svc
realm join -v --membership-software=samba --computer-ou="OU=pathtoou,DC=domain" DOMAIN

and I am now seeing the long, generated /usr/bin/net -s join line then,
Failed to initialize kerberos context! (Invalid argument)
Failed to join domain: failed to lookup DC info for domain 'DOMAIN' over rpc: Memory allocation error.

I have also confirmed samba-common-bin is installed.

Metadata Update from @pbrezina:
- Issue tagged with: Future milestone

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4971

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

3 years ago
