#4103 slow smartcard interactions break sssd when PKINIT is configured
Opened 4 months ago by ralston. Modified 4 months ago

I am struggling to get smartcard authentication working on RHEL7, using sssd-1.16.4-21.el7 and krb5 PKINIT against Microsoft Active Directory KDCs.

When PKINIT is correctly configured in krb5.conf, multiple code paths in sssd wind up attempting to interact with the smartcard reader, including probing any inserted card.

This is a problem, because some reader/card combinations are slow enough to trigger internal timeouts in sssd.

For example, if you connect an SCM Microsystems SCR 3310 reader, and insert a CAC into it, sssd spends so long attempting to interact with the card that it completely breaks, reporting:

(Fri Oct 18 14:07:51 2019) [sssd[be[example.org]]] [dp_req_reply_std] (0x1000): DP Request [Subdomains #0]: Returning [Provider is Offline]: 1,1432158212,Offline

First, I would argue this is a bug. The provider didn't time out; sssd mistakenly thought it did because it failed to distinguish the time waiting for the provider versus the time it spent attempting to interact with the CAC.

Second, why is sssd attempting to interact with the card at startup? Or, for that matter, at any other time than when a PKINIT-eligible PAM service is called?

To avoid this, I had to apply these settings for the domain:

ldap_search_timeout = 60
ldap_network_timeout = 60
ldap_opt_timeout = 60

But again, I shouldn't have to do this. Running getent passwd foo shouldn't take 30 seconds (I timed it) versus a fraction of a second just because there is a smartcard inserted in the reader.

Is this an issue that has been addressed in later versions of sssd? sssd-1.16.4-21.el7 is pretty old at this point, I know, but I am stuck with RHEL7; I cannot move to RHEL8 yet.

Thanks.


Hi,

I assume you have set pkinit_identities in your /etc/krb5.conf; in this case a related issue was reported in https://bugzilla.redhat.com/show_bug.cgi?id=1704199 as well.

The reason is that SSSD's helper program ldap_child uses the given Kerberos configuration to request a ticket to access the LDAP service. With pkinit_identities set and krb5-pkinit installed, libkrb5 will check if PKINIT is available.

This is currently not fixed in any version, but as a workaround you can either remove pkinit_identities from /etc/krb5.conf or, if you prefer to keep it to make manual kinit easier, run SSSD with an individual Kerberos configuration. For this:

  • copy /etc/krb5.conf to e.g. /etc/krb5.conf.sssd and remove pkinit_identities from the copy
  • add KRB5_CONFIG=/etc/krb5.conf.sssd to /etc/sysconfig/sssd
  • restart SSSD

HTH

bye,
Sumit
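The workaround steps above (a separate krb5.conf for SSSD without pkinit_identities, pointed to via KRB5_CONFIG in /etc/sysconfig/sssd) as an added example script; this is not code from the ticket or from the SSSD project. It assumes pkinit_identities appears as one `pkinit_identities = ...` directive per line (possibly repeated) and that /etc/sysconfig/sssd is a plain KEY=VALUE file; the krb5.conf contents and paths in the demonstration are constructed. The real run would be `strip_pkinit_identities /etc/krb5.conf /etc/krb5.conf.sssd`, `set_krb5_config_env /etc/sysconfig/sssd /etc/krb5.conf.sssd`, then `systemctl restart sssd`.

```shell
#!/bin/sh
# Added example, not part of the ticket or of SSSD: give SSSD its own
# krb5.conf with no pkinit_identities so ldap_child never probes the card.
set -eu

# Return 0 if the given krb5.conf sets pkinit_identities anywhere, else 1.
# This is the condition under which libkrb5 (with krb5-pkinit) tries PKINIT.
pkinit_identities_set() {
    grep -Eq '^[[:space:]]*pkinit_identities[[:space:]]*=' "$1"
}

# Copy krb5.conf $1 to $2, dropping every pkinit_identities line and
# keeping everything else (realms, pkinit_anchors, ...) untouched.
strip_pkinit_identities() {
    sed -E '/^[[:space:]]*pkinit_identities[[:space:]]*=/d' "$1" > "$2"
}

# Make sysconfig file $1 carry exactly one KRB5_CONFIG=$2 line, replacing
# any existing value; creates the file if it does not exist yet.
set_krb5_config_env() {
    sysconfig="$1"; conf="$2"
    if [ -f "$sysconfig" ] && grep -q '^KRB5_CONFIG=' "$sysconfig"; then
        # portable in-place edit (no GNU sed -i dependency)
        sed "s|^KRB5_CONFIG=.*|KRB5_CONFIG=$conf|" "$sysconfig" > "$sysconfig.tmp"
        mv "$sysconfig.tmp" "$sysconfig"
    else
        printf 'KRB5_CONFIG=%s\n' "$conf" >> "$sysconfig"
    fi
}

# Demonstration on a constructed krb5.conf in a temp dir (no root needed).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.ORG
  pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
  pkinit_identities = PKCS11:opensc-pkcs11.so
  pkinit_identities = FILE:/tmp/user.pem,/tmp/user.key

[realms]
  EXAMPLE.ORG = {
    kdc = dc1.example.org
  }
EOF
    if pkinit_identities_set "$tmp/krb5.conf"; then
        echo "pkinit_identities present in $tmp/krb5.conf: SSSD would probe the smartcard"
    fi
    strip_pkinit_identities "$tmp/krb5.conf" "$tmp/krb5.conf.sssd"
    set_krb5_config_env "$tmp/sysconfig-sssd" "$tmp/krb5.conf.sssd"
    echo "--- $tmp/krb5.conf.sssd ---"; cat "$tmp/krb5.conf.sssd"
    echo "--- $tmp/sysconfig-sssd ---"; cat "$tmp/sysconfig-sssd"
    echo "now: systemctl restart sssd"
}

demo
```

After this, ldap_child and the rest of SSSD read the stripped copy, while interactive `kinit` keeps using /etc/krb5.conf with PKINIT.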
