#4115 Smart Card authentication in polkit
Closed: Fixed 4 years ago by pbrezina. Opened 4 years ago by jjelen.

Some of the administrative applications allow elevating privileges for administrative tasks using polkit (for example systemctl). This makes it convenient when one forgets to write sudo in front of the command. Even though all of the other prompts (sudo, gdm login) are configured to allow smart card authentication, this path does not.

I am not sure whether all the changes needed will be just a configuration, some new authselect rules or there would be actually more changes needed in sssd, polkit, pam configuration or elsewhere.


Hi Jakub,

thanks for raising the issue. It looks like I just forgot about polkit as a local application. Can you try if adding

pam_p11_allowed_services = +polkit-1

to the [pam] section of sssd.conf will make polkit ask for a PIN as well?

bye,
Sumit

I just tried that and without any success. I also added the polkit-1 to the services in [sssd] section, but I am not sure if it is right:

services = nss, pam, sudo, polkit-1

in /var/log/sssd/sssd_pam.log I can see the following:

(Mon Nov 11 18:00:21 2019) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [jjelen] added to PAM initgroup cache
(Mon Nov 11 18:00:21 2019) [sssd[pam]] [may_do_cert_auth] (0x0020): Smartcard authentication for service [polkit-1] not supported.
(Mon Nov 11 18:00:21 2019) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:

Not sure what more might need to be done.

I am on Fedora 31 (where update from Fedora 30 broke the gdm login btw -- not sure if rerunning the authselect fixed things, but if not, I guess that will be for different issue). Sudo works fine.

Hi,

the services option is not the right one, pam_p11_allowed_services = +polkit-1 works for me, are you sure you've added it to the [pam] section?

Can you attach sssd.conf and sssd_pam.log with debug_level = 9 in the [pam] section of sssd.conf?

bye,
Sumit

You are right. Yesterday, I probably forgot to restart sssd before trying (or the services option was conflicting?). Now it works as a charm. Thank you for the help.

Is there something else I can do, or are you going to update defaults in sssd to accept also this one?

> You are right. Yesterday, I probably forgot to restart sssd before trying (or the services option was conflicting?). Now it works as a charm. Thank you for the help.

Thanks for the feedback.

> Is there something else I can do, or are you going to update defaults in sssd to accept also this one?

Yes, polkit-1 should be added to default_sc_services in get_sc_services. I'll keep this ticket open to track this. Please let me know if you would like to send a PR to https://github.com/SSSD/sssd/.

bye,
Sumit

FYI, the issues with gdm login I was describing earlier got resolved by itself with reboot and now work just fine.

Great, thanks for the feedback and the patch. So this ticket will be closed when the patch is committed.

bye,
Sumit

  • master
    • cea159ef838239109b9cf5e646b57cb90aef8d3e - Allow smart card authentication in polkit

Metadata Update from @pbrezina:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)


SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5076

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
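
The following check is an added example, not part of the original thread and not SSSD's own code. For an SSSD build that predates the commit above, it flags the two conditions seen in this ticket (the PAM service name placed in [sssd] services, and no pam_p11_allowed_services entry in [pam]) and extracts refused services from sssd_pam.log. The function names, the sample configuration and the example.test domain are constructed for illustration.

```python
import configparser
import re

# Constructed sample reproducing the misconfiguration from the thread: the PAM
# service name sits in [sssd] services and [pam] lacks the allow-list entry.
SAMPLE_CONF = """\
[sssd]
services = nss, pam, sudo, polkit-1
domains = example.test

[pam]
debug_level = 9
"""

# Message format taken from the sssd_pam.log excerpt quoted in the thread.
SAMPLE_LOG = (
    "(Mon Nov 11 18:00:21 2019) [sssd[pam]] [may_do_cert_auth] (0x0020): "
    "Smartcard authentication for service [polkit-1] not supported.\n"
)
REJECT_RE = re.compile(
    r"\[may_do_cert_auth\].*Smartcard authentication for service "
    r"\[([^\]]+)\] not supported"
)


def _items(value):
    """Split a comma-separated sssd.conf value into trimmed entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_conf(conf_text, pam_service="polkit-1"):
    """Return findings about smart card auth for one PAM service (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    if pam_service in _items(cp.get("sssd", "services", fallback="")):
        findings.append(f"misplaced: {pam_service} in [sssd] services is not a responder")
    allowed = _items(cp.get("pam", "pam_p11_allowed_services", fallback=""))
    if f"-{pam_service}" in allowed:
        findings.append(f"removed: -{pam_service} in pam_p11_allowed_services")
    elif pam_service not in allowed and f"+{pam_service}" not in allowed:
        findings.append(f"missing: add pam_p11_allowed_services = +{pam_service} to [pam]")
    return findings


def rejected_services(log_text):
    """Return PAM service names that sssd_pam.log shows refused for smart card auth."""
    return sorted(set(REJECT_RE.findall(log_text)))
```

As the thread shows, a corrected sssd.conf only takes effect after sssd is restarted, so re-check the log after the restart rather than before it.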
