Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1704199
Description of problem: Authentication does work, But getting these in /var/log/messages about every 80 seconds: *************/var/log/messages/************** Feb 8 11:53:45 pcscd[]: auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory Feb 8 11:53:45 pcscd[]: 00000020 auth.c:137:IsClientAuthorized() Process 10833 (user: 0) is NOT authorized for action: access_pcsc Feb 8 11:53:45 pcscd[]: 00000014 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client Feb 8 11:53:45 pcscd[]: 00000407 auth.c:117:IsClientAuthorized() Error in authorization: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file “/proc/<>/status”: No such file or directory Feb 8 11:53:45 pcscd[]: 00000006 auth.c:137:IsClientAuthorized() Process 10835 (user: 0) is NOT authorized for action: access_pcsc Feb 8 11:53:45 pcscd[]: 00000091 winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client *********************************************** ************Diagnostic Steps******************** 1. Installed polkit rules as mentioned below and done restart, still issue persists. # /usr/share/polkit-1/rules.d/sssd-pcsc.rules // Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as // unprivileged user 'sssd' to allow access to the Smartcard via pcscd. polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_card" && subject.user == "sssd") { return polkit.Result.YES; } }); polkit.addRule(function(action, subject) { if (action.id == "org.debian.pcsc-lite.access_pcsc" && subject.user == "sssd") { return polkit.Result.YES; } }); # service polkit restart 2. Tried changing all of the "auth-admin" to "yes" in /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy. But it did not make a difference. ************************************************ **************Workaround*********************** - Created a copy of /etc/krb5.conf, e.g. /etc/krb5.conf.sssd, remove the pkinit_identities lines only in the copy and "KRB5_CONFIG=/etc/krb5.conf.sssd" to /etc/sysconfig/sssd. - This way SSSD and all its sub-processes should read /etc/krb5.conf.sssd instead of /etc/krb5.conf but all other processes in the system should continue to use /etc/krb5.conf. - This way /var/log/messages does not see p11_child rejected message from pcscd. ************************************************* Version-Release number of selected component (if applicable): Red Hat Enterprise Linux 8 sssd-2.0.0-43.el8.x86_64 pcsc-lite-1.8.23-3.el8.x86_64 Smart card reader Bus 003 Device 003: ID 413c:2101 Dell Computer Corp. SmartCard Reader Keyboard How reproducible: All times in Customer's env Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Customer want solution rather than workaround. Additional info:
Metadata Update from @sbose: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1704199
Metadata Update from @sbose: - Issue assigned to sbose
PR: https://github.com/SSSD/sssd/pull/958
Metadata Update from @sbose: - Custom field patch adjusted to on
Metadata Update from @atikhonov: - Issue tagged with: PR
Commit 580d618 relates to this ticket
master: 580d618
Metadata Update from @mzidek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5087
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Log in to comment on this ticket.