#4126 pcscd rejecting sssd ldap_child as unauthorized
Closed: Fixed 4 years ago by mzidek. Opened 4 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1704199

Description of problem:
Authentication does work, but these messages show up in /var/log/messages about every 80
seconds:

*************/var/log/messages/**************
Feb  8 11:53:45  pcscd[]:  auth.c:117:IsClientAuthorized() Error in
authorization:
GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4:
Failed to open file “/proc/<>/status”: No such file or directory
Feb  8 11:53:45  pcscd[]: 00000020 auth.c:137:IsClientAuthorized() Process
10833 (user: 0) is NOT authorized for action: access_pcsc
Feb  8 11:53:45  pcscd[]: 00000014 winscard_svc.c:335:ContextThread() Rejected
unauthorized PC/SC client
Feb  8 11:53:45  pcscd[]: 00000407 auth.c:117:IsClientAuthorized() Error in
authorization:
GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4:
Failed to open file “/proc/<>/status”: No such file or directory
Feb  8 11:53:45  pcscd[]: 00000006 auth.c:137:IsClientAuthorized() Process
10835 (user: 0) is NOT authorized for action: access_pcsc
Feb  8 11:53:45  pcscd[]: 00000091 winscard_svc.c:335:ContextThread() Rejected
unauthorized PC/SC client
***********************************************


************Diagnostic Steps********************
1. Installed the polkit rules as mentioned below and restarted, but the issue still
persists.
# /usr/share/polkit-1/rules.d/sssd-pcsc.rules
// Please put this file in /usr/share/polkit-1/rules.d/ if SSSD is running as
// unprivileged user 'sssd' to allow access to the Smartcard via pcscd.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        subject.user == "sssd") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "sssd") {
            return polkit.Result.YES;
    }
});
# service polkit restart
2. Tried changing all of the "auth_admin" entries to "yes" in
/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy, but it made no
difference.
************************************************


**************Workaround***********************
- Created a copy of /etc/krb5.conf, e.g. /etc/krb5.conf.sssd, removed the
pkinit_identities lines only in the copy, and added "KRB5_CONFIG=/etc/krb5.conf.sssd"
to /etc/sysconfig/sssd.
- This way SSSD and all its sub-processes should read /etc/krb5.conf.sssd
instead of /etc/krb5.conf, but all other processes in the system should continue
to use /etc/krb5.conf.
- This way /var/log/messages no longer shows the p11_child rejected message from
pcscd.
*************************************************


Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux 8
sssd-2.0.0-43.el8.x86_64
pcsc-lite-1.8.23-3.el8.x86_64
Smart card reader
Bus 003 Device 003: ID 413c:2101 Dell Computer Corp. SmartCard Reader Keyboard


How reproducible:
Every time in the customer's environment.

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
The customer wants a solution rather than a workaround.

Additional info:
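The workaround above is a three-step manual procedure (copy krb5.conf, strip the pkinit_identities lines from the copy, point SSSD at the copy through KRB5_CONFIG). The script below is an added example, not part of the ticket and not SSSD's own tooling, that performs those steps in a way that can be re-run safely: it strips every pkinit_identities line whether it sits in [libdefaults] or inside a realm block, keeps all other pkinit_* settings, and replaces rather than duplicates an existing KRB5_CONFIG line in the sysconfig file. Note that the ticket's log lines show the rejected client running as user 0, which the posted polkit rules keyed on subject.user == "sssd" do not cover, so this workaround sidesteps the smart card access rather than authorising it. The paths /etc/krb5.conf, /etc/krb5.conf.sssd and /etc/sysconfig/sssd come from the ticket; the sample krb5.conf content and the scratch directory are constructed for the demonstration so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not from the ticket or the SSSD project): derive a krb5.conf
# variant without pkinit_identities for SSSD, and point SSSD at it via
# KRB5_CONFIG in the sysconfig file. Paths are from the ticket's workaround;
# the sample krb5.conf below is constructed input for the demo.

# make_sssd_krb5conf SRC DST
# Copy SRC to DST, dropping every line whose key is pkinit_identities
# (leading whitespace allowed, so realm-block entries are dropped too).
# Other settings, including pkinit_anchors, are kept unchanged.
make_sssd_krb5conf() {
    src="$1"; dst="$2"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    sed -e '/^[[:space:]]*pkinit_identities[[:space:]]*=/d' "$src" > "$dst" || return 1
    chmod 0644 "$dst"
    return 0
}

# set_sssd_krb5config SYSCONFIG DST
# Ensure SYSCONFIG (e.g. /etc/sysconfig/sssd) contains exactly one
# KRB5_CONFIG=DST line; an existing KRB5_CONFIG line is replaced.
set_sssd_krb5config() {
    sysconfig="$1"; dst="$2"
    tmp="$sysconfig.tmp.$$"
    if [ -f "$sysconfig" ]; then
        grep -v '^KRB5_CONFIG=' "$sysconfig" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'KRB5_CONFIG=%s\n' "$dst" >> "$tmp"
    mv "$tmp" "$sysconfig"
}

# count_pkinit_identities FILE
# Print how many pkinit_identities lines FILE contains (0 if none).
count_pkinit_identities() {
    grep -c '^[[:space:]]*pkinit_identities[[:space:]]*=' "$1" || true
}

# --- demo on constructed input in a scratch directory (does not touch /etc) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/krb5.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
  pkinit_identities = PKCS11:opensc-pkcs11.so

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
    pkinit_identities = PKCS11:opensc-pkcs11.so
  }
EOF

# On a real host these would be /etc/krb5.conf, /etc/krb5.conf.sssd and
# /etc/sysconfig/sssd, followed by "systemctl restart sssd".
make_sssd_krb5conf "$demo_dir/krb5.conf" "$demo_dir/krb5.conf.sssd"
set_sssd_krb5config "$demo_dir/sysconfig-sssd" "$demo_dir/krb5.conf.sssd"

echo "pkinit_identities lines in original: $(count_pkinit_identities "$demo_dir/krb5.conf")"
echo "pkinit_identities lines in SSSD copy: $(count_pkinit_identities "$demo_dir/krb5.conf.sssd")"
echo "sysconfig now contains:"
cat "$demo_dir/sysconfig-sssd"
```

Because only SSSD's environment is changed, kinit, sshd and every other Kerberos client on the host keep reading /etc/krb5.conf and keep PKINIT with the smart card; only SSSD and its child processes lose it, which is the trade-off the ticket's reporter accepted while waiting for a proper fix.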

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1704199

4 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

4 years ago

Metadata Update from @sbose:
- Custom field patch adjusted to on

4 years ago

Metadata Update from @atikhonov:
- Issue tagged with: PR

4 years ago

Commit 580d618 relates to this ticket

Metadata Update from @mzidek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5087

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
