Learn more about these different git repos.
Other Git URLs
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1718193
Description of problem: With gdm and sssd configured to require smartcard for login, the GDM login screen does not seem to wait for smart card insertion properly. Instead it switches between messages: "Please enter smart card" and "Sorry, that didn't work. Please try again" After smartcard insertion it works as expected, i.e. requesting and waiting for pin input. Dconf: [org/gnome/login-screen] enable-smartcard-authentication=true enable-password-authentication=false enable-fingerprint-authentication=false /etc/pam.d/smartcard-auth auth required pam_env.so auth sufficient pam_sss.so allow_missing_name require_cert_auth auth required pam_deny.so Version-Release number of selected component (if applicable): sssd-2.0.0-43.el8_0.3.x86_64 How reproducible: Always Steps to Reproduce: 1. Configure required smartcard authentication 2. Boot to GDM login screen without inserting smart card 3. Actual results: Alternating messages: "Please enter smart card" and "Sorry, that didn't work. Please try again" Alternating every 3s. Expected results: Should only display "Please enter smart card" and wait for smart card insertion. Additional info: Debug logs from SSSD: p11_child.log: (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x0400): p11_child started. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x2000): Running in [pre-auth] mode. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x2000): Running with effective IDs: [0][0]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x2000): Running with real IDs [0][0]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): Module List: (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): common name: [p11-kit-trust]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): common name: [netid]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): dll name: [/usr/lib64/libiidp11.so]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): Description [Alcor Micro AU9560 00 00 Alcor Micro AU9560 00 00 ] Manufacturer [Alcor Micro AU9560 00 00 ] flags [6] removable [true] token present [false]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): Token not present. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x0040): do_work failed. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x0020): p11_child failed! (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x0400): p11_child started. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x2000): Running in [pre-auth] mode. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x2000): Running with effective IDs: [0][0]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x2000): Running with real IDs [0][0]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): Module List: (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): common name: [p11-kit-trust]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): common name: [netid]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): dll name: [/usr/lib64/libiidp11.so]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): Description [Alcor Micro AU9560 00 00 Alcor Micro AU9560 00 00 ] Manufacturer [Alcor Micro AU9560 00 00 ] flags [6] removable [true] token present [false]. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): Token not present. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x0040): C_GetTokenInfo failed. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x0040): do_work failed. (Fri Jun 7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x0020): p11_child failed! sssd_pam.log (Fri Jun 7 10:24:53 2019) [sssd[pam]] [get_client_cred] (0x4000): Client creds: euid[0] egid[0] pid[19419]. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [setup_client_idle_timer] (0x4000): Idle timer re-set for client [0x56009b786e30][27] (Fri Jun 7 10:24:53 2019) [sssd[pam]] [accept_fd_handler] (0x0400): Client connected to privileged pipe! (Fri Jun 7 10:24:53 2019) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received client version [3]. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered version [3]. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_cmd_preauth] (0x0100): entering pam_cmd_preauth (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): user: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): service: gdm-smartcard (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/tty1 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 19419 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): flags: 320 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [19423] (Fri Jun 7 10:24:53 2019) [sssd[pam]] [child_handler_setup] (0x2000): Signal handler set up for pid [19423] (Fri Jun 7 10:24:53 2019) [sssd[pam]] [read_pipe_handler] (0x0400): EOF received, client finished (Fri Jun 7 10:24:53 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate found and no logon name given, authentication not possible. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10]: User not known to the underlying authentication module. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_reply] (0x0200): blen: 8 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [child_sig_handler] (0x1000): Waiting for child [19423]. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [child_sig_handler] (0x0020): child [19423] failed with status [1]. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_cmd_preauth] (0x0100): entering pam_cmd_preauth (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_PREAUTH (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): user: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): service: gdm-smartcard (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): tty: /dev/tty1 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type: 0 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: 19419 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name: not set (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): flags: 576 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [19427] (Fri Jun 7 10:24:53 2019) [sssd[pam]] [child_handler_setup] (0x2000): Signal handler set up for pid [19427] (Fri Jun 7 10:24:53 2019) [sssd[pam]] [read_pipe_handler] (0x0400): EOF received, client finished (Fri Jun 7 10:24:53 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate found and no logon name given, authentication not possible. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10]: User not known to the underlying authentication module. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [filter_responses] (0x0100): [pam_response_filter] not available, not fatal. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [pam_reply] (0x0200): blen: 8 (Fri Jun 7 10:24:53 2019) [sssd[pam]] [child_sig_handler] (0x1000): Waiting for child [19427]. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [child_sig_handler] (0x0020): child [19427] failed with status [1]. (Fri Jun 7 10:24:53 2019) [sssd[pam]] [client_recv] (0x0200): Client disconnected! (Fri Jun 7 10:24:53 2019) [sssd[pam]] [client_close_fn] (0x2000): Terminated client [0x56009b786e30][27] And repeated every 3s.
Metadata Update from @sbose: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1718193
Metadata Update from @sbose: - Issue assigned to sbose
PR: https://github.com/SSSD/sssd/pull/991
Commit 37780b8 fixes this issue
Commit 7b64733 fixes this issue
master
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/5114
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Log in to comment on this ticket.