#4159 p11_child should have an option to skip C_WaitForSlotEvent if the PKCS#11 module does not implement it properly
Closed: Fixed 4 years ago by pbrezina. Opened 4 years ago by sbose.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1718193

Description of problem:
With gdm and sssd configured to require smartcard for login, the GDM login
screen does not seem to wait for smart card insertion properly. Instead it
switches between messages:
"Please enter smart card"
and
"Sorry, that didn't work. Please try again"

After smartcard insertion it works as expected, i.e. requesting and waiting for
pin input.

Dconf:
[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-password-authentication=false
enable-fingerprint-authentication=false

/etc/pam.d/smartcard-auth
auth        required                                     pam_env.so
auth        sufficient                                   pam_sss.so
allow_missing_name require_cert_auth
auth        required                                     pam_deny.so



Version-Release number of selected component (if applicable):
sssd-2.0.0-43.el8_0.3.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure required smartcard authentication
2. Boot to GDM login screen without inserting smart card
3.

Actual results:
Alternating messages:
"Please enter smart card"
and
"Sorry, that didn't work. Please try again"
Alternating every 3s.

Expected results:
Should only display "Please enter smart card" and wait for smart card
insertion.

Additional info:

Debug logs from SSSD:

p11_child.log:
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x0400):
p11_child started.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x2000): Running
in [pre-auth] mode.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x2000): Running
with effective IDs: [0][0].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x2000): Running
with real IDs [0][0].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [parse_cert_verify_opts]
(0x4000): Found 'no_ocsp' option, disabling OCSP.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000):
Module List:
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000):
common name: [p11-kit-trust].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): dll
name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000):
Description [/etc/pki/ca-trust/source
PKCS#11 Kit                     ] Manufacturer [PKCS#11 Kit
] flags [1] removable [false] token present [true].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000):
Description [/usr/share/pki/ca-trust-source
PKCS#11 Kit                     ] Manufacturer [PKCS#11 Kit
] flags [1] removable [false] token present [true].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000):
common name: [netid].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): dll
name: [/usr/lib64/libiidp11.so].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000):
Description [Alcor Micro AU9560 00 00
Alcor Micro AU9560 00 00        ] Manufacturer [Alcor Micro AU9560 00 00
] flags [6] removable [true] token present [false].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [do_card] (0x4000): Token
not present.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x0040): do_work
failed.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16925]]]] [main] (0x0020):
p11_child failed!
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x0400):
p11_child started.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x2000): Running
in [pre-auth] mode.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x2000): Running
with effective IDs: [0][0].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x2000): Running
with real IDs [0][0].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [parse_cert_verify_opts]
(0x4000): Found 'no_ocsp' option, disabling OCSP.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000):
Module List:
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000):
common name: [p11-kit-trust].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): dll
name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000):
Description [/etc/pki/ca-trust/source
PKCS#11 Kit                     ] Manufacturer [PKCS#11 Kit
] flags [1] removable [false] token present [true].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000):
Description [/usr/share/pki/ca-trust-source
PKCS#11 Kit                     ] Manufacturer [PKCS#11 Kit
] flags [1] removable [false] token present [true].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000):
common name: [netid].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): dll
name: [/usr/lib64/libiidp11.so].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000):
Description [Alcor Micro AU9560 00 00
Alcor Micro AU9560 00 00        ] Manufacturer [Alcor Micro AU9560 00 00
] flags [6] removable [true] token present [false].
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x4000): Token
not present.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [do_card] (0x0040):
C_GetTokenInfo failed.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x0040): do_work
failed.
(Fri Jun  7 10:23:15 2019) [[sssd[p11_child[16929]]]] [main] (0x0020):
p11_child failed!



sssd_pam.log
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [get_client_cred] (0x4000): Client
creds: euid[0] egid[0] pid[19419].
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [setup_client_idle_timer] (0x4000): Idle
timer re-set for client [0x56009b786e30][27]
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [accept_fd_handler] (0x0400): Client
connected to privileged pipe!
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [sss_cmd_get_version] (0x0200): Received
client version [3].
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [sss_cmd_get_version] (0x0200): Offered
version [3].
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_cmd_preauth] (0x0100): entering
pam_cmd_preauth
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_PREAUTH
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: not
set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): user: not set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): service:
gdm-smartcard
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/tty1
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: not
set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not
set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
19419
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name:
not set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): flags: 320
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [child_handler_setup] (0x2000): Setting
up signal handler up for pid [19423]
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [child_handler_setup] (0x2000): Signal
handler set up for pid [19423]
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [read_pipe_handler] (0x0400): EOF
received, client finished
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No
certificate found.
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No
certificate found and no logon name given, authentication not possible.
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called
with result [10]: User not known to the underlying authentication module.
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_reply] (0x0200): blen: 8
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [child_sig_handler] (0x1000): Waiting
for child [19423].
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [child_sig_handler] (0x0020): child
[19423] failed with status [1].
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_cmd_preauth] (0x0100): entering
pam_cmd_preauth
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): command:
SSS_PAM_PREAUTH
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): domain: not
set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): user: not set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): service:
gdm-smartcard
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): tty:
/dev/tty1
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): ruser: not
set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): rhost: not
set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): authtok type:
0
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): newauthtok
type: 0
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): priv: 1
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): cli_pid:
19419
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): logon name:
not set
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_print_data] (0x0100): flags: 576
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [child_handler_setup] (0x2000): Setting
up signal handler up for pid [19427]
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [child_handler_setup] (0x2000): Signal
handler set up for pid [19427]
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [read_pipe_handler] (0x0400): EOF
received, client finished
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No
certificate found.
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No
certificate found and no logon name given, authentication not possible.
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_reply] (0x0200): pam_reply called
with result [10]: User not known to the underlying authentication module.
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [filter_responses] (0x0100):
[pam_response_filter] not available, not fatal.
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [pam_reply] (0x0200): blen: 8
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [child_sig_handler] (0x1000): Waiting
for child [19427].
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [child_sig_handler] (0x0020): child
[19427] failed with status [1].
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [client_recv] (0x0200): Client
disconnected!
(Fri Jun  7 10:24:53 2019) [sssd[pam]] [client_close_fn] (0x2000): Terminated
client [0x56009b786e30][27]


And repeated every 3s.

Metadata Update from @sbose:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1718193

4 years ago

Metadata Update from @sbose:
- Issue assigned to sbose

4 years ago
  • master
    • 37780b8 - PAM client: only require UID 0 for private socket
    • 7b64733 - p11_child: check if card is present in wait_for_car

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5114

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata