On Fri, Dec 07, 2018 at 01:09:34PM -0000, [email protected] wrote:
> My client has a working setup of sssd/kerberos/ldap utilizing yubikeys and
> pkinit as the login mechanism, based on sssd 1.15.2 and Ubuntu 16.04.
>
> My client wants to advance from Ubuntu 16.04 LTS to Ubuntu 18.04 LTS. A test
> installation of the latter with the corresponding sssd version 1.16.1 does
> not allow yubikey-based login, although both kinit and p11_child do see the
> yubikey and the certificate on it. Kinit with yubikey does work.
>
> Analysis of the logs shows that krb5_child behavior has changed. The function
> answer_pkinit is called with kr->pd->cmd set to SSS_PAM_AUTHENTICATE and
> kr->pd->authtok set to SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, but with
> kr->pd->cmd set to SSS_PAM_PREAUTH and kr->pd->authtok set to 0 in 1.16.1,
> causing the function to skip all pkinit/smartcard-related prompting and
> processing.
>
> Both installations are using the same sssd.conf, krb5.conf etc.
Can you share the full logs with debug_level=9? The behavior you described
above is expected and you should see a similar SSS_PAM_PREAUTH step in 1.15.2
as well. The SSS_PAM_PREAUTH step is done first, before the user is asked for a
PIN or a password, to check which authentication methods are available for the
user on the KDC. Based on the result the user is prompted and then
SSS_PAM_AUTHENTICATE is run.

Are you prompted for a PIN or a password with 1.16.1? Is the Kerberos pkinit
plugin installed on the system running 1.16.1? Can you check the system log if
pcscd says that access is denied for the user trying to log in?

bye,
Sumit

>
> How shall we fix this?

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
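The two-step flow described in the reply (a SSS_PAM_PREAUTH probe with no token, then SSS_PAM_AUTHENTICATE carrying the smartcard PIN), as an added example that is not part of the thread or of sssd's own code. The log line format, the sample logs and the `diagnose` helper are constructed for illustration; real krb5_child output at debug_level=9 looks different, so the regex must be adapted before use on a real log.

```python
import re

# Constructed log format for this example; real krb5_child output at
# debug_level=9 looks different, so adapt LINE_RE to the lines you actually see.
LINE_RE = re.compile(r"answer_pkinit: cmd=(\S+) authtok=(\S+)")

# The flow described in the reply: a PREAUTH probe with no token, then,
# once the user has entered the PIN, AUTHENTICATE carrying the smartcard PIN.
EXPECTED = [
    ("SSS_PAM_PREAUTH", "0"),
    ("SSS_PAM_AUTHENTICATE", "SSS_AUTHTOK_TYPE_SC_PIN"),
]

def pkinit_steps(log_text):
    """Return (cmd, authtok) pairs from every answer_pkinit line, in order."""
    return [m.groups() for m in LINE_RE.finditer(log_text)]

def diagnose(log_text):
    """Summarise whether the log shows the full PREAUTH -> AUTHENTICATE flow."""
    steps = pkinit_steps(log_text)
    if not steps:
        return "no answer_pkinit calls found; rerun with debug_level=9"
    if steps == EXPECTED:
        return "ok: PREAUTH probe followed by AUTHENTICATE with smartcard PIN"
    if all(cmd == "SSS_PAM_PREAUTH" for cmd, _ in steps):
        return ("stuck after PREAUTH: no PIN prompt or AUTHENTICATE step; check "
                "that the Kerberos pkinit plugin is installed and that pcscd "
                "does not deny the user access to the reader")
    return "unexpected sequence: %s" % (steps,)

# Constructed sample logs (not real sssd output): the first mirrors the
# 1.15.2 behaviour reported above, the second the 1.16.1 behaviour.
LOG_1_15 = """\
[krb5_child] answer_pkinit: cmd=SSS_PAM_PREAUTH authtok=0
[krb5_child] answer_pkinit: cmd=SSS_PAM_AUTHENTICATE authtok=SSS_AUTHTOK_TYPE_SC_PIN
"""
LOG_1_16 = """\
[krb5_child] answer_pkinit: cmd=SSS_PAM_PREAUTH authtok=0
"""

if __name__ == "__main__":
    print("1.15.2-style log:", diagnose(LOG_1_15))
    print("1.16.1-style log:", diagnose(LOG_1_16))
```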
