On Fri, Dec 07, 2018 at 05:00:43PM -0000, tallinn1...@yahoo.de wrote: > There is no entry in the syslogs of pcscd whatsoever. It is installed though. > p11_child --pre ... does read the certificate from the yubikey. > > I missed that krb5_child is called twice upon a single login attempt. > Comparing the log of krb5_child between 1.15.2 and 1.16.1 shows that the > tokentype is different: SSS_AUTHTOK_TYPE_SC_PIN in 1.15.2, > SSS_AUTHTOK_TYPE_PASSWORD in 1.16.1. > > I am prompted for a password in 1.16.1.
Maybe another PAM module asks for a password before pam_sss can ask for the PIN. Can you send or compare the PAM configuration on both systems? bye, Sumit > > The krb5-pkinit package is installed. kinit utilzes the yubikey. > > The following is krb5_child.log for a failed login attempt. I have inserted > trace-output about cmd and tokentype in answer_pkinit. > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): > krb5_child started. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] > (0x1000): total buffer size: [146] > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] > (0x0100): cmd [249] uid [3034] gid [3001] validate [false] enterprise > principal [false] offline [false] UPN [user@DOMAIN] > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [unpack_buffer] > (0x0100): ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] old_ccname: > [FILE:/tmp/krb5cc_3034_XXXXXX] keytab: [/etc/krb5.keytab] > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [check_use_fast] > (0x0100): Not using FAST. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] > (0x0200): Trying to become user [3034][3001]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x2000): > Running as [3034][3001]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] > (0x0200): Trying to become user [3034][3001]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [become_user] > (0x0200): Already user [3034]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [k5c_setup] (0x2000): > Running as [3034][3001]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [set_lifetime_options] > (0x0100): No specific renewable lifetime requested. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [set_lifetime_options] > (0x0100): No specific lifetime requested. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [set_canonicalize_option] (0x0100): Canonicalization is set to [false] > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): Will > perform pre-auth > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [tgt_req_child] > (0x1000): Attempting to get a TGT > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [get_and_save_tgt] > (0x0400): Attempting kinit for realm [DOMAIN] > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570173: Getting > initial credentials for user@DOMAIN > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570175: Sending > unauthenticated request > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570176: Sending > request (174 bytes) to DOMAIN > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570177: Sending > initial UDP request to dgram 10.36.125.234:88 > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570178: Received > answer (364 bytes) from dgram 10.36.125.234:88 > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570179: Response was > from master KDC > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570180: Received error > from KDC: -1765328359/Additional pre-authentication required > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570183: > Preauthenticating using KDC method data > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570184: Processing > preauth types: 16, 15, 14, 136, 19, 147, 2, 133 > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570185: Selected etype > info: etype aes256-cts, salt "DOMAINuser", params "" > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570186: Received > cookie: MIT > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_responder] > (0x4000): Got question [pkinit]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] > (0x4000): [0] Identity > [PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:slotid=0:token=PIV > Card Holder pin (PIV_II)] flags [0]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] > (0x4000): Setting pkinit_prompting. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] > (0x4000): cmd = 249 > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [answer_pkinit] > (0x4000): authtok = 0 > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570187: Preauth module > pkinit (147) (info) returned: 0/Success > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] > (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] > EINVAL. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] > (0x4000): Prompt [0][PIV Card Holder pin (PIV_II) PIN]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] > (0x0020): Cannot handle password prompts. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570188: PKINIT client > has no configured identity; giving up > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570189: Preauth module > pkinit (16) (real) returned: -1765328360/Preauthentication failed > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570190: PKINIT client > ignoring draft 9 offer from RFC 4556 KDC > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570191: Preauth module > pkinit (15) (real) returned: -1765328360/Preauthentication failed > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570192: PKINIT client > ignoring draft 9 offer from RFC 4556 KDC > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570193: Preauth module > pkinit (14) (real) returned: -1765328360/Preauthentication failed > > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] > (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] > EINVAL. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] > (0x4000): Prompt [0][Password for user@DOMAIN]. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] [sss_krb5_prompter] > (0x0020): Cannot handle password prompts. > (Fri Dec 7 17:27:18 2018) [[sssd[krb5_child[19899]]]] > [sss_child_krb5_trace_cb] (0x4000): [19899] 1544200038.570194: Preauth module > encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password > > (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [get_and_save_tgt] > (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth. > (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [k5c_send_data] > (0x0200): Received error code 0 > (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [pack_response_packet] > (0x2000): response packet size: [12] > (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [k5c_send_data] > (0x4000): Response sent. > (Fri Dec 7 17:27:19 2018) [[sssd[krb5_child[19899]]]] [main] (0x0400): > krb5_child completed successfully > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): > krb5_child started. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] > (0x1000): total buffer size: [154] > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] > (0x0100): cmd [241] uid [3034] gid [3001] validate [false] enterprise > principal [false] offline [false] UPN [user@DOMAIN] > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [unpack_buffer] > (0x0100): ccname: [FILE:/tmp/krb5cc_3034_XXXXXX] old_ccname: > [FILE:/tmp/krb5cc_3034_XXXXXX] keytab: [/etc/krb5.keytab] > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [check_use_fast] > (0x0100): Not using FAST. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [old_ccache_valid] > (0x0400): Saved ccache FILE:/tmp/krb5cc_3034_XXXXXX doesn't exist, ignoring > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_check_old_ccache] > (0x4000): Ccache_file is [FILE:/tmp/krb5cc_3034_XXXXXX] and is not active and > TGT is not valid. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_precreate_ccache] > (0x4000): Recreating ccache > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] > (0x0200): Trying to become user [3034][3001]. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x2000): > Running as [3034][3001]. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] > (0x0200): Trying to become user [3034][3001]. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [become_user] > (0x0200): Already user [3034]. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [k5c_setup] (0x2000): > Running as [3034][3001]. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [set_lifetime_options] > (0x0100): No specific renewable lifetime requested. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [set_lifetime_options] > (0x0100): No specific lifetime requested. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [set_canonicalize_option] (0x0100): Canonicalization is set to [false] > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): Will > perform online auth > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [tgt_req_child] > (0x1000): Attempting to get a TGT > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [get_and_save_tgt] > (0x0400): Attempting kinit for realm [DOMAIN] > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663098: Getting > initial credentials for user@DOMAIN > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663100: Sending > unauthenticated request > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663101: Sending > request (174 bytes) to DOMAIN > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663102: Sending > initial UDP request to dgram 10.36.125.234:88 > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663103: Received > answer (364 bytes) from dgram 10.36.125.234:88 > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663104: Response was > from master KDC > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663105: Received error > from KDC: -1765328359/Additional pre-authentication required > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663108: > Preauthenticating using KDC method data > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663109: Processing > preauth types: 16, 15, 14, 136, 19, 147, 2, 133 > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663110: Selected etype > info: etype aes256-cts, salt "DOMAINuser", params "" > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663111: Received > cookie: MIT > > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_responder] > (0x4000): Got question [pkinit]. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] > (0x4000): [0] Identity > [PKCS11:module_name=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:slotid=0:token=PIV > Card Holder pin (PIV_II)] flags [0]. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] > (0x4000): Setting pkinit_prompting. > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] > (0x4000): cmd = 241 > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] [answer_pkinit] > (0x4000): authtok = 1 > (Fri Dec 7 17:27:23 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200043.663112: Preauth module > pkinit (147) (info) returned: 0/Success > > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] > (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] > EINVAL. > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] > (0x4000): Prompt [0][PIV Card Holder pin (PIV_II) PIN]. > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] > (0x0020): Cannot handle password prompts. > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136917: PKINIT client > has no configured identity; giving up > > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136918: Preauth module > pkinit (16) (real) returned: -1765328360/Preauthentication failed > > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136919: PKINIT client > ignoring draft 9 offer from RFC 4556 KDC > > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136920: Preauth module > pkinit (15) (real) returned: -1765328360/Preauthentication failed > > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136921: PKINIT client > ignoring draft 9 offer from RFC 4556 KDC > > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136922: Preauth module > pkinit (14) (real) returned: -1765328360/Preauthentication failed > > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] > (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] > EINVAL. > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] > (0x4000): Prompt [0][Password for user@DOMAIN]. > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [sss_krb5_prompter] > (0x0020): Cannot handle password prompts. > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] > [sss_child_krb5_trace_cb] (0x4000): [19902] 1544200044.136923: Preauth module > encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password > > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [get_and_save_tgt] > (0x0020): 1702: [-1765328174][Pre-authentication failed: Preauthentication > failed] > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [map_krb5_error] > (0x0020): 1815: [-1765328174][Pre-authentication failed: Preauthentication > failed] > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [k5c_send_data] > (0x0200): Received error code 1432158221 > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [pack_response_packet] > (0x2000): response packet size: [4] > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [k5c_send_data] > (0x4000): Response sent. > (Fri Dec 7 17:27:24 2018) [[sssd[krb5_child[19902]]]] [main] (0x0400): > krb5_child completed successfully > _______________________________________________ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org