________________________________________
From: Zynda, Bradley V. (GSFC-423.0)[ADNET SYSTEMS INC] 
<[email protected]>
Sent: Friday, November 1, 2019 9:17 AM
To: [email protected]
Subject: [non-nasa source] [SSSD-users] Re: [EXTERNAL]  Re: Fedora 30 and 31 
instant fail at gdm login greeter PIN prompt
________________________________________
From: Sumit Bose <[email protected]>
Sent: Friday, November 1, 2019 8:12 AM
To: [email protected]
Subject: [EXTERNAL] [SSSD-users] Re: Fedora 30 and 31 instant fail at gdm login 
greeter PIN prompt

On Thu, Oct 31, 2019 at 04:38:23PM +0000, Zynda, Bradley V. (GSFC-423.0)[ADNET 
SYSTEMS INC] wrote:
> Hello,
>
> pam.d/system-auth
>
> auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
>
> pam.d/smartcard-auth
>
> auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
> auth        sufficient                                   pam_sss.so ignore_authinfo_unavail require_cert_auth
> auth        required                                     pam_deny.so
>
> account     required                                     pam_unix.so
> account     sufficient                                   pam_localuser.so
> account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required                                     pam_permit.so
>
> session     optional                                     pam_keyinit.so revoke
> session     required                                     pam_limits.so
> -session     optional                                    pam_systemd.so
> session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
> session     required                                     pam_unix.so
> session     optional                                     pam_sss.so
>
>
> etc/sssd/sssd.conf
> [sssd]
> services = nss, pam
> domains = files
>
> [nss]
>
> [pam]
> pam_cert_auth = True
> pam_cert_db_path = /etc/sssd/pki/<cert>.pem
> debug_level = 4
>
> [domain/files]
> id_provider = files
>
> [certmap/files/<user>]
> matchrule = <EKU>msScLogin<SUBJECT>^.*,UID=<user>,.*$
>
>
> gdm.d/greeter-login
> enable-smartcard-authentication=true
> enable-fingerprint-authentication=false
> enable-password-authentication=false
>
>
> Reboot and get Card PIN user prompt gdm-login-greeter -> add username and 
> click next
>
> Get Prompted for PIN but after a second it just fails and goes back to asking 
> for username.
>
> Has anyone run into this behaviour, suggestions, fix?

Hi,

does it work with other services than gdm, like e.g. the console login
or su?

Hi Sumit, yes it works with other services and logging into PIV websites

Can you send the SSSD debug logs? You currently have 'debug_level = 4'
in the [pam] section. This might help for a start but it might help to
avoid some round-trips if you can set 'debug_level = 9' to the [pam] and
[domain/files] section, restart SSSD and run the login test again before
sending the logs.

On debug=4 the logs just repeat this:

(Fri Nov  1 08:54:50:113927 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
(Fri Nov  1 08:54:50:113983 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
(Fri Nov  1 08:54:50:113994 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
(Fri Nov  1 08:54:50:114015 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
(Fri Nov  1 08:54:50:114024 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.root.

-rw-r--r--. 1 root root 343 Oct 31 11:16 /etc/sssd/sssd.conf

made it 640 instead <- guessing that is correct

Will set debug=9 and retest

Hi Sumit, retested with debug 9 and still the same errors in var/log:

(Fri Nov  1 09:28:20:676656 2019) [sssd] [confdb_ldif_from_ini_file] (0x0020): Permission check on config file failed.
(Fri Nov  1 09:28:20:676713 2019) [sssd] [confdb_init_db] (0x0020): Cannot convert INI to LDIF [1]: [Operation not permitted]
(Fri Nov  1 09:28:20:676724 2019) [sssd] [confdb_setup] (0x0010): ConfDB initialization has failed [1]: Operation not permitted
(Fri Nov  1 09:28:20:676746 2019) [sssd] [load_configuration] (0x0010): Unable to setup ConfDB [1]: Operation not permitted
(Fri Nov  1 09:28:20:676757 2019) [sssd] [main] (0x0020): Cannot read config file /etc/sssd/sssd.conf. Please check that the file is accessible only by the owner and owned by root.

and the other logs have a similar entry:

(Thu Oct 31 11:29:26 2019) [sssd[be[implicit_files]]] [orderly_shutdown] (0x0010): SIGTERM: killing children

Installed Packages
sssd.x86_64                        2.2.2-1.fc31                        @anaconda

-rw-r-----. 1 root root 343 Nov  1 09:20 /etc/sssd/sssd.conf

I also verified I do not get prompted for PIN at TTY(fn+f2) for sudo or su, 
just password.

Thanks,
Brad
bye.
Sumit

>
> Seems to be a reoccurring issue I have seen in +F28, +CentOS7 and +RHEL7 
> basically anything with obsolete coolkey pkcs11 authconfig.
>
> Thanks,
> Brad
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_project_code-2Dof-2Dconduct_&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=-FUI3r0e0wQ0tL18ia_a3kv8FTiOwDeg-mJtd11gLgk&e=
> List Guidelines: 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_Mailing-5Flist-5Fguidelines&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=ZwRja4O1CGlcmPN83-KMLZX1Oitn-1iW_bzzxc6EjJk&e=
> List Archives: 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_archives_list_sssd-2Dusers-40lists.fedorahosted.org&d=DwIGaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=fdpjFOxiMCMp-y3vo7z7JUA9YdTgrS2RUK-LJ49taQg&m=SHkcEhhNSYzWg0ZdYyej-6racnAiBIx3xyRFIhX-xlA&s=Tiqmt5yDzJvro-PMRlpW5tcbBt597ePq__OfL9PbRWQ&e=
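As an added example (not code from the thread or from SSSD), a small POSIX shell pre-flight check that mirrors the requirement the sssd.log lines above state ("accessible only by the owner and owned by root.root"). The exact test SSSD performs is assumed here to be root:root ownership with no group or other permission bits, which is consistent with both the original 644 and the guessed 640 being rejected; `sssd_conf_mode_ok` and `check_sssd_conf_file` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: reproduce the ownership
# and mode check that SSSD applies to sssd.conf before it parses the file.
# Assumption for this example: owner uid 0, group gid 0, and no group/other bits.

# Judge a numeric owner uid, group gid and an octal mode string such as "644".
# Returns 0 when SSSD would accept the file, 1 with a reason on stderr otherwise.
sssd_conf_mode_ok() {
    uid="$1"; gid="$2"; mode="$3"
    [ "$uid" -eq 0 ] || { echo "owner uid $uid: must be root (0)" >&2; return 1; }
    [ "$gid" -eq 0 ] || { echo "group gid $gid: must be root (0)" >&2; return 1; }
    perm=${mode#"${mode%???}"}   # last three octal digits (drops a leading special bit)
    grp=${perm%?}; grp=${grp#?}  # middle digit: group bits
    oth=${perm#??}               # last digit: other bits
    if [ "$grp" -ne 0 ] || [ "$oth" -ne 0 ]; then
        echo "mode $mode grants access to group or others: use 0600" >&2
        return 1
    fi
    return 0
}

# Apply the check to a real file. Uses GNU stat as shipped on Fedora:
# %u owner uid, %g group gid, %a permission bits in octal.
check_sssd_conf_file() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing or not a regular file" >&2; return 1; }
    sssd_conf_mode_ok "$(stat -c %u "$f")" "$(stat -c %g "$f")" "$(stat -c %a "$f")"
}

# Walk the modes seen in the thread: 644 (initial), 640 (the guess), 600 (required).
for m in 644 640 600; do
    if sssd_conf_mode_ok 0 0 "$m" 2>&1; then
        echo "root:root $m -> SSSD would start"
    else
        echo "root:root $m -> SSSD refuses the config"
    fi
done

# Check the live file when present; on Fedora the fix is: chmod 0600 /etc/sssd/sssd.conf
if check_sssd_conf_file /etc/sssd/sssd.conf 2>&1; then
    echo "/etc/sssd/sssd.conf: permissions acceptable"
fi
```

Run it on the affected host before restarting SSSD; a non-zero exit from `check_sssd_conf_file` corresponds to the "Permission check on config file failed" line in sssd.log.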