So, if I didn't get it wrong, if we just used
/etc/ssl/certs/ca-certificates.crt as the SSSD PAM certificate, would it
work in such a case?
I mean having this in /etc/sssd/sssd.conf:
[pam]
pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt
And then what was in /etc/sssd/pki/sssd_auth_ca_db.pem to be added to
.crt's under /usr/local/share/ca-certificates/sssd_auth_ca_db/ and
eventually calling update-ca-certificates maybe?
We could probably even do it the other way around, by adding a hook to
/etc/ca-certificates/update.d/ so that we ensure that
/etc/ssl/certs/ca-certificates.crt is always in sync with the system ring?
As Robie said, we could revert this change, but this would not be ideal for
various reasons IMHO:
1. As you said, this is going to be used more and more, and so we'll end up
   having to keep supporting a growing number of systems with an outdated
   method that is going to be dropped in the future (i.e. better to do it
   now that its usage is limited than having to do it in the future when
   the audience is bigger).
2. We would like to have a single documented method to have smartcard auth
   in Ubuntu using SSSD that can be validated from 20.04 onward and that
   keeps working in future LTSs (and for sure the next LTS will have to
   drop NSS anyway, so it's just about delaying a problem, making it
   bigger).
--
https://bugs.launchpad.net/bugs/1919563
Title:
updated sssd with smart cards now brick systems without full cert
chain
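The migration step raised in the message above (moving what is in /etc/sssd/pki/sssd_auth_ca_db.pem into .crt files under /usr/local/share/ca-certificates/sssd_auth_ca_db/), as an added example that is not part of the original message nor code from sssd or ca-certificates. The function name split_ca_bundle and the sssd_auth_ca_NN.crt file naming are hypothetical, and it assumes one certificate per .crt file is wanted.

```shell
#!/bin/sh
# split_ca_bundle SRC_PEM DEST_DIR   (hypothetical helper, added example)
# Writes each certificate block in SRC_PEM to DEST_DIR/sssd_auth_ca_NN.crt
# and prints how many were written. Files from an earlier run are removed
# first, so a CA dropped from the bundle does not stay trusted.
split_ca_bundle() {
    src=$1
    dest=$2
    [ -n "$dest" ] || { echo "destination directory required" >&2; return 1; }
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    rm -f "$dest"/sssd_auth_ca_*.crt
    awk -v dest="$dest" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/sssd_auth_ca_%02d.crt", dest, n)
            inside = 1
        }
        inside { print > out }          # comments between blocks are skipped
        /^-----END CERTIFICATE-----/ {
            if (inside) close(out)
            inside = 0
        }
        END {
            if (inside) {               # truncated bundle: fail loudly
                print "unterminated certificate block" > "/dev/stderr"
                exit 2
            }
            print n + 0
        }
    ' "$src"
}

# Demo on a constructed two-entry bundle (placeholder bodies, not real
# certificates; the split is purely textual).
demo_dir=$(mktemp -d)
cat > "$demo_dir/bundle.pem" <<'EOF'
# root CA (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQx
-----END CERTIFICATE-----
# intermediate CA (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQy
-----END CERTIFICATE-----
EOF
count=$(split_ca_bundle "$demo_dir/bundle.pem" "$demo_dir/out")
echo "wrote $count certificate(s) to $demo_dir/out"
```

On a real system the destination would be /usr/local/share/ca-certificates/sssd_auth_ca_db, followed by update-ca-certificates as the message suggests.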