SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

krb5 child error: Prompter interface isn't used for password prompts by SSSD. #7025

Closed briantownjr closed 10 months ago

briantownjr commented 10 months ago

System = Rocky Linux 8 running the default GNOME desktop, sssd, pcsc-lite, opensc, krb5-workstation and other packages in order to join the system to a Windows AD domain.
Windows AD server = 2019, fully updated.
Using the same configuration setup that works on Ubuntu 20.04.

krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM
pkinit_kdc_hostname = example.com
pkinit_anchors = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
pkinit_pool = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
pkinit_identities = PKCS11:opensc-pkcs11.so:slotid=0:certid=01
default_ccache_name = KEYRING:persistent:%{uid}
canonicalize = True

sssd.conf

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam, ssh, sudo
certificate_verification = no_ocsp
debug_level = 10

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
debug_level = 10
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_certificate = altSecurityIdentities
krb5_validate = true
krb5_ccachedir = /var/tmp
krb5_keytab = /etc/krb5.keytab

[pam]
debug_level = 10
p11_child_timeout = 400
pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem
pam_cert_auth = True

[certmap/rst.gsfc.nasa.gov/pancakes]
maprule = (|(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))

/etc/sssd/pki/sssd_auth_ca_db.pem has all certs associated to smartcard as well as KDC cert

Smartcard shows up on system

Logging in via terminal, a kinit btown@example.com prompts for the PIN and then gives me a ticket. Logged in via console (VMware Workstation with a terminal open), I enter a PIN and then get dropped to having to enter a password.

One error during testing I found in the krb5_child.log:

(2023-11-08 20:50:17): [krb5_child[13914]] [sss_child_krb5_trace_cb] (0x4000): [RID#71] [13914] 1699505417.926503: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed

(2023-11-08 20:50:17): [krb5_child[13914]] [sss_krb5_prompter] (0x4000): [RID#71] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(2023-11-08 20:50:17): [krb5_child[13914]] [sss_krb5_prompter] (0x4000): [RID#71] Prompt [0][Password for btown\@EXAMPLE.COM@EXAMPLE.COM].
(2023-11-08 20:50:17): [krb5_child[13914]] [sss_krb5_prompter] (0x0200): [RID#71] Prompter interface isn't used for password prompts by SSSD.

Setting /etc/pam.d/sudo with auth sufficient pam_sss.so require_cert_auth

When running a sudo command I get

Please Enter a Smartcard

Followed immediately twice by

Please (re)insert a Different Smartcard
Please (re)insert a Different Smartcard
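The krb5_child.log excerpt above shows the sequence behind the unexpected password prompt: the pkinit preauth module returns -1765328360 (KRB5KDC_ERR_PREAUTH_FAILED), libkrb5 then falls back to asking for a password through the prompter callback, and SSSD's prompter refuses because it never handles password prompts that way. The following detection logic is an added example, not SSSD project code: it groups krb5_child trace lines by request id (RID) and reports every request in which a PKINIT failure was followed by a password prompt. The RID#71 lines are modelled on the excerpt; the RID#72 success line is constructed for contrast.

```python
"""Added detection logic (not SSSD code) for the krb5_child.log pattern in this
issue: PKINIT pre-authentication fails, libkrb5 falls back to a password prompt,
and SSSD's prompter refuses it, so the user lands in a password dialog."""
import re

# Constructed sample lines modelled on the excerpt in the issue; RID#72 is an
# added success case for contrast and does not come from the issue.
SAMPLE_LINES = [
    r"(2023-11-08 20:50:17): [krb5_child[13914]] [sss_child_krb5_trace_cb] (0x4000): [RID#71] [13914] 1699505417.926503: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed",
    r"(2023-11-08 20:50:17): [krb5_child[13914]] [sss_krb5_prompter] (0x4000): [RID#71] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.",
    r"(2023-11-08 20:50:17): [krb5_child[13914]] [sss_krb5_prompter] (0x4000): [RID#71] Prompt [0][Password for btown\@EXAMPLE.COM@EXAMPLE.COM].",
    r"(2023-11-08 20:50:17): [krb5_child[13914]] [sss_krb5_prompter] (0x0200): [RID#71] Prompter interface isn't used for password prompts by SSSD.",
    r"(2023-11-08 20:55:02): [krb5_child[13990]] [sss_child_krb5_trace_cb] (0x4000): [RID#72] [13990] 1699505702.100000: Preauth module pkinit (16) (real) returned: 0/Success",
]

# One krb5_child log line: timestamp, pid, function, debug level, request id, message.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\): \[krb5_child\[(?P<pid>\d+)\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
# libkrb5 trace message for a preauth module result: "<code>/<error text>".
PREAUTH_RE = re.compile(
    r"Preauth module (?P<module>\w+) \(\d+\) \(\w+\) returned: (?P<code>-?\d+)/(?P<text>.*)")
PASSWORD_PROMPT_RE = re.compile(r"^Prompt \[\d+\]\[Password for ")
PROMPTER_REFUSED = "Prompter interface isn't used for password prompts by SSSD."


def analyze(lines):
    """Group trace lines by RID and record, per request, the PKINIT result
    and whether a password prompt was attempted and then refused."""
    requests = {}
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a krb5_child line with a request id
        rec = requests.setdefault(m["rid"], {
            "ts": m["ts"], "pkinit_error": None,
            "password_prompt": False, "prompter_refused": False})
        msg = m["msg"]
        pre = PREAUTH_RE.search(msg)
        if pre and pre["module"] == "pkinit" and pre["code"] != "0":
            rec["pkinit_error"] = (int(pre["code"]), pre["text"])
        elif PASSWORD_PROMPT_RE.match(msg):
            rec["password_prompt"] = True
        elif msg == PROMPTER_REFUSED:
            rec["prompter_refused"] = True
    return requests


def password_fallbacks(requests):
    """Request ids where PKINIT failed and a password prompt followed: the
    logins that ended in the unexpected password dialog."""
    return sorted(rid for rid, r in requests.items()
                  if r["pkinit_error"] and r["password_prompt"])


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    result = analyze(lines)
    for rid in password_fallbacks(result):
        code, text = result[rid]["pkinit_error"]
        refused = " and was refused by SSSD" if result[rid]["prompter_refused"] else ""
        print(f"RID#{rid}: PKINIT failed ({code}/{text}); password prompt followed{refused}")
```

Run it against a real krb5_child.log (debug_level high enough to include the 0x4000 trace lines) to see which login attempts fell back to password preauth; a non-zero pkinit result with no password prompt afterwards usually means a different, earlier failure.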

briantownjr commented 10 months ago

Log output from a gdm login attempt:

pam.log

(2023-11-09 17:35:41): [pam] [sss_dp_get_account_send] (0x0400): [CID#4] Creating request for [example.com][0x3][BE_REQ_INITGROUPS][name=radmin@example.com:-]
(2023-11-09 17:35:41): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2023-11-09 17:35:41): [pam] [sss_domain_get_state] (0x1000): [CID#4] Domain example.com is Active
(2023-11-09 17:35:41): [pam] [cache_req_search_cache] (0x0400): [CID#4] CR #6: Looking up [radmin@example.com] in cache
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_callback": 0x56069f4d3960

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_timeout": 0x56069f4d3a30

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Running timer event 0x56069f4d3960 "ldb_kv_callback"

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3a30 "ldb_kv_timeout"

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3960 "ldb_kv_callback"

(2023-11-09 17:35:41): [pam] [cache_req_search_cache] (0x0400): [CID#4] CR #6: Object [radmin@example.com] was not found in cache
(2023-11-09 17:35:41): [pam] [cache_req_search_ncache_add_to_domain] (0x0400): [CID#4] CR #6: Adding [radmin@example.com] to negative cache
(2023-11-09 17:35:41): [pam] [is_user_local_by_name] (0x0400): [CID#4] User radmin@example.com is a local user
(2023-11-09 17:35:41): [pam] [sss_ncache_set_str] (0x0400): [CID#4] Adding [NCE/USER/example.com/radmin@example.com] to negative cache
(2023-11-09 17:35:41): [pam] [cache_req_global_ncache_add] (0x2000): [CID#4] CR #6: This request type does not support global negative cache
(2023-11-09 17:35:41): [pam] [cache_req_process_result] (0x0400): [CID#4] CR #6: Finished: Not found
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_callback": 0x56069f4d3890

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_timeout": 0x56069f4d3a30

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Running timer event 0x56069f4d3890 "ldb_kv_callback"

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3a30 "ldb_kv_timeout"

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3890 "ldb_kv_callback"

(2023-11-09 17:35:41): [pam] [pam_reply] (0x4000): [CID#4] pam_reply initially called with result [10]: User not known to the underlying authentication module. this result might be changed during processing
(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_callback": 0x56069f4d3890

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Added timed event "ldb_kv_timeout": 0x56069f4d3960

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Running timer event 0x56069f4d3890 "ldb_kv_callback"

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3960 "ldb_kv_timeout"

(2023-11-09 17:35:41): [pam] [ldb] (0x10000): [CID#4] Destroying timer event 0x56069f4d3890 "ldb_kv_callback"

Not sure why it's getting this: (2023-11-09 16:45:25): [pam] [pam_reply] (0x0200): [CID#1] Returning [10]: User not known to the underlying authentication module to the client

As the user can be looked up via id: "id btown" reports back user information.

nsswitch.conf

passwd:     files sss systemd
group:      files sss systemd
netgroup:   sss files
automount:  sss files
services:   sss files

p11_child.log

(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] common name: [p11-kit-trust].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Description [/etc/pki/ca-trust/source] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Description [/usr/share/pki/ca-trust-source] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] common name: [opensc].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Description [VMware Virtual USB CCID 00 00] Manufacturer [VMware] flags [7] removable [true] token present [true].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Token label [PIV_II].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Found [PIV_II] in slot [VMware Virtual USB CCID 00 00][0] of module [1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(2023-11-09 17:35:14): [p11_child[2373]] [do_card] (0x4000): [CID#3] Login NOT required.
(2023-11-09 17:35:14): [p11_child[2373]] [read_certs] (0x4000): [CID#3] found cert[Certificate for PIV Authentication][/ISSUER/UID=btown/CN=Brian Town (affiliate)]

The cert contains UID=btown, which should be mapping back to my AD. However, GDM seems to autologin when the smartcard is plugged in (to GDM at least), so it seems it's trying to grab info off the card instead of letting me supply the username I am logging in as and just doing the mapping.

sumit-bose commented 10 months ago

Hi,

would it be possible to attach the full log files?

bye, Sumit

alexey-tikhonov commented 10 months ago

And please also mention what SSSD version you are using.

briantownjr commented 10 months ago

Here you are:

sssd-2.8.2-3.el8_8.x86_64
pcsc-lite-1.9.5-1.el8.x86_64
krb5-workstation-1.18.2-25.el8_8.x86_64
opensc-0.20.0-4.el8.x86_64
gdm-40.0-27.el8.x86_64

Last attempt at GDM login with same issue was 01:44 timeframe

p11_child.log sssd.log sssd_example.com.log sssd_ifp.log sssd_kcm.log sssd_nss.log sssd_pac.log sssd_pam.log sssd_ssh.log sssd_sudo.log

sumit-bose commented 10 months ago

Hi,

it looks like your mapping rule is not used because the domain part in the section header [certmap/rst.gsfc.nasa.gov/pancakes] must match the domain name in sssd.conf, so [certmap/example.com/pancakes]. Additionally, please remove ldap_user_certificate = altSecurityIdentities from sssd.conf; this breaks the default lookup for certificates where the whole certificate is used.

HTH

bye, Sumit
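Both problems Sumit points out are easy to miss by eye, so here is an added configuration check (example code, not part of SSSD) that parses an sssd.conf and reports them: a [certmap/<domain>/<rule name>] section whose domain part matches no configured domain, and an explicit ldap_user_certificate override in a domain section. The embedded input is an abridged, constructed copy of the sssd.conf from this issue; the "fixed" variant applies the two changes suggested above. The check compares domain names case-insensitively, which is an assumption on my part.

```python
"""Added sssd.conf sanity check (not SSSD project code) for the two mistakes
discussed in this thread: a certmap section whose <domain> part matches no
configured domain, and an ldap_user_certificate override."""
import configparser

# Constructed input modelled on the sssd.conf posted in the issue (abridged).
BROKEN_CONF = """\
[sssd]
domains = example.com
services = nss, pam, ssh, sudo

[domain/example.com]
id_provider = ad
ad_domain = example.com
fallback_homedir = /home/%u
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_certificate = altSecurityIdentities

[pam]
pam_cert_auth = True

[certmap/rst.gsfc.nasa.gov/pancakes]
maprule = (|(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})(userPrincipal={subject_principal}))
"""

# Same file with the certmap header domain corrected and the
# ldap_user_certificate override removed, as suggested in the thread.
FIXED_CONF = (BROKEN_CONF
              .replace("[certmap/rst.gsfc.nasa.gov/pancakes]", "[certmap/example.com/pancakes]")
              .replace("ldap_user_certificate = altSecurityIdentities\n", ""))


def load_sssd_conf(text):
    # sssd.conf values carry %-templates (fallback_homedir = /home/%u), so
    # configparser interpolation must be off or it raises on them.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def configured_domains(cp):
    """Lower-cased domain names from [domain/<name>] sections plus the
    [sssd] domains list (comma or space separated)."""
    names = {s.split("/", 1)[1].lower() for s in cp.sections() if s.startswith("domain/")}
    if cp.has_option("sssd", "domains"):
        names |= {d.lower() for d in cp.get("sssd", "domains").replace(",", " ").split()}
    return names


def check_certmap_sections(cp):
    """Certmap rules whose domain part matches no configured domain; SSSD
    does not apply such rules, which is what happened in this issue."""
    domains = configured_domains(cp)
    findings = []
    for section in cp.sections():
        if not section.startswith("certmap/"):
            continue
        parts = section.split("/")
        if len(parts) != 3:
            findings.append(f"[{section}]: expected [certmap/<domain>/<rule name>]")
        elif parts[1].lower() not in domains:
            findings.append(f"[{section}]: domain '{parts[1]}' is not configured "
                            f"(known: {', '.join(sorted(domains))}); rule will not be used")
    return findings


def check_user_certificate_attr(cp):
    """Explicit ldap_user_certificate settings. The thread's advice is to leave
    it unset so SSSD matches on the whole certificate in the default attribute;
    pointing it at altSecurityIdentities breaks that lookup."""
    findings = []
    for section in cp.sections():
        if section.startswith("domain/") and cp.has_option(section, "ldap_user_certificate"):
            value = cp.get(section, "ldap_user_certificate")
            findings.append(f"[{section}]: ldap_user_certificate = {value} overrides the "
                            "default certificate attribute; remove it unless intended")
    return findings


def run_checks(text):
    """All findings for one sssd.conf, as human-readable strings."""
    cp = load_sssd_conf(text)
    return check_certmap_sections(cp) + check_user_certificate_attr(cp)


if __name__ == "__main__":
    import sys
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    for line in run_checks(conf) or ["no findings"]:
        print(line)
```

Point it at /etc/sssd/sssd.conf (it is root-only, mode 0600, so run it as root) after any change to certmap rules; an empty result only means these two specific problems are absent, not that the maprule itself is right.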

briantownjr commented 10 months ago

> Hi,
>
> it looks like your mapping rule is not used because the domain part in the section header [certmap/rst.gsfc.nasa.gov/pancakes] must match the domain name in sssd.conf, so [certmap/example.com/pancakes]. Additionally, please remove ldap_user_certificate = altSecurityIdentities from sssd.conf; this breaks the default lookup for certificates where the whole certificate is used.
>
> HTH
>
> bye, Sumit

Sorry, forgot to come back here. I noticed that as well after putting in a ticket with Red Hat. There's still an issue when you run "authselect select sssd with-smartcard" where GDM seems to take over trying to figure out the username instead of letting you input it, but this works fine when using pam_sss.so in the gdm-password PAM configuration.

Closing this out. Thanks for the help!

sumit-bose commented 10 months ago

> Hi, it looks like your mapping rule is not used because the domain part in the section header [certmap/rst.gsfc.nasa.gov/pancakes] must match the domain name in sssd.conf, so [certmap/example.com/pancakes]. Additionally, please remove ldap_user_certificate = altSecurityIdentities from sssd.conf; this breaks the default lookup for certificates where the whole certificate is used. HTH bye, Sumit
>
> Sorry, forgot to come back here. I noticed that as well after putting in a ticket with Red Hat. There's still an issue when you run "authselect select sssd with-smartcard" where GDM seems to take over trying to figure out the username instead of letting you input it, but this works fine when using pam_sss.so in the gdm-password PAM configuration.

Hi,

thanks for the update. Yes, this is a feature of GDM which is switched on by authselect by default. If you do not like it, you can disable it in GDM's dconf by setting enable-smartcard-authentication to false in the [org/gnome/login-screen] dconf section.

bye, Sumit

> Closing this out. Thanks for the help!