There was a problem with obtaining the script generated by ipa-advise command. Admin password for obtaining Kerberos ticket was passed in the wrong way, so there was an error, and the script was not generated, so the final file didn't contain any code to execute. This causes file /etc/sssd/pki/sssd_auth_ca_db.pem (this file has to be updated in the obtained script) does not contain IPA CA certificate or does not exist at all after prepare command is finished. As file /etc/sssd/pki/sssd_auth_ca_db.pem is essential for smart card authentication due to certificates storied in it, smart card login was failing.
What is updated:
Size of the final file is checked based on the return value of os.stat(file), not based on empty contact (file.read() return an empty string)
ssh stdout is not read before password with trialing new line (\n) symbol is passed to the ssh stdin
There was a problem with obtaining the script generated by ipa-advise command. Admin password for obtaining Kerberos ticket was passed in the wrong way, so there was an error, and the script was not generated, so the final file didn't contain any code to execute. This causes file
/etc/sssd/pki/sssd_auth_ca_db.pem
(this file has to be updated in the obtained script) does not contain IPA CA certificate or does not exist at all after prepare command is finished. As file/etc/sssd/pki/sssd_auth_ca_db.pem
is essential for smart card authentication due to certificates storied in it, smart card login was failing.What is updated: