Hi.

I am able to reproduce this problem on Fedora 32 (sssd-2.2.3-20), however I
am not able to reproduce this on CentOS 8 (sssd-2.3.1-2). This suggests the
problem was introduced somewhere between sssd 2.2.3 and 2.3.1.

Config on both systems is the same: machines are added to the IPA domain, and
the user account has both a cert configured for PKINIT and OTP.

Attempting to log in on CentOS 8 displays a prompt for the Smart Card PIN;
attempting to log in on Fedora 32 displays a prompt for OTP factors.

I've tried to analyze the problem and it seems that sss_krb5_prompter
always tries otp on Fedora, even though p11_child finishes successfully and
returns the correct user certificate.

On CentOS 8:

(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [get_and_save_tgt]
(0x4000): Found Smartcard credentials, trying pkinit.
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]]
[sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143791: Upgrading to
FAST due to presence of PA_FX_FAST in reply
(...)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]]
[sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143815: Processing
preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14),
PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133),
PA-FX-ERROR (137)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]]
[sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143816: Received
cookie: MIT
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_responder]
(0x4000): Got question [pkinit].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [answer_pkinit]
(0x4000): [0] Identity
[PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so:slotid=0:token=rkujawa]
flags [0].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [answer_pkinit]
(0x4000): Setting pkinit_prompting.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]]
[sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143817: Preauth
module pkinit (147) (info) returned: 0/Success
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter]
(0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1]
EINVAL.
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter]
(0x4000): Prompt [0][rkujawa PIN].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter]
(0x0020): Cannot handle password prompts.

On Fedora 32:

(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x4000):
Found Smartcard credentials, trying pkinit.
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb]
(0x4000): [1823] 1599679096.050398: Upgrading to FAST due to presence of
PA_FX_FAST in reply
(...)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb]
(0x4000): [1823] 1599679096.050422: Processing preauth types: PA-PK-AS-REQ
(16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136),
PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133), PA-FX-ERROR
(137)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb]
(0x4000): [1823] 1599679096.050423: Received cookie: MIT
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_krb5_responder] (0x4000):
Got question [otp].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Vendor
[(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0]
Token-ID [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0]
Challenge [(null)].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x4000): [0] Flags
[1].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x2000): Exit
answer_otp during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [get_and_save_tgt] (0x0400):
krb5_get_init_creds_password returned [11] during pre-auth.
(2020-09-09 21:18:16): [krb5_child[1823]] [k5c_send_data] (0x0200):
Received error code 0
(2020-09-09 21:18:16): [krb5_child[1823]] [pack_response_packet] (0x2000):
response packet size: [15]
(2020-09-09 21:18:16): [krb5_child[1823]] [k5c_send_data] (0x4000):
Response sent.
(2020-09-09 21:18:16): [krb5_child[1823]] [main] (0x0400): krb5_child
completed successfully

This results in the PIN never being asked for on Fedora.

Unfortunately, at this moment I am not able to deliver full logs. Hopefully
Jan will send full logs from his setup ;).

Best regards,
Radoslaw
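The preauth-path mismatch visible in the two log excerpts, as an added diagnostic example that is not part of the original post or of sssd: a small Python parser for krb5_child debug records in both timestamp styles shown above, which extracts the preauth types the KDC offered, the question the sssd responder got, and the prompter's prompt, and flags the case where PA-PK-AS-REQ was offered but the responder only ever answered otp. The sample records (one per line, as in the real log files), the regexes and the `analyze` function are constructed for this example.

```python
import re

# Constructed excerpts in the two krb5_child debug-log styles from the report
# (one record per line, as in the real log files; the mail wrapped them).
FEDORA_LOG = """\
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_child_krb5_trace_cb] (0x4000): [1823] 1599679096.050422: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-FX-COOKIE (133)
(2020-09-09 21:18:16): [krb5_child[1823]] [sss_krb5_responder] (0x4000): Got question [otp].
(2020-09-09 21:18:16): [krb5_child[1823]] [answer_otp] (0x2000): Exit answer_otp during pre-auth.
"""
CENTOS_LOG = """\
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_child_krb5_trace_cb] (0x4000): [2185] 1599679459.143815: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141)
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(Wed Sep 9 21:24:19 2020) [[sssd[krb5_child[2185]]]] [sss_krb5_prompter] (0x4000): Prompt [0][rkujawa PIN].
"""

# Record header: either timestamp style, either [krb5_child[pid]] tag nesting,
# then the function name and debug level, then the message.
RECORD_RE = re.compile(
    r"^\([^)]*\):? \[+(?:sssd\[)?krb5_child\[\d+\]\]+ "
    r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
PATYPE_RE = re.compile(r"(PA-[\w-]+) \((\d+)\)")
QUESTION_RE = re.compile(r"Got question \[(\w+)\]")
PROMPT_RE = re.compile(r"Prompt \[\d+\]\[([^\]]*)\]")


def parse_records(log_text):
    """Return (function, message) pairs for every line in krb5_child record format."""
    return [(m.group("func"), m.group("msg"))
            for m in map(RECORD_RE.match, log_text.splitlines()) if m]


def analyze(log_text):
    """Summarise what the KDC offered and which path the sssd responder/prompter took."""
    offered, questions, prompts = [], [], []
    for func, msg in parse_records(log_text):
        if "Processing preauth types:" in msg:
            offered = [(n, int(v)) for n, v in PATYPE_RE.findall(msg)]
        elif func == "sss_krb5_responder" and (m := QUESTION_RE.search(msg)):
            questions.append(m.group(1))
        elif func == "sss_krb5_prompter" and (m := PROMPT_RE.search(msg)):
            prompts.append(m.group(1))
    pkinit_offered = any(n == "PA-PK-AS-REQ" for n, _ in offered)
    return {
        "offered": offered, "questions": questions, "prompts": prompts,
        "pkinit_offered": pkinit_offered,
        # The symptom in the report: PKINIT offered, but the responder only answers otp.
        "otp_instead_of_pkinit": pkinit_offered and "otp" in questions and "pkinit" not in questions,
    }
```

Run `analyze()` over a real sssd_<domain>.log or krb5_child.log captured at debug_level 10; a result with `otp_instead_of_pkinit` set reproduces the Fedora symptom, while the CentOS excerpt yields a `pkinit` question and a PIN prompt.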
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]