Apologies for my previous thread mess, I've learned to keep it neat.
In following my previous thread
(https://lists.fedorahosted.org/archives/list/[email protected]/thread/FYZFFHQ573REKTXHJK5DZU3RET76X7LA/)
I've discovered what I believe to be the issue when trying to log in with
smartcards. When running kinit while already logged in, it can prompt for a PIN and
successfully use that data to verify the certificate. Then when trying to log in
from tty1 with pam_sss.so require_cert_auth present, the krb5 child attempts to
kinit:
'''
    DEBUG(SSSDBG_TRACE_FUNC,
          "Attempting kinit for realm [%s]\n", realm_name);
    kerr = kr->krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
                                            password_or_responder(password),
                                            sss_krb5_prompter, kr, 0, NULL,
                                            kr->options);
    if (kr->pd->cmd == SSS_PAM_PREAUTH && kerr != KRB5KDC_ERR_KEY_EXP) {
        /* Any errors except KRB5KDC_ERR_KEY_EXP are ignored during pre-auth,
         * only data is collected to be sent back to the client.
         * KRB5KDC_ERR_KEY_EXP must be handled separately to figure out the
         * possible authentication methods to update the password. */
        DEBUG(SSSDBG_TRACE_FUNC,
              "krb5_get_init_creds_password returned [%d] during pre-auth.\n",
              kerr);
        return 0;
    } else {
        if (kerr != 0) {
            KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
'''
https://github.com/SSSD/sssd/blob/master/src/providers/krb5/krb5_child.c
Looking at the source code for the process I've come to the conclusion that for
SOME REASON, the kinit PIN prompt fails after entering my username and password,
then being prompted for a smartcard.
It seems like p11_child sees the smartcard inserted, lets the krb5_child run,
and somehow fails when prompting for a PIN. Even though the child 'fails', the
login is never denied with any smartcard; one just needs to be present. The
side effect of this is that a Kerberos ticket is never granted, but the login
does succeed.
Unfortunately that's everything I've been able to find. Is anyone able to help
with the info I've provided?
_______________________________________________
FreeIPA-users mailing list -- [email protected]