e) Okay. I ported sssd-smart-card-pam-auth-configs-tester.sh and
sssd-softhism2-certificates-tests.sh from noble, along with d/t/control,
to the jammy package, and ran the autopkgtests.

The debdiff is attached, and logs from the autopkgtest run are attached
too.

In short:

442s ldap-user-group-ldap-auth PASS
442s ldap-user-group-krb5-auth PASS
442s sssd-softhism2-certificates-tests.sh PASS
442s sssd-smart-card-pam-auth-configs FAIL non-zero exit status 2
442s qemu-system-x86_64: terminating on signal 15 from pid 34021 (/usr/bin/python3)

sssd-softhism2-certificates-tests.sh runs OK, but
sssd-smart-card-pam-auth-configs.sh fails.

437s + pam-auth-update --disable sss-smart-card-optional sss-smart-card-required
437s + for alternative in "${alternative_pam_configs[@]}"
437s + pam-auth-update --enable sss-smart-card-optional
437s + cat /etc/pam.d/common-auth
437s + runuser -u ubuntu -- pamtester -v login ubuntu authenticate
437s + echo -n -e 123456
437s #
437s # /etc/pam.d/common-auth - authentication settings common to all services
437s #
437s # This file is included from other service-specific PAM config files,
437s # and should contain a list of the authentication modules that define
437s # the central authentication scheme for use on the system
437s # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
437s # traditional Unix authentication mechanisms.
437s #
437s # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
437s # To take advantage of this, it is recommended that you configure any
437s # local modules either before or after the default block, and use
437s # pam-auth-update to manage selection of other modules.  See
437s # pam-auth-update(8) for details.
437s 
437s # here are the per-package modules (the "Primary" block)
437s auth       [success=2 default=ignore]      pam_unix.so nullok
437s auth       [success=1 default=ignore]      pam_sss.so use_first_pass
437s # here's the fallback if no module succeeds
437s auth       requisite                       pam_deny.so
437s # prime the stack with a positive return value if there isn't one already;
437s # this avoids us returning an error just because nothing sets a success code
437s # since the modules above will each just jump around
437s auth       required                        pam_permit.so
437s # and here are more per-package modules (the "Additional" block)
437s auth       optional                        pam_cap.so 
437s # end of pam-auth-update config
437s pamtester: invoking pam_start(login, ubuntu, ...)
437s pamtester: performing operation - authenticate
440s Password: pamtester: Authentication failure
440s + return 2
440s + handle_exit
440s + exit_code=2

So, it would require additional work to fix up these testcases.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2081129

Title:
  libpam-sss: require_cert_auth is not absolute, will fall back to
  password auth on smartcard removal
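
An added example, not part of the bug comment or of the sssd package: a small checker for a common-auth dump like the one in the log above. It lists where each [success=N] jump lands and whether any pam_sss.so auth line carries a smart-card option. The function names are hypothetical, and treating try_cert_auth and require_cert_auth as the markers of a smart-card line is an assumption of this sketch.

```python
import re

# Constructed input: the non-comment auth lines of /etc/pam.d/common-auth
# as printed in the autopkgtest log above, timestamp prefix included.
SAMPLE_LOG = """\
437s # here are the per-package modules (the "Primary" block)
437s auth       [success=2 default=ignore]      pam_unix.so nullok
437s auth       [success=1 default=ignore]      pam_sss.so use_first_pass
437s # here's the fallback if no module succeeds
437s auth       requisite                       pam_deny.so
437s auth       required                        pam_permit.so
437s auth       optional                        pam_cap.so
"""

# Assumption: these pam_sss options mark a smart-card (certificate) auth line.
CERT_OPTS = {"try_cert_auth", "require_cert_auth"}
RULE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_auth_stack(text):
    """Return auth rules in order, ignoring comments and 'NNNs ' log prefixes."""
    rules = []
    for raw in text.splitlines():
        line = re.sub(r"^\d+s ?", "", raw).strip()
        m = RULE.match(line)
        if m:
            control, module, args = m.groups()
            rules.append({"control": control, "module": module, "args": args.split()})
    return rules


def success_target(rules, index):
    """Module reached when rules[index] succeeds with a [success=N] jump, else None."""
    m = re.search(r"success=(\d+)", rules[index]["control"])
    if not m:
        return None
    target = index + 1 + int(m.group(1))  # success=N skips the next N modules
    return rules[target]["module"] if target < len(rules) else None


def cert_auth_lines(rules):
    """pam_sss.so rules that request certificate (smart card) authentication."""
    return [r for r in rules
            if r["module"] == "pam_sss.so" and CERT_OPTS & set(r["args"])]


if __name__ == "__main__":
    stack = parse_auth_stack(SAMPLE_LOG)
    for i, rule in enumerate(stack):
        print(i, rule["module"], rule["args"], "-> on success:", success_target(stack, i))
    print("smart-card pam_sss lines:", cert_auth_lines(stack) or "none")
```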
