** Description changed:

  [Impact]

  Hello, one of our customers wanted to use a smartcard as an authentication device in an sssd & Windows AD environment. But they can't do it because of AppArmor DENIED.

  In the beginning they only mentioned /etc/sssd/pki/ and /etc/sssd/pki/** r, and doc [1] also mentioned the guide, so I only mentioned it here.

  After that, the customer added more contents, and they faced AppArmor DENIED. Then I thought I needed a reproducer for this, so I ordered a Yubikey 5 NFC, which supports PIV Smart Card, and tried to reproduce this with Fabio's reproducer. Then I could reproduce it. But the symptom the customer encountered and the one I saw are a little bit different, so I would like to ask you to discuss this further. Please refer to the Test Case section.

  [1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html

  [Test Case]
- 1. Deploy Windows Server and enable AD
- 2. referred to this.
- - https://pastebin.canonical.com/p/tqNZ2435yC/
+ * Windows
+ 1. Deploy Windows Server and enable AD & CA
+ 2. Create User Seyeong
+
+ * Ubuntu
+ 0. You need a smartcard with PIV auth support
+ 1. sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
+ sudo apt install libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools sssd-ad realmd adcli libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools yubico-piv-tool libengine-pkcs11-openssl libp11-3 opensc libssl-dev yubikey-manager ykcs11 -y
+
+ 2. # later than Oracular
+ sudo apt install krb5-pkinit -y
+
+ 3. make sure DNS is working
+
+ 4. check realm
+ - sudo realm -v discover WIN-E7RF5O29H6J.seyeong.kim
+ - sudo realm -v join WIN-E7RF5O29H6J.seyeong.kim
+
+ 5. create CSR with smartcard (create openssl.cnf with keyUsage, extendedKeyUsage, subjectAltName with UPN)
+ ykman piv reset -f
+ yubico-piv-tool -a generate -s 9a -A RSA2048
+ export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so
+ openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:object=Private key for PIV Authentication;type=private;pin-value=123456" -config openssl.cnf -reqexts v3_req -out seyeongkim.csr -multivalue-rdn
+ cat seyeongkim.csr
+
+ * Windows
+ 1. copy the CSR to Windows and approve it, then download it
+
+ * Ubuntu
+ 1. convert DER to PEM
+ - openssl x509 -in seyeongkim.der -out seyeongkimissued.pem -outform pem
+
+ 2. import cert to smartcard
+ yubico-piv-tool -a import-certificate -s 9a -i seyeongkimissued.pem
+
+ 3. check if it is the same
+ pkcs15-tool --read-certificate 1 > card-cert.pem
+ openssl x509 -text -noout -in card-cert.pem
+
+ 4. convert CA cert DER to PEM
+ openssl x509 -in certnew.der -out cacert.crt -outform pem
+
+ 5. setup CA cert in Ubuntu
+ sudo rm /usr/local/share/ca-certificates/cacert.crt
+ sudo rm /etc/ssl/certs/cacert.pem
+ sudo cp cacert.crt /usr/local/share/ca-certificates/
+ sudo update-ca-certificates
+
+ 6. setup cert for sssd
+ mkdir -p /etc/sssd/pki/
+ sudo rm /etc/sssd/pki/sssd_auth_ca_db.pem
+ sudo touch /etc/sssd/pki/sssd_auth_ca_db.pem
+ cat cacert.crt | sudo tee -a /etc/sssd/pki/sssd_auth_ca_db.pem
+
+ 7. verification for setup
+ openssl verify -verbose card-cert.pem
+ openssl verify -verbose -CAfile /etc/sssd/pki/sssd_auth_ca_db.pem card-cert.pem
+
+ systemctl restart sssd
+
+ sudo dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat card-cert.pem)" uint32:10
+
+ 8. use enforce mode for apparmor
+
+ 9. setup sssd, krb5, pam
+ - for sssd, set it up to support smartcard, matching by cert CN
+ - for krb5, add AD info
+ - for pam, add "auth ... pam_sss.so try_cert_auth" for sssd checking
+
+ 10. check the syslog

  First, I got DENIED like below (/etc/sssd/pki/ and /etc/sssd/pki/** r are not included here, but they affect it).

  Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
  Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
  Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Then I added them to the apparmor profile:

  /etc/sssd/pki/ r,
  /etc/sssd/pki/** r,
  @{PROC}/[0-9]*/cmdline r,
  /usr/share/p11-kit/modules/ r,
  /usr/share/p11-kit/modules/** r,
  /etc/ssl/openssl.cnf r,

  But I encountered other DENIEDs (I could use auth with the smartcard at this point):

  Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  /run/pcscd/* wr,
  /etc/machine-id r,
  /etc/opensc/opensc.conf r,

  With a recent test, I collected the net_admin DENIED which the customer reported as well.

  Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"

  For me, the above was the reproducer, but the customer mentioned that they needed to add the below by testing.

  capability net_admin,
  /etc/sssd/pki/ r,
  /etc/sssd/pki/** r,
  /usr/share/p11-kit/modules/ r,
  /usr/share/p11-kit/modules/* r,
  /run/pcscd/* wr,
  /etc/machine-id r,
  /etc/opensc/opensc.conf r,
-
  [Where problems could occur]

  TBD

  [Others]
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2109673

Title:
  Authentication with smartcard is not working with apparmor DENIED

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2109673/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
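Step 5 of the test case says to "create openssl.cnf with keyUsage, extendedKeyUsage, subjectAltName with UPN" but does not show the file. The following is an added example, not code from the bug report or from the sssd project, of such a config and of the CSR step that uses it. The UPN seyeong@seyeong.kim and the CN Seyeong are assumptions (the report only shows the realm seyeong.kim and the user Seyeong); everything else in the openssl req invocation is copied from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report: the openssl.cnf that step 5 of the
# test case leaves to the reader. The UPN and CN passed in below are assumptions.
set -eu

# Print an OpenSSL request config whose v3_req section carries what AD needs in
# order to map the certificate to a user: digitalSignature/keyEncipherment key
# usage, the clientAuth and Smart Card Logon EKUs (msSmartcardLogin is OpenSSL's
# name for 1.3.6.1.4.1.311.20.2.2), and a SAN otherName of type msUPN
# (1.3.6.1.4.1.311.20.2.3) holding the user's UPN.
piv_csr_config() {
    upn=$1
    cn=$2
    cat <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = ${cn}

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, msSmartcardLogin
subjectAltName   = otherName:msUPN;UTF8:${upn}
EOF
}

# Build the CSR with the PIV Authentication key (slot 9a) through the pkcs11
# engine, as the report does, then print the requested extensions so the UPN
# can be checked before the CSR goes to the Windows CA. Needs the YubiKey and
# libykcs11; pin-value=123456 is the default PIV PIN used in the report and it
# is visible in the process command line, so change it on a real card.
piv_make_csr() {
    upn=$1
    cn=$2
    out=$3
    piv_csr_config "$upn" "$cn" > openssl.cnf
    export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so
    openssl req -engine pkcs11 -keyform engine -new \
        -key "pkcs11:object=Private key for PIV Authentication;type=private;pin-value=123456" \
        -config openssl.cnf -reqexts v3_req -multivalue-rdn -out "$out"
    openssl req -in "$out" -noout -text | sed -n '/Requested Extensions/,$p'
}

# Demo: only print the config for the assumed UPN/CN; piv_make_csr needs the card.
piv_csr_config 'seyeong@seyeong.kim' 'Seyeong'
```

The msUPN otherName is the value AD uses for implicit user mapping, so it must match the user's userPrincipalName exactly; the sssd side of the report matches on the cert CN instead, which is why both fields are set.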

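The report derives its profile additions by reading the DENIED lines one at a time. The following is an added example, not code from the bug report or from the sssd or AppArmor projects, that does that translation mechanically: it parses the audit lines quoted above, keeps those for the /usr/sbin/sssd profile, and emits one candidate rule per distinct denial, generalising per-pid /proc paths the way the reporter did with @{PROC}/[0-9]*/cmdline. The function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report: turn AppArmor DENIED audit lines
# into candidate rules for the /usr/sbin/sssd profile. It handles what the
# report shows: file operations (open, connect on a socket path) carrying a
# denied_mask, and "capable" carrying a capname.
set -eu

# aa_field KEY LINE: print the value of KEY="value" (or KEY=value) from one
# audit line, or nothing if the key is absent. The required whitespace before
# KEY keeps "name" from matching inside "capname".
aa_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\\{0,1\\}\\([^\"[:space:]]*\\).*/\\1/p"
}

# aa_rules_from_audit [PROFILE] < audit-lines: one rule per distinct denial,
# optionally limited to PROFILE. Per-pid /proc paths become @{PROC}/[0-9]*/
# so one rule covers every sssd child. Output is sorted and de-duplicated.
aa_rules_from_audit() {
    want_profile=${1:-}
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*) ;;
            *) continue ;;
        esac
        if [ -n "$want_profile" ] && [ "$(aa_field profile "$line")" != "$want_profile" ]; then
            continue
        fi
        case "$(aa_field operation "$line")" in
            capable)
                printf 'capability %s,\n' "$(aa_field capname "$line")"
                ;;
            *)
                path=$(aa_field name "$line")
                mask=$(aa_field denied_mask "$line")
                [ -n "$path" ] && [ -n "$mask" ] || continue
                path=$(printf '%s\n' "$path" | sed 's#^/proc/[0-9][0-9]*/#@{PROC}/[0-9]*/#')
                printf '%s %s,\n' "$path" "$mask"
                ;;
        esac
    done | LC_ALL=C sort -u
}

# Audit lines quoted from the bug report above (not constructed), chosen so the
# output can be compared with the rules the reporter added by hand.
SAMPLE_DENIALS='Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"'

# Demo: print the candidate rules for the sssd profile.
printf '%s\n' "$SAMPLE_DENIALS" | aa_rules_from_audit /usr/sbin/sssd
```

The output is a starting point, not a profile: a denial on a directory such as /usr/share/p11-kit/modules/ is followed by denials on the files beneath it once the directory read succeeds, which is why the report pairs the directory rule with a /** r rule, and a socket path like /run/pcscd/pcscd.comm may be better written as the /run/pcscd/* wr the reporter used. capability net_admin, grants far more than any file rule, so it is worth confirming what krb5_child needs it for before adding it. On Ubuntu the additions normally go into /etc/apparmor.d/local/usr.sbin.sssd, which the packaged profile includes, followed by sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.sssd.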