** Description changed:

[Impact]

Hello,

One of our customers attempted to use a smartcard for authentication in an sssd & Windows AD environment, but encountered apparmor denials that prevented it from working properly. They use enforce mode for apparmor.

In the beginning they only mentioned /etc/sssd/pki/ and /etc/sssd/pki/** r, and doc [1] also mentioned the guide, so I only mentioned it here. After that, the customer added more content about the apparmor DENIEDs they faced.

Then I thought I needed a reproducer for this, so I ordered a Yubikey 5 NFC, which supports the PIV Smart Card, and tried to reproduce this with Fabio's reproducer. Then I could reproduce it. But the symptom the customer encountered and what I saw are a little bit different, so I would like to ask you to discuss this further. Please refer to the Test Case section.

[1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html

[Test Case]

* Windows
1. Deploy Windows Server and enable AD & CA
2. Create User Seyeong

* Ubuntu
0. You need a smartcard that supports PIV auth
1. sudo apt install libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools sssd-ad realmd adcli yubico-piv-tool libengine-pkcs11-openssl libp11-3 libssl-dev yubikey-manager ykcs11 yubico-piv-tools -y
2. # later than Oracular
   sudo apt install krb5-pkinit -y
3. make sure DNS is working
4. check realm
- sudo realm -v discover WIN-E7RF5O29H6J.seyeong.kim
- sudo realm -v join WIN-E7RF5O29H6J.seyeong.kim
5. create CSR with smartcard (create openssl.cnf with keyUsage, extendedKeyUsage, subjectAltName with UPN)
ykman piv reset -f
yubico-piv-tool -a generate -s 9a -A RSA2048
export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so
openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:object=Private key for PIV Authentication;type=private;pin-value=123456" -config openssl.cnf -reqexts v3_req -out seyeongkim.csr -multivalue-rdn
cat seyeongkim.csr

openssl.cnf:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
CN = Seyeong Kim
OU = Users
0.DC = kim
1.DC = seyeong

[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[ alt_names ]
otherName = 1.3.6.1.4.1.311.20.2.3;UTF8:[email protected]

* Windows
1. copy the CSR to Windows and approve it, then download it

* Ubuntu
1. convert der to pem
- openssl x509 -in seyeongkim.der -out seyeongkimissued.pem -outform pem
2. import cert to smartcard
yubico-piv-tool -a import-certificate -s 9a -i seyeongkimissued.pem
3. check if it is the same
pkcs15-tool --read-certificate 1 > card-cert.pem
openssl x509 -text -noout -in card-cert.pem
4. convert ca cert der to pem
openssl x509 -in certnew.der -out cacert.crt -outform pem
5. setup ca cert in Ubuntu
sudo rm /usr/local/share/ca-certificates/cacert.crt
sudo rm /etc/ssl/certs/cacert.pem
sudo cp cacert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
6. setup cert for sssd
mkdir -p /etc/sssd/pki/
sudo rm /etc/sssd/pki/sssd_auth_ca_db.pem
sudo touch /etc/sssd/pki/sssd_auth_ca_db.pem
cat cacert.crt | sudo tee -a /etc/sssd/pki/sssd_auth_ca_db.pem
7. verification for setup
openssl verify -verbose card-cert.pem
openssl verify -verbose -CAfile /etc/sssd/pki/sssd_auth_ca_db.pem card-cert.pem
systemctl restart sssd
sudo dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat card-cert.pem)" uint32:10
8. use enforce mode for apparmor
9. setup sssd, krb5, pam
- for sssd, set it up to support the smartcard, matching by cert CN
-- please refer to the example below

- [pam]
- pam_cert_auth = True
+ [pam]
+ pam_cert_auth = True
pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem
- pam_verbosity = 2
-
- [certmap/seyeong.kim/Seyeong]
- matchrule = <SUBJECT>^CN=Seyeong.*$
- maprule = (userCertificate;binary={cert!bin})
+ pam_verbosity = 2
+
+ [certmap/seyeong.kim/Seyeong]
+ matchrule = <SUBJECT>^CN=Seyeong.*$
+ maprule = (userCertificate;binary={cert!bin})

[sssd]
domains = seyeong.kim
config_file_version = 2
services = nss, pam
default_domain_suffix = seyeong.kim

[domain/seyeong.kim]
default_shell = /bin/bash
ad_server = win-e7rf5o29h6j.seyeong.kim
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SEYEONG.KIM
- realmd_tags = manages-system joined-with-adcli
+ realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = seyeong.kim
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
- ldap_user_certificate = userCertificate
- ldap_user_search_base = DC=seyeong,DC=kim
+ ldap_user_certificate = userCertificate
+ ldap_user_search_base = DC=seyeong,DC=kim

- for krb5, add AD info
-- please refer to the example below

[libdefaults]
udp_preference_limit = 0
default_realm = SEYEONG.KIM
pkinit_anchors = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
pkinit_kdc_hostname = WIN-E7RF5O29H6J.seyeong.kim
pkinit_eku_checking = none
#rdns = false
#dns_lookup_realm = false

[domain_realm]

[plugins]
- localauth = {
- module = sssd:/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
- }
+ localauth = {
+ module = sssd:/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
+ }

- for pam, add "auth ... pam_sss.so try_cert_auth" for sssd checking
-- add the line below to /etc/pam.d/common-auth
auth [success=3 default=ignore] pam_sss.so try_cert_auth allow_missing_name

-
- 10. check the syslog
+ 10. su - Seyeong ( login Seyeong under Oracular )
+ Expected:
+ # su - Seyeong
+ PIN for Seyeong Kim:
+
+ Actual:
+ No PIN prompt and skip PIV authentication.
+
+ 11. related logs below

First, I got DENIEDs like the ones below (/etc/sssd/pki/ and /etc/sssd/pki/** r are not included here, but they are affected as well).

Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Then I added them to the apparmor profile:

/etc/sssd/pki/ r,
/etc/sssd/pki/** r,
@{PROC}/[0-9]*/cmdline r,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/** r,
/etc/ssl/openssl.cnf r,

But I encountered other DENIEDs (I could authenticate with the smartcard at this point):

Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

/run/pcscd/* wr,
/etc/machine-id r,
/etc/opensc/opensc.conf r,

With a recent test, I collected a net_admin DENIED, which the customer reported as well.

Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"

For me, the above was the reproducer, but the customer mentioned that they needed to add the rules below after testing.

capability net_admin, // removed in code
/etc/sssd/pki/ r,
/etc/sssd/pki/** r,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
/run/pcscd/* wr, // /{,var/}run/pcscd/pcscd.comm rw, changed
/etc/machine-id r,
/etc/opensc/opensc.conf r,

[Where problems could occur]

This change grants additional read and write access to files required for smartcard-based authentication, such as /etc/sssd/pki/, /etc/machine-id, and /{,var/}run/pcscd/pcscd.comm. These files are needed to establish the trust chain, retrieve the system identity, and communicate with the pcscd daemon. While these permissions are necessary for correct functionality, especially when using hardware-backed PIV smartcards with sssd, they broaden the attack surface of the confined process if misused. Therefore, these additions should be reviewed under strict confinement principles, ensuring they are granted only to trusted components such as sssd and its helper processes (p11_child and krb5_child in the denials above).

[Others]
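Added here as an example, not code from the bug report or from sssd: a small Python helper that turns apparmor DENIED audit lines like the ones quoted in the Test Case above into the minimal profile rules they imply, folding per-PID /proc paths into @{PROC}/[0-9]*/ and /run into /{,var/}run/ as the final rule list does, and emitting only the denied mask. The embedded lines are copied from the report's syslog excerpts; parse_denial, generalise_path, rule_for and rules_from_log are names chosen here.

```python
import re

# Audit lines quoted from this bug report's syslog excerpts (one p11-kit line kept as noise).
DENIALS = """\
Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of one apparmor DENIED audit line, or None for anything else."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def generalise_path(path):
    """Fold per-process and per-distro specifics into the AppArmor variables a profile should use
    (assumption: only /proc/<pid>/ and /run vs /var/run need folding for this report)."""
    path = re.sub(r'^/proc/\d+/', '@{PROC}/[0-9]*/', path)
    path = re.sub(r'^/(var/)?run/', '/{,var/}run/', path)
    return path

def rule_for(d):
    """Minimal rule for one denial: exact path and only the denied mask (least privilege)."""
    if d.get('operation') == 'capable':
        return f"capability {d['capname']},"
    perms = ''.join(sorted(set(d['denied_mask'])))  # "wr" -> "rw"
    return f"{generalise_path(d['name'])} {perms},"

def rules_from_log(text):
    """Deduplicated rules per confined profile, in first-seen order."""
    out = {}
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            out.setdefault(d['profile'], []).append(rule_for(d))
    return {p: list(dict.fromkeys(rules)) for p, rules in out.items()}

if __name__ == "__main__":
    for profile, rules in rules_from_log(DENIALS).items():
        print(f"# rules implied by denials for profile {profile}")
        print("\n".join("  " + r for r in rules))
```

Review each generated rule against the comm= field of the denial it came from before adding it to the sssd profile; the script never widens a path to a wildcard, so anything broader (such as /run/pcscd/*) is a deliberate choice to make by hand.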
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2109673

Title:
  Authentication with smartcard is not working with apparmor DENIED

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2109673/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
