@ahasenack Thanks so much for the detailed review. I've updated the description. Please let me know if you need anything more.
** Description changed:

  [Impact]

  Hello

  One of our customers attempted to use a smartcard for authentication in an sssd & Windows AD environment, but encountered apparmor denials that prevented it from working properly. They use enforce mode for apparmor.

  In the beginning they only mentioned /etc/sssd/pki/ and /etc/sssd/pki/** r, and doc [1] also mentioned the guide, so I only mentioned it here. After that, the customer added more contents and they faced apparmor DENIED.

  Then I thought I needed a reproducer for this, so I ordered a Yubikey 5 NFC, which supports the PIV Smart Card, and tried to reproduce this with Fabio's reproducer. Then I could reproduce this. But the symptom the customer encountered and what I saw are a little bit different, so I would like to ask you to have a further discussion. Please refer to the Test Case section.

  [1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html

  [Test Case]

  * Windows
  1. Deploy Windows Server and enable AD & CA
  2. Create User Seyeong

  * Ubuntu
  0. You need a smartcard with PIV auth support
  1. sudo apt install libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools sssd-ad realmd adcli yubico-piv-tool libengine-pkcs11-openssl libp11-3 libssl-dev yubikey-manager ykcs11 yubico-piv-tools -y
  2. # later than Oracular
     sudo apt install krb5-pkinit -y
  3. make sure dns is working
  4. check realm
     - sudo realm -v discover WIN-E7RF5O29H6J.seyeong.kim
     - sudo realm -v join WIN-E7RF5O29H6J.seyeong.kim
  5. create CSR with smartcard ( create openssl.cnf with keyUsage, extendedKeyUsage, subjectAltName with UPN )
     ykman piv reset -f
     yubico-piv-tool -a generate -s 9a -A RSA2048
     export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so
     openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:object=Private key for PIV Authentication;type=private;pin-value=123456" -config openssl.cnf -reqexts v3_req -out seyeongkim.csr -multivalue-rdn
     cat seyeongkim.csr

     > openssl.cnf
     [ req ]
     default_bits = 2048
     prompt = no
     default_md = sha256
     req_extensions = v3_req
     distinguished_name = req_distinguished_name

     [ req_distinguished_name ]
     CN = Seyeong Kim
     OU = Users
     0.DC = kim
     1.DC = seyeong

     [ v3_req ]
     keyUsage = digitalSignature
     extendedKeyUsage = clientAuth
     subjectAltName = @alt_names

     [ alt_names ]
     otherName = 1.3.6.1.4.1.311.20.2.3;UTF8:[email protected]

  * Windows
  1. copy the CSR to Windows and approve it, then download it

  * Ubuntu
  1. convert der to pem
     - openssl x509 -in seyeongkim.der -out seyeongkimissued.pem -outform pem
  2. import cert to smartcard
     yubico-piv-tool -a import-certificate -s 9a -i seyeongkimissued.pem
  3. check if it is the same
     pkcs15-tool --read-certificate 1 > card-cert.pem
     openssl x509 -text -noout -in card-cert.pem
  4. convert ca cert der to pem
     openssl x509 -in certnew.der -out cacert.crt -outform pem
  5. setup ca cert in Ubuntu
     sudo rm /usr/local/share/ca-certificates/cacert.crt
     sudo rm /etc/ssl/certs/cacert.pem
     sudo cp cacert.crt /usr/local/share/ca-certificates/
     sudo update-ca-certificates
  6. setup cert for sssd
     mkdir -p /etc/sssd/pki/
     sudo rm /etc/sssd/pki/sssd_auth_ca_db.pem
     sudo touch /etc/sssd/pki/sssd_auth_ca_db.pem
     cat cacert.crt | sudo tee -a /etc/sssd/pki/sssd_auth_ca_db.pem
  7. verification for setup
     openssl verify -verbose card-cert.pem
     openssl verify -verbose -CAfile /etc/sssd/pki/sssd_auth_ca_db.pem card-cert.pem
     systemctl restart sssd
     sudo dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat card-cert.pem)" uint32:10
  8. use enforce mode for apparmor
  9. setup sssd, krb5, pam
     - for sssd, set it up to support smartcard, matching by cert CN
       -- please refer to the example below

       [pam]
       pam_cert_auth = True
       pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem
       pam_verbosity = 2

       [certmap/seyeong.kim/Seyeong]
       matchrule = <SUBJECT>^CN=Seyeong.*$
       maprule = (userCertificate;binary={cert!bin})

       [sssd]
       domains = seyeong.kim
       config_file_version = 2
       services = nss, pam
       default_domain_suffix = seyeong.kim

       [domain/seyeong.kim]
       default_shell = /bin/bash
       ad_server = win-e7rf5o29h6j.seyeong.kim
       krb5_store_password_if_offline = True
       cache_credentials = True
       krb5_realm = SEYEONG.KIM
       realmd_tags = manages-system joined-with-adcli
       id_provider = ad
       fallback_homedir = /home/%u@%d
       ad_domain = seyeong.kim
       use_fully_qualified_names = True
       ldap_id_mapping = True
       access_provider = ad
       ldap_user_certificate = userCertificate
       ldap_user_search_base = DC=seyeong,DC=kim

     - for krb5, add AD info
       -- please refer to the example below

       [libdefaults]
       udp_preference_limit = 0
       default_realm = SEYEONG.KIM
       pkinit_anchors = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
       pkinit_kdc_hostname = WIN-E7RF5O29H6J.seyeong.kim
       pkinit_eku_checking = none
       #rdns = false
       #dns_lookup_realm = false

       [domain_realm]

       [plugins]
       localauth = {
           module = sssd:/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
       }

     - for pam, add "auth ... pam_sss.so try_cert_auth" for sssd checking
       -- add the line below to /etc/pam.d/common-auth

       auth [success=3 default=ignore] pam_sss.so try_cert_auth allow_missing_name

  10. su - Seyeong ( login Seyeong under Oracular )

  Expected:
  # su - Seyeong
  PIN for Seyeong Kim:

  Actual:
  No PIN prompt and skip PIV authentication.

- 11. related logs below
+ [Where problems could occur]
+ This change grants additional read and write access to files required for smartcard-based authentication,
+ such as /etc/sssd/pki/, /etc/machine-id, and /{,var/}run/pcscd/pcscd.comm. These files are essential
+ for establishing trust chains, retrieving system identity, and enabling communication with the pcscd daemon.
+ While these permissions are necessary for correct functionality, especially when using hardware-backed
+ PIV smartcards with sssd, they may broaden the attack surface if misused.
+ Therefore, these additions should be reviewed under strict confinement principles, ensuring they are only
+ granted to trusted components such as sssd and its helper processes.
+
+ [Others]
+
+ Related logs below

  First, I got DENIED like below. ( /etc/sssd/pki/ and /etc/sssd/pki/** r not included but it affects )

  Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
  Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
  Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  then I added them to the apparmor profile

  /etc/sssd/pki/ r,
  /etc/sssd/pki/** r,
  @{PROC}/[0-9]*/cmdline r,
  /usr/share/p11-kit/modules/ r,
  /usr/share/p11-kit/modules/** r,
  /etc/ssl/openssl.cnf r,

  But I encountered other DENIEDs ( I could use auth with smartcard at this point )

  Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  /run/pcscd/* wr,
  /etc/machine-id r,
  /etc/opensc/opensc.conf r,

  With a recent test, I collected the net_admin DENIED, which the customer reported as well.

  Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"

  For me, the above was the reproducer, but the customer mentioned that they need to add the below by testing.

  capability net_admin, // removed in code
  /etc/sssd/pki/ r,
  /etc/sssd/pki/** r,
  /usr/share/p11-kit/modules/ r,
  /usr/share/p11-kit/modules/* r,
  /run/pcscd/* wr, // /{,var/}run/pcscd/pcscd.comm rw, changed
  /etc/machine-id r,
  /etc/opensc/opensc.conf r,
-
- [Where problems could occur]
- This change grants additional read and write access to files required for smartcard-based authentication,
- such as /etc/sssd/pki/, /etc/machine-id, and /{,var/}run/pcscd/pcscd.comm. These files are essential
- for establishing trust chains, retrieving system identity, and enabling communication with the pcscd daemon.
- While these permissions are necessary for correct functionality, especially when using hardware-backed
- PIV smartcards with sssd, they may broaden the attack surface if misused.
- Therefore, these additions should be reviewed under strict confinement principles, ensuring they are only
- granted to trusted components such as sssd and its helper processes.
-
- [Others]

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2109673

Title:
  Authentication with smartcard is not working with apparmor DENIED

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2109673/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
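Added example, not part of the bug report above and not code from the sssd or apparmor packages: the reporter translated each apparmor="DENIED" audit line into a profile rule by hand. The script below does that translation mechanically. It embeds a constructed sample made of the audit lines quoted in the report, filters on the profile name /usr/sbin/sssd seen there, merges the denied_mask letters per path (so "wr" comes out as "rw"), and generalises paths the way the report's final rules do (/proc/<pid>/ to @{PROC}/[0-9]*/, /run/ or /var/run/ to /{,var/}run/). The function and variable names are the example's own.

```python
"""Turn apparmor DENIED audit lines into candidate profile rules.

Added example for the sssd/smartcard bug report above; not part of the
report or of the sssd/apparmor packages.  Paths are generalised the way
the report's final rules are (/proc/<pid>/ -> @{PROC}/[0-9]*/,
/run/ or /var/run/ -> /{,var/}run/).
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample: audit lines quoted in the bug report, syslog prefix kept.
SAMPLE_LOG = """\
Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"
"""

# key="value" pairs in an audit line; unquoted fields (pid=, fsuid=) are ignored.
_FIELD = re.compile(r'(\w+)="([^"]*)"')
# Order in which apparmor prints permission letters in a rule.
_MASK_ORDER = "rwamklx"


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the quoted fields of an apparmor DENIED line, or None otherwise."""
    fields = dict(_FIELD.findall(line))
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def generalize_path(path: str) -> str:
    """Rewrite a denied path into the rule form the report ended up using."""
    # /proc/12852/cmdline -> @{PROC}/[0-9]*/cmdline
    path = re.sub(r"^/proc/[0-9]+/", "@{PROC}/[0-9]*/", path)
    # /run/pcscd/pcscd.comm or /var/run/pcscd/pcscd.comm -> /{,var/}run/pcscd/pcscd.comm
    path = re.sub(r"^/(?:var/)?run/", "/{,var/}run/", path)
    return path


def merge_mask(*masks: str) -> str:
    """Union permission letters and emit them in apparmor order (wr -> rw)."""
    letters = {c for m in masks for c in m}
    return "".join(c for c in _MASK_ORDER if c in letters)


def denials_to_rules(log_text: str, profile: str = "/usr/sbin/sssd") -> List[str]:
    """One allow rule per denied path or capability for the given profile."""
    paths: Dict[str, str] = {}
    caps: Set[str] = set()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None or d.get("profile") != profile:
            continue
        if d.get("operation") == "capable":
            caps.add(d["capname"])
            continue
        name = d.get("name")
        if not name:
            continue  # signal/ptrace denials carry no path; not handled here
        rule_path = generalize_path(name)
        paths[rule_path] = merge_mask(paths.get(rule_path, ""), d.get("denied_mask", ""))
    cap_rules = [f"capability {c}," for c in sorted(caps)]
    file_rules = [f"{p} {m}," for p, m in sorted(paths.items())]
    return cap_rules + file_rules


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(denials_to_rules(text)))
```

Run it on a real machine with `journalctl -k | grep 'apparmor="DENIED"' | python3 denials_to_rules.py` (file name is the example's own). Treat the output as candidates to review, not rules to paste: the report's own final list shows the reporter dropping `capability net_admin,` and narrowing `/run/pcscd/* wr,` to `/{,var/}run/pcscd/pcscd.comm rw,`, and only the socket path, not a wildcard, is what the denial actually names.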
