pam_sss with smartcard auth does not create gnome keyring #5035

sssd-bot · 2020-05-02T13:59:44Z

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4067

Created at 2019-08-19 17:37:36 by sbose
Closed at 2019-08-23 18:53:24 as Fixed
Assigned to sbose
Associated bugzillas
- https://bugzilla.redhat.com/show_bug.cgi?id=1676385

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1676385

Description of problem:
I want to auto unlock the gnome keyring on login. If the 'login' keyring does
not exist it should be created using the smartcard PIN provided by the user as
password. This worked in RHEL7 with pam_pkcs11 but does not seem to work with
pam_sss, i get the following error:

gdm-smartcard][19194]: gkr-pam: no password is available for user

It seems like pam_sss does not let other pam modules use the provided PIN even
though 'forward_pass' is specified.


/etc/pam.d/gdm-smartcard:
auth        substack      smartcard-auth
auth        optional      pam_gnome_keyring.so
auth        include       postlogin

account     required      pam_nologin.so
account     include       smartcard-auth

password    include       smartcard-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     include       smartcard-auth
session     optional      pam_gnome_keyring.so auto_start
session     include       postlogin


Version-Release number of selected component (if applicable):
sssd-2.0.0-21.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Add pam_gnome_keyring to /etc/pam.d/gdm-smartcard
2. Login using pam_sss and smartcard
3.

Actual results:
'login' keyring is not created.

Expected results:
'login' keyring should be created using my smartcard PIN as password

Additional info: