Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4103
I am struggling to get smartcard authentication working on RHEL7, using sssd-1.16.4-21.el7 and krb5 PKINIT against Microsoft Active Directory KDCs.
When PKINIT is correctly configured in krb5.conf, multiple code paths in sssd wind up attempting to interact with the smartcard reader, including probing any inserted card.
This is a problem, because some reader/card combinations are slow enough to trigger internal timeouts in sssd.
For example, if you connect an SCM Microsystems SCR 3310 reader, and insert a CAC into it, sssd spends so long attempting to interact with the card that it completely breaks, reporting:
(Fri Oct 18 14:07:51 2019) [sssd[be[example.org]]] [dp_req_reply_std] (0x1000): DP Request [Subdomains #0]: Returning [Provider is Offline]: 1,1432158212,Offline
First, I would argue this is a bug. The provider didn't time out; sssd mistakenly thought it did because it failed to distinguish the time waiting for the provider versus the time it spent attempting to interact with the CAC.
Second, why is sssd attempting to interact with the card at startup? Or, for that matter, at any other time than when a PKINIT-eligible PAM service is called?
To avoid this, I had to apply these settings for the domain:
But again, I shouldn't have to do this. Running getent passwd foo shouldn't take 30 seconds (I timed it) versus a fraction of a second just because there is a smartcard inserted in the reader.
Is this an issue that has been addressed in later versions of sssd? sssd-1.16.4-21.el7 is pretty old at this point, I know, but I am stuck with RHEL7; I cannot move to RHEL8 yet.
Thanks.
Comments
Comment from sbose at 2019-10-21 10:55:42
Hi,
I assume you have set pkinit_identities in your /etc/krb5.conf, in this case a related issue was reported in https://bugzilla.redhat.com/show_bug.cgi?id=1704199 as well.
The reason is that SSSD's helper program ldap_child uses the given Kerberos configuration to request a ticket to access the LDAP service. With pkinit_identities set and krb5-pkinit installed libkrb5 will check if PKINIT is available.
This is currently not fixed in any version, but as a workaround you can either remove pkinit_identities from /etc/krb5.conf. Or if you prefer to keep it to make manual kinit easier you can run SSSD with an individual Kerberos configuration. For this
copy /etc/krb5.conf to e.g. /etc/krb5.conf.sss and remove pkinit_identities from the copy
add KRB5_CONFIG=/etc/krb5.conf.sssd to /etc/sysconfig/sssd
HTH
bye,
Sumit
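The workaround described in the comment above, as an added shell example that is not part of SSSD and was not posted in this thread. It gives SSSD its own Kerberos configuration with every pkinit_identities line removed (in [libdefaults] and inside per-realm blocks alike), so that ldap_child never loads the PKINIT client plugin and never touches the smartcard, and it points the service at that copy through /etc/sysconfig/sssd. The script assumes the RHEL 7 layout the comment refers to (/etc/krb5.conf, and /etc/sysconfig/sssd read as the service's environment file), uses /etc/krb5.conf.sssd as the name of the copy so that it matches the KRB5_CONFIG line, and, for the stand-alone run, operates on a krb5.conf constructed here in a scratch directory rather than on the real files.

```shell
#!/bin/sh
# Added example implementing the comment's workaround; not SSSD's own code.
# Assumptions: RHEL 7 paths (/etc/krb5.conf, /etc/sysconfig/sssd), and the
# copy is named /etc/krb5.conf.sssd, matching the KRB5_CONFIG value written.
set -eu

# Copy SRC to DST, dropping every pkinit_identities line wherever it occurs
# (top-level [libdefaults] or inside a realm's { } block in [realms]).
# Every other setting, including pkinit_anchors, is left exactly as it was.
strip_pkinit_identities() {
    src=$1; dst=$2
    sed -e '/^[[:space:]]*pkinit_identities[[:space:]]*=/d' "$src" > "$dst"
    chmod 644 "$dst"
}

# Write KRB5_CONFIG=<conf> into the sysconfig file read by sssd.service.
# Idempotent: any existing KRB5_CONFIG= line is dropped before the new one is
# appended, so repeated runs never leave two competing assignments.
set_sssd_krb5_config() {
    sysconfig=$1; conf=$2
    tmp=$(mktemp)
    if [ -f "$sysconfig" ]; then
        grep -v '^KRB5_CONFIG=' "$sysconfig" > "$tmp" || true
    fi
    printf 'KRB5_CONFIG=%s\n' "$conf" >> "$tmp"
    chmod 644 "$tmp"
    mv "$tmp" "$sysconfig"
}

# Checks a practitioner would run afterwards: exit status 0 means "yes".
has_pkinit_identities() { grep -q '^[[:space:]]*pkinit_identities[[:space:]]*=' "$1"; }
krb5_config_line() { grep '^KRB5_CONFIG=' "$1"; }

# Stand-alone demonstration on a constructed krb5.conf in a scratch directory.
# Replace $work/krb5.conf, $work/krb5.conf.sssd and $work/sysconfig-sssd with
# /etc/krb5.conf, /etc/krb5.conf.sssd and /etc/sysconfig/sssd (as root) to
# apply it for real.
demo() {
    work=$(mktemp -d)
    # Constructed sample: pkinit_identities set both globally and per realm,
    # as a PKINIT-for-AD krb5.conf commonly has it.
    cat > "$work/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    pkinit_identities = PKCS11:opensc-pkcs11.so
    pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt

[realms]
    EXAMPLE.ORG = {
        kdc = dc1.example.org
        pkinit_identities = PKCS11:opensc-pkcs11.so
        pkinit_anchors = DIR:/etc/pki/pkinit-anchors
    }
EOF
    : > "$work/sysconfig-sssd"

    strip_pkinit_identities "$work/krb5.conf" "$work/krb5.conf.sssd"
    set_sssd_krb5_config "$work/sysconfig-sssd" "$work/krb5.conf.sssd"
    set_sssd_krb5_config "$work/sysconfig-sssd" "$work/krb5.conf.sssd"  # second run: no duplicate line

    if has_pkinit_identities "$work/krb5.conf.sssd"; then
        echo "pkinit_identities still present in the copy" >&2
        exit 1
    fi
    echo "--- $work/krb5.conf.sssd ---"; cat "$work/krb5.conf.sssd"
    echo "--- $work/sysconfig-sssd ---"; cat "$work/sysconfig-sssd"
}

demo
```

After applying this to the real paths, restart the service (systemctl restart sssd) and repeat the timing check from the report (getent passwd for a domain user with the card inserted). Two caveats a practitioner should keep in mind: the copy does not track later edits to /etc/krb5.conf, so new realms, KDC addresses or CA settings have to be re-applied to /etc/krb5.conf.sssd as well; and only pkinit_identities is removed, because that is the setting the comment identifies as the trigger, so interactive kinit with the card keeps working from the unchanged /etc/krb5.conf.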
Comment from thalman at 2020-03-13 15:27:03
Metadata Update from @thalman: