slow smartcard interactions break sssd when PKINIT is configured #5067

Closed
sssd-bot opened this issue May 2, 2020 · 1 comment
sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/4103

  • Created at 2019-10-18 21:34:51 by ralston
  • Assigned to nobody

I am struggling to get smartcard authentication working on RHEL7, using sssd-1.16.4-21.el7 and krb5 PKINIT against Microsoft Active Directory KDCs.

When PKINIT is correctly configured in krb5.conf, multiple code paths in sssd wind up attempting to interact with the smartcard reader, including probing any inserted card.

This is a problem, because some reader/card combinations are slow enough to trigger internal timeouts in sssd.

For example, if you connect an SCM Microsystems SCR 3310 reader, and insert a CAC into it, sssd spends so long attempting to interact with the card that it completely breaks, reporting:

(Fri Oct 18 14:07:51 2019) [sssd[be[example.org]]] [dp_req_reply_std] (0x1000): DP Request [Subdomains #0]: Returning [Provider is Offline]: 1,1432158212,Offline

First, I would argue this is a bug. The provider didn't time out; sssd mistakenly thought it did because it failed to distinguish the time waiting for the provider versus the time it spent attempting to interact with the CAC.

Second, why is sssd attempting to interact with the card at startup? Or, for that matter, at any other time than when a PKINIT-eligible PAM service is called?

To avoid this, I had to apply these settings for the domain:

ldap_search_timeout = 60
ldap_network_timeout = 60
ldap_opt_timeout = 60

But again, I shouldn't have to do this. Running getent passwd foo shouldn't take 30 seconds (I timed it) versus a fraction of a second just because there is a smartcard inserted in the reader.

Is this an issue that has been addressed in later versions of sssd? sssd-1.16.4-21.el7 is pretty old at this point, I know, but I am stuck with RHEL7; I cannot move to RHEL8 yet.

Thanks.

Comments


Comment from sbose at 2019-10-21 10:55:42

Hi,

I assume you have set pkinit_identities in your /etc/krb5.conf; in this case a related issue was reported in https://bugzilla.redhat.com/show_bug.cgi?id=1704199 as well.

The reason is that SSSD's helper program ldap_child uses the given Kerberos configuration to request a ticket to access the LDAP service. With pkinit_identities set and krb5-pkinit installed, libkrb5 will check if PKINIT is available.

This is currently not fixed in any version, but as a workaround you can either remove pkinit_identities from /etc/krb5.conf, or, if you prefer to keep it to make manual kinit easier, you can run SSSD with an individual Kerberos configuration. For this:

  • copy /etc/krb5.conf to e.g. /etc/krb5.conf.sssd and remove pkinit_identities from the copy
  • add KRB5_CONFIG=/etc/krb5.conf.sssd to /etc/sysconfig/sssd
  • restart SSSD

HTH

bye,
Sumit
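The workaround described in the comment above, as an added shell example that is not from the ticket or the SSSD project. The file paths are function parameters so the steps can be rehearsed on copies before touching the real /etc/krb5.conf and /etc/sysconfig/sssd; the restart step assumes a systemd host with an sssd unit, and the sample pkinit_identities value in the dry run is constructed.

```shell
#!/bin/sh
# Added example: give SSSD a private krb5.conf without pkinit_identities so
# that ldap_child never probes the smartcard when it fetches its LDAP ticket.
# Not code from the SSSD project; paths are parameters for dry runs.

# krb5_conf_has_pkinit FILE
# Exit 0 if FILE sets pkinit_identities anywhere (leading whitespace allowed).
krb5_conf_has_pkinit() {
    grep -q '^[[:space:]]*pkinit_identities[[:space:]]*=' "$1"
}

# make_sssd_krb5_conf SRC DST
# Copy SRC to DST with every pkinit_identities line removed; everything
# else (realms, default_realm, includedir lines) is kept verbatim.
make_sssd_krb5_conf() {
    src=$1
    dst=$2
    [ -f "$src" ] || return 1
    sed '/^[[:space:]]*pkinit_identities[[:space:]]*=/d' "$src" > "$dst"
    chmod 644 "$dst"
}

# set_sssd_krb5_config SYSCONFIG CONF
# Make SYSCONFIG (normally /etc/sysconfig/sssd) carry exactly one
# KRB5_CONFIG=CONF line: replace an existing one, otherwise append.
set_sssd_krb5_config() {
    sysconfig=$1
    conf=$2
    touch "$sysconfig"
    if grep -q '^KRB5_CONFIG=' "$sysconfig"; then
        tmp=$(mktemp)
        sed "s|^KRB5_CONFIG=.*|KRB5_CONFIG=$conf|" "$sysconfig" > "$tmp"
        mv "$tmp" "$sysconfig"
    else
        printf 'KRB5_CONFIG=%s\n' "$conf" >> "$sysconfig"
    fi
}

# Apply for real only when invoked as: sh this_script.sh --apply
if [ "${1-}" = "--apply" ]; then
    if ! krb5_conf_has_pkinit /etc/krb5.conf; then
        echo "no pkinit_identities in /etc/krb5.conf, nothing to do"
        exit 0
    fi
    make_sssd_krb5_conf /etc/krb5.conf /etc/krb5.conf.sssd
    set_sssd_krb5_config /etc/sysconfig/sssd /etc/krb5.conf.sssd
    # Last step from the workaround: restart SSSD so it picks up KRB5_CONFIG.
    systemctl restart sssd
fi
```

Running the script without --apply only defines the functions, so it can be sourced and exercised against copies of the two files first; the only effect on the host's own Kerberos setup is the environment variable SSSD's processes inherit, so interactive kinit keeps using /etc/krb5.conf unchanged.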


Comment from thalman at 2020-03-13 15:27:03

Metadata Update from @thalman:

  • Issue tagged with: Future milestone
Comment from sumit-bose (Contributor):

Hi,

this was fixed by 580d618 in the context of https://pagure.io/SSSD/sssd/issue/4126

Closing this ticket here.

bye,
Sumit
