GDM password prompt when cert mapped to multiple users and promptusername is False #5190

sumit-bose · 2020-06-03T18:44:56Z

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1507683

Description of problem:

Smart Card login to GDM on IPA client with certificate mapped to multiple users
is behaving unexpectedly when promptusername is set to False.  When I insert
the card and GDM at login screen, it blanks.  Then it goes to a "Password"
prompt.  There is no indication of which user this is for.

Version-Release number of selected component (if applicable):
gdm-3.22.3-12.el7.x86_64
sssd-1.15.2-50.el7_4.6.x86_64
ipa-client-4.5.0-21.el7_4.2.2.x86_64


How reproducible:
always on my local test VMs.

Steps to Reproduce:
1. Setup IPA server and client with smart card cert mapped to two users

2. set promptusername to false

ipa certmapconfig-mod --promptusername=False

3. Connect smart card reader to client and insert card

Actual results:

password prompt

Expected results:

error message or simply return to user list login screen.

Additional info:

The text was updated successfully, but these errors were encountered:

sumit-bose · 2020-06-03T18:46:54Z

Issue linked to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1507683

sumit-bose · 2020-06-03T18:47:31Z

Issue linked to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1551077

Resolves: SSSD#5190 (cherry picked with changes from commit 8db6c6c)

The gdm-smartcard service is special since it is triggered by the presence of a Smartcard and even in the case of an error it will immediately try again. To break this loop we should ask for an user input and asking for a PIN is most straight forward and would show the same behavior as pam_pkcs11. Additionally it does not make sense to fall back the a password prompt for gdm-smartcard so also here a PIN prompt should be shown. Resolves: SSSD#5190 (cherry picked with changes from commit f1cebb7)

Resolves: SSSD#5190

The gdm-smartcard service is special since it is triggered by the presence of a Smartcard and even in the case of an error it will immediately try again. To break this loop we should ask for an user input and asking for a PIN is most straight forward and would show the same behavior as pam_pkcs11. Additionally it does not make sense to fall back the a password prompt for gdm-smartcard so also here a PIN prompt should be shown. Resolves: SSSD#5190

Resolves: SSSD#5190 (cherry picked with changes from commit 8db6c6c)

The gdm-smartcard service is special since it is triggered by the presence of a Smartcard and even in the case of an error it will immediately try again. To break this loop we should ask for an user input and asking for a PIN is most straight forward and would show the same behavior as pam_pkcs11. Additionally it does not make sense to fall back the a password prompt for gdm-smartcard so also here a PIN prompt should be shown. Resolves: SSSD#5190 (cherry picked with changes from commit f1cebb7)

The gdm-smartcard service is special since it is triggered by the presence of a Smartcard and even in the case of an error it will immediately try again. To break this loop we should ask for an user input and asking for a PIN is most straight forward and would show the same behavior as pam_pkcs11. Additionally it does not make sense to fall back the a password prompt for gdm-smartcard so also here a PIN prompt should be shown. Resolves: #5190 Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

pbrezina · 2020-06-05T09:01:09Z

Pushed PR: #5192

master
- 3ed2547 - pam_sss: special handling for gdm-smartcard
- 26c794d - pam_sss: add SERVICE_IS_GDM_SMARTCARD

Resolves: #5190 (cherry picked with changes from commit 26c794d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

The gdm-smartcard service is special since it is triggered by the presence of a Smartcard and even in the case of an error it will immediately try again. To break this loop we should ask for an user input and asking for a PIN is most straight forward and would show the same behavior as pam_pkcs11. Additionally it does not make sense to fall back the a password prompt for gdm-smartcard so also here a PIN prompt should be shown. Resolves: #5190 (cherry picked with changes from commit 3ed2547) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

pbrezina · 2020-06-05T09:09:40Z

Pushed PR: #5193

sssd-1-16
- 5b727ab156d4efc84e41b3306898102a8e572a05 - pam_sss: special handling for gdm-smartcard
- 77e44c3a67f58b776a0f505bbdba9718f4e1d714 - pam_sss: add SERVICE_IS_GDM_SMARTCARD

alexey-tikhonov · 2020-06-05T16:33:18Z

Pushed PR: #5193

* `sssd-1-16`
  
  * 5b727ab156d4efc84e41b3306898102a8e572a05 - pam_sss: special handling for gdm-smartcard
  * 77e44c3a67f58b776a0f505bbdba9718f4e1d714 - pam_sss: add SERVICE_IS_GDM_SMARTCARD

Seems proper hashes are:

alexey-tikhonov · 2020-06-10T14:40:15Z

RHEL8 BZs:

To avoid that certificates will be shown in the certificate selection which are not available anymore they must be remove before a new request to look up the certificates is send to SSSD's PAM responder. Resolves: SSSD#5190

To avoid that certificates will be shown in the certificate selection which are not available anymore they must be remove before a new request to look up the certificates is send to SSSD's PAM responder. Resolves: #5190 Reviewed-by: Pavel Březina <pbrezina@redhat.com>

pbrezina · 2020-06-24T14:17:48Z

Pushed PR: #5212

master
- 31e5743 - pam_sss: make sure old certificate data is removed before retry

Resolves: SSSD#5190 (cherry picked with changes from commit 26c794d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

The gdm-smartcard service is special since it is triggered by the presence of a Smartcard and even in the case of an error it will immediately try again. To break this loop we should ask for an user input and asking for a PIN is most straight forward and would show the same behavior as pam_pkcs11. Additionally it does not make sense to fall back the a password prompt for gdm-smartcard so also here a PIN prompt should be shown. Resolves: SSSD#5190 (cherry picked with changes from commit 3ed2547) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

Resolves: SSSD#5190 (cherry picked with changes from commit 26c794d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

The gdm-smartcard service is special since it is triggered by the presence of a Smartcard and even in the case of an error it will immediately try again. To break this loop we should ask for an user input and asking for a PIN is most straight forward and would show the same behavior as pam_pkcs11. Additionally it does not make sense to fall back the a password prompt for gdm-smartcard so also here a PIN prompt should be shown. Resolves: SSSD#5190 (cherry picked with changes from commit 3ed2547) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

alexey-tikhonov assigned sumit-bose Jun 3, 2020

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Jun 4, 2020

pam_sss: add SERVICE_IS_GDM_SMARTCARD

8dec17f

Resolves: SSSD#5190 (cherry picked with changes from commit 8db6c6c)

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Jun 4, 2020

pam_sss: add SERVICE_IS_GDM_SMARTCARD

8db6c6c

Resolves: SSSD#5190

sumit-bose mentioned this issue Jun 4, 2020

pam_sss: special handling for gdm-smartcard #5192

Closed

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Jun 5, 2020

pam_sss: add SERVICE_IS_GDM_SMARTCARD

3196333

Resolves: SSSD#5190 (cherry picked with changes from commit 8db6c6c)

sumit-bose mentioned this issue Jun 5, 2020

pam_sss: special handling for gdm-smartcard (sssd-1-16) #5193

Closed

pbrezina closed this as completed in 26c794d Jun 5, 2020

pbrezina added the Closed: Fixed Issue was closed as fixed. label Jun 5, 2020

pbrezina pushed a commit that referenced this issue Jun 5, 2020

pam_sss: add SERVICE_IS_GDM_SMARTCARD

89e9444

Resolves: #5190 (cherry picked with changes from commit 26c794d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

alexey-tikhonov added the Bugzilla label Jun 10, 2020

sumit-bose mentioned this issue Jun 19, 2020

pam_sss: make sure old certificate data is removed before retry #5212

Closed

etrunko pushed a commit to etrunko/sssd that referenced this issue Nov 16, 2023

pam_sss: add SERVICE_IS_GDM_SMARTCARD

efb24da

Resolves: SSSD#5190 (cherry picked with changes from commit 26c794d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

etrunko pushed a commit to etrunko/sssd that referenced this issue Nov 16, 2023

pam_sss: add SERVICE_IS_GDM_SMARTCARD

44e3cae

Resolves: SSSD#5190 (cherry picked with changes from commit 26c794d) Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GDM password prompt when cert mapped to multiple users and promptusername is False #5190

GDM password prompt when cert mapped to multiple users and promptusername is False #5190

sumit-bose commented Jun 3, 2020

sumit-bose commented Jun 3, 2020

sumit-bose commented Jun 3, 2020

pbrezina commented Jun 5, 2020

pbrezina commented Jun 5, 2020

alexey-tikhonov commented Jun 5, 2020

alexey-tikhonov commented Jun 10, 2020 •

edited

Loading

pbrezina commented Jun 24, 2020

GDM password prompt when cert mapped to multiple users and promptusername is False #5190

GDM password prompt when cert mapped to multiple users and promptusername is False #5190

Comments

sumit-bose commented Jun 3, 2020

sumit-bose commented Jun 3, 2020

sumit-bose commented Jun 3, 2020

pbrezina commented Jun 5, 2020

pbrezina commented Jun 5, 2020

alexey-tikhonov commented Jun 5, 2020

alexey-tikhonov commented Jun 10, 2020 • edited Loading

pbrezina commented Jun 24, 2020

alexey-tikhonov commented Jun 10, 2020 •

edited

Loading