SSSD upgrade breaking p11_child and smartcard stops working

Bug #1981289 reported by rajeev agrawal
Affects         Status        Importance   Assigned to                 Milestone
sssd (Ubuntu)   Incomplete    Undecided    Marco Trevisan (Treviño)
Focal           In Progress   Medium       Unassigned

Bug Description

Facing an issue with using a smartcard for Active Directory users after upgrading the SSSD packages from sssd_2.2.3-3_amd64.deb to sssd_2.2.3-3ubuntu0.8_amd64.deb.

Also, we are facing an issue where sssd crashes if we upgrade only the samba packages and not the sssd packages.

We tried the steps mentioned as part of the bug below:
Reference: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563/comments/4

Tried the solutions below:
1) Updating the certificate path:
/etc/sssd/sssd.conf

[pam]
pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt

2)

add any mapping/filter rules to the /etc/sssd/sssd.conf for p11_child
update /usr/share/pam-configs/sss to Priority 800, rebuild pam stack, dpkg-divert /usr/share/pam-configs/sss
add the root and issuing certs to /usr/local/share/ca-certificates, rebuild system trust store
generate a new, empty nssdb
/usr/bin/certutil -N -d sql:/etc/pki/nssdb --empty-password
when adding the certs to nssdb, only add the Issuing CA WITH CT,C,C flags
certutil -A -d /etc/pki/nssdb -n issuingCA.crt -t "CT,C,C" -i /usr/local/share/ca-certificates/issuingCA.pem
enable OpenSC
modutil -force -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so
test PKI auth works
login or:
/usr/libexec/sssd/p11_child --nssdb=/etc/pki/nssdb --pre -d 10 --debug-fd=1 --verify no_ocsp
perform upgrade to latest sssd
verify the /etc/sssd/pki/sssd_auth_ca_db.pem is populated only with the issuingCA
test p11_child to see if it breaks
/usr/libexec/sssd/p11_child --debug-microseconds=0 --debug-timestamps=1 --debug-fd=23 --debug-level=0xf7f0 --pre --verify no_ocsp --nssdb /etc/sssd/pki/sssd_auth_ca_db.pem
fix it:

add the /usr/local/share/ca-certificates/rootCA.pem >> /etc/sssd/pki/sssd_auth_ca_db.pem
run p11_child again, observe that it works
try to login
Brick your system procedure:
After above test procedure works:

configure for MFA on old sssd
populate the below to /usr/share/pam-configs/sss-smartcardonly
pam-auth-update --package --enable sss-smartcardonly --remove sss --force
verify only smart card is allowed to login
apt upgrade
reboot, login no longer allowed
Note that SSHing into the system may be allowed, depending on ssh configuration and whether sss_ssh_authorizedkeys is enabled.

Name: SSS authentication - Requires Smartcard
Default: yes
Conflicts: sss
Priority: 800

Auth-Type: Primary
Auth:
[success=end default=ignore] pam_sss.so use_first_pass require_cert_auth
Auth-Initial:
[success=end default=ignore] pam_sss.so forward_pass require_cert_auth
Account-Type: Additional
Account:
sufficient pam_localuser.so
[default=bad success=ok user_unknown=ignore] pam_sss.so
Session-Type: Additional
Session-Interactive-Only: yes
Session:
optional pam_sss.so
Password-Type: Primary
Password:
sufficient pam_sss.so use_authtok
Password-Initial:
sufficient pam_sss.so

3) After trying the 2nd solution: the issue was that the certificate was not recognized.
Fixed the certificate issue by moving the certificates to the DHC path.

It is not able to read the token information, hence it is not detecting the certificate during login.

Can you please help us find out if we are missing anything?

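The fix the report ends on is that /etc/sssd/pki/sssd_auth_ca_db.pem only held the issuing CA and p11_child only worked again once rootCA.pem was appended. The following added example (not code from the report or from sssd) is a stand-alone check for that condition: it walks a PEM bundle with a minimal DER parser and reports every issuer that a certificate in the bundle references but the bundle does not contain. The two sample bundles are constructed, unsigned stand-ins that only mimic X.509 structure, so the check runs offline; on a real system you would feed it the contents of the bundle path from the report.

```python
import base64
import re

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length (real certs use this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _names(der):
    """Return (issuer, subject) as raw DER Name bytes from one certificate."""
    _, pos, _ = _tlv(der, 0)                    # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                  # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                        # optional [0] EXPLICIT version
        pos = _tlv(der, pos)[2]
    pos = _tlv(der, pos)[2]                     # serialNumber
    pos = _tlv(der, pos)[2]                     # signature AlgorithmIdentifier
    issuer = der[pos:_tlv(der, pos)[2]]         # issuer Name
    pos = _tlv(der, pos + len(issuer))[2]       # validity
    return issuer, der[pos:_tlv(der, pos)[2]]   # subject Name

def _cn(name):
    pos = 0
    for _ in range(3):                          # Name SEQ -> first RDN SET -> AttributeTypeAndValue SEQ
        pos = _tlv(name, pos)[1]
    _, vs, ve = _tlv(name, _tlv(name, pos)[2])  # skip the type OID, read the value
    return name[vs:ve].decode()

def pem_certs(text):
    """DER bytes of every CERTIFICATE block in a PEM bundle."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode(b) for b in re.findall(pat, text, re.S)]

def missing_issuers(bundle_pem):
    """CNs of issuers that certs in the bundle reference but the bundle does not contain."""
    certs = [_names(d) for d in pem_certs(bundle_pem)]
    subjects = {subj for _, subj in certs}
    return [_cn(iss) for iss, subj in certs if iss != subj and iss not in subjects]

# Constructed, unsigned stand-ins for real certificates (structure only, not valid X.509).
def _der(tag, body):
    return bytes([tag, len(body)]) + body       # short-form length; every body here is < 128 bytes
def _name(cn):                                  # Name ::= SEQ { SET { SEQ { OID 2.5.4.3, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _der(0x02, b"\x01") + _der(0x30, b"") + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn)
    der = _der(0x30, _der(0x30, tbs))
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

ISSUING_ONLY = fake_cert_pem("issuingCA", "rootCA")           # what the upgrade left in sssd_auth_ca_db.pem
FULL_CHAIN = ISSUING_ONLY + fake_cert_pem("rootCA", "rootCA")  # after appending rootCA.pem
```

An empty result means every chain in the bundle terminates in a certificate the bundle holds; a non-empty result names the CA that still has to be appended before p11_child can build the chain.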
Marco Trevisan (Treviño) (3v1n0) wrote :

Ok, so we need to backport the fixes for focal that landed upstream, and then the configuration value can be set to `certification_verification = partial_chain`

rajeev agrawal (omap4430) wrote :

Yes, we need to backport, as currently the p11_child functionality is broken.
If we can do that, it will resolve the smartcard issues.

Paride Legovini (paride) wrote :

Hello Rajeev,

Just double checking: you mention that you hit the bug "upgrading the SSSD packages from sssd_2.2.3-3_amd64.deb to sssd_2.2.3-3ubuntu0.8_amd64.deb". So am I right in that:

- The package was working fine on Focal (version 2.2.3-3)
- You enabled security updates and installed 2.2.3-3ubuntu0.8
- You hit this bug (so this is a security regression)

Thanks.

Changed in sssd (Ubuntu):
status: New → Incomplete
rajeev agrawal (omap4430) wrote :

Yes, correct, this is a security regression bug.

Lena Voytek (lvoytek)
Changed in sssd (Ubuntu Focal):
status: New → Confirmed
Lena Voytek (lvoytek)
tags: added: regression-update
rajeev agrawal (omap4430) wrote :

Any update on when we can get the fix for this issue?

Changed in sssd (Ubuntu):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in sssd (Ubuntu Focal):
status: Confirmed → In Progress
importance: Undecided → High
importance: High → Medium