RHEL-4976

[RFE] Continue searching other PKCS#11 tokens if certificates are not found


    • sssd-2.11.0-1.el10
    • Moderate
    • rhel-idm-sssd
    • ssg_idm
    • RHELs: 10.1, 9.7

      Description of problem:

      If users have multiple hardware tokens inserted in the system at the same time, SSSD only checks one of these tokens for a certificate that can be used for authentication. If it does not find one, it fails to examine the other hardware tokens for a valid certificate.

      While SSSD can be configured to only use a token in a specific reader (with the p11_uri configuration option in sssd.conf), this is not workable in practice. Different users may not even be capable of utilizing the same reader on the system, as their tokens may take different form factors.

      This problem has been identified upstream: https://github.com/SSSD/sssd/issues/5025

      Version-Release number of selected component (if applicable):
      sssd-2.4.0-9.el8_4.1.x86_64 (currently affects upstream SSSD as well)

      How reproducible:
      Always

      Steps to Reproduce:
      1. Configure a system to perform smart card authentication using SSSD.
      2. Insert two separate smart cards into separate smart card readers. One smart card should contain a certificate that SSSD can use for authentication. The other smart card should NOT.
      3. Attempt to authenticate to the system after booting, logging out, or locking the screen. If the system prompts for the smart card PIN at this point, then remove both smart cards, and insert each card in the opposite smart card reader.

      Actual results:
      The system does not prompt the user for the smart card PIN, since SSSD does not recognize that a valid certificate is present on one of the smart cards.

      Expected results:
      SSSD should detect that a valid certificate is present, and ask the user to authenticate to the smart card on which that certificate resides.
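The token-selection behaviour the report describes, modelled as an added example. This is constructed code, not SSSD's implementation: it represents each PKCS#11 token as a dict of RFC 7512 path attributes plus the certificates it holds, parses a pkcs11: URI of the kind sssd.conf's p11_uri option accepts, and contrasts a search that stops at the first matching token (the reported behaviour) with one that continues through every token until it finds a certificate (the requested behaviour). The reader names, token labels and certificate subject are invented sample data.

```python
"""Model of the token search discussed in RHEL-4976 (constructed example, not SSSD code)."""
from urllib.parse import unquote

# Constructed sample matching the reproduction steps: two readers, only the
# second card carries a certificate usable for authentication.
TOKENS = [
    {"slot-description": "Reader A", "token": "Card without cert",
     "manufacturer": "ACME", "certs": []},
    {"slot-description": "Reader B", "token": "Card with cert",
     "manufacturer": "ACME", "certs": ["CN=alice,O=Example"]},
]


def parse_pkcs11_uri(uri):
    """Parse the path attributes of an RFC 7512 PKCS#11 URI into a dict.

    'pkcs11:token=Card%20with%20cert;slot-description=Reader%20B' becomes
    {'token': 'Card with cert', 'slot-description': 'Reader B'}.
    Query attributes after '?' (e.g. pin-value) are ignored here; a bare
    'pkcs11:' has no path attributes and therefore matches every token.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        attrs[key] = unquote(value)  # RFC 7512 percent-encodes spaces etc.
    return attrs


def token_matches(token, filter_attrs):
    """A token matches when every attribute named in the URI equals its value."""
    return all(token.get(key) == value for key, value in filter_attrs.items())


def _certs_on(token):
    return [(token["slot-description"], cert) for cert in token["certs"]]


def first_token_only(tokens, p11_uri="pkcs11:"):
    """Reported behaviour: examine only the first token matching p11_uri.

    If that token holds no usable certificate the search ends, even though
    a later token might hold one.
    """
    wanted = parse_pkcs11_uri(p11_uri)
    for token in tokens:
        if token_matches(token, wanted):
            return _certs_on(token)
    return []


def search_all_tokens(tokens, p11_uri="pkcs11:"):
    """Requested behaviour: continue through every matching token until a
    certificate is found; return [] only if no matching token has one."""
    wanted = parse_pkcs11_uri(p11_uri)
    for token in tokens:
        if token_matches(token, wanted):
            found = _certs_on(token)
            if found:
                return found
    return []


if __name__ == "__main__":
    # Step 3 of the reproduction: the outcome of the old search depends on
    # which reader the card with the certificate happens to sit in.
    for order, tokens in (("as inserted", TOKENS), ("swapped", list(reversed(TOKENS)))):
        print(order, "first-token-only:", first_token_only(tokens),
              "search-all:", search_all_tokens(tokens))
    # Restricting p11_uri to one reader still limits the search, as the report notes.
    print("restricted to Reader A:", search_all_tokens(TOKENS, "pkcs11:slot-description=Reader%20A"))
```

Running the script shows the first-token-only search returning nothing when the empty card is enumerated first and succeeding after the cards are swapped, while the search over all tokens finds the certificate in either order; pinning p11_uri to a single slot-description (the workaround the report calls unworkable) again loses the certificate whenever it sits in the other reader.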

              atikhono@redhat.com Alexey Tikhonov
              dpward-mitll David Ward (Inactive)
              SSSD Maintainers SSSD Maintainers
              Scott Poore Scott Poore