- Bug
- Resolution: Done-Errata
- Major
- rhel-9.5
- sssd-2.9.5-4.el9_5.1
- Yes
- Low
- ZStream, 0day
- rhel-sst-idm-sssd
- ssg_idm
- 1
- False
- None
- None
- Pass
- Automated
- None
Cloned from https://github.com/SSSD/sssd/issues/7532
```
We are starting to run into some issues with offline smart card authentication with EL9/CS9 systems. Currently I have a CS9 laptop that when I brought it home I could no longer log in - I get a "Please (re)insert (different) smartcard" message.
...
here's the difference:
- ldbsearch -H /var/lib/sss/db/cache_nwra.com.ldb name=orion@ad.nwra.com | grep -Fi auth
asq: Unable to register control with rootdse!
localPasskeyAuth: FALSE
lastOnlineAuth: 1722860790
lastOnlineAuthWithCurrentToken: 1722860790
localSmartcardAuth: FALSE
on the working system localSmartcardAuth is TRUE. Why would that be different?
```
From sbose@redhat.com :
```
If there is no Smartcard inserted and a different authentication method is used, the localSmartcardAuth attribute is set to FALSE. The reason is that even if the KDC indicates that Smartcard based authentication (pkinit) is possible, the pkinit plugin calls our callback only if a Smartcard or similar is present.
So we either have to find a way to see if the KDC offers pkinit or we should not overwrite localSmartcardAuth unconditionally.
```
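An added example, not part of the original issue and not SSSD code: a small Python check that reads `ldbsearch` output from the SSSD cache and lists cached users whose `localSmartcardAuth` is FALSE, the state reported on the failing system above. The record layout it expects and the sample users and DNs are constructed assumptions.

```python
import sys

# Cache attributes worth keeping; the auth attributes appear in the issue's output.
WANTED = {"dn", "name", "localSmartcardAuth", "lastOnlineAuth",
          "lastOnlineAuthWithCurrentToken"}

# Constructed sample (users and DNs are made up), shaped like ldbsearch output.
SAMPLE = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=alice@example.test,cn=users,cn=example.test,cn=sysdb
name: alice@example.test
lastOnlineAuth: 1722860790
localSmartcardAuth: TRUE

# record 2
dn: name=bob@example.test,cn=users,cn=example.test,cn=sysdb
name: bob@example.test
lastOnlineAuth: 1722860790
localSmartcardAuth: FALSE

# returned 2 records
"""

def parse_records(text):
    """Split ldbsearch output into one dict of wanted attributes per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # a blank line ends a record
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(": ")
        # Skips comments, the "asq:" warning, continuation and base64 lines.
        if sep and key in WANTED:
            current[key] = value.strip()
    if current:                         # grep-filtered input has no blank lines
        records.append(current)
    return records

def smartcard_offline_disabled(records):
    """Return the users whose cached localSmartcardAuth flag is FALSE."""
    return [r.get("name") or r.get("dn") or "<unknown>"
            for r in records
            if r.get("localSmartcardAuth", "").upper() == "FALSE"]

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for user in smartcard_offline_disabled(parse_records(text)):
        print(f"localSmartcardAuth is FALSE for {user}")
```

Piping real `ldbsearch` output into the script replaces the built-in sample; run it while the machine is still online to see which cached users are in the state described in the report.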
- links to RHBA-2024:139426 sssd update