I'm not having any luck using smart card auth on an IPA joined Ubuntu 18.04 system. It appears that pam is not properly configured, and in particular I don't see "allow_missing_name" in use:
/etc/pam.d/common-auth:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
although if I add allow_missing_name to that line, it doesn't seem to help. I don't see any SSS_PAM_PREAUTH activity in the sssd_pam.log.
Any pointers?
Thanks!
- Orion
On Fri, Feb 01, 2019 at 02:20:21PM -0700, Orion Poplawski wrote:
> I'm not having any luck using smart card auth on an IPA joined Ubuntu 18.04 system. It appears that pam is not properly configured, and in particular I don't see "allow_missing_name" in use:
> /etc/pam.d/common-auth:
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_sss.so use_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so
> auth optional pam_cap.so
> although if I add allow_missing_name to that line, it doesn't seem to help. I don't see any SSS_PAM_PREAUTH activity in the sssd_pam.log.
> Any pointers?
I'm not the biggest expert in this area of sssd, but looking at the code, the preauth is sent if:
 - there is no password on the stack
 - the file /var/lib/sss/pubconf/pam_preauth_available exists
I guess the file would be easy to check, it should be created unconditionally with the IPA provider.
About the PAM stack, the way I read it, the password would always be read by the pam_unix.so module and the use_first_pass flag would always use that password.
On Fedora, the PAM stack is laid out a bit differently, pam_unix only reads the passwords if the user is a local one:
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
I guess the easiest way to test if the PAM stack is the culprit would be to create a new PAM service:
$ cat /etc/pam.d/sss_test
auth required pam_sss.so
and then call:
# sssctl user-checks -a auth -s sss_test $username
HTH
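An added check, not code from the thread or from sssd, that tests the reply's two conditions against a PAM service file and the pubconf directory: whether an earlier pam_unix.so line already consumed the password before pam_sss.so runs with use_first_pass, and whether the pam_preauth_available marker exists. Function names are mine; the two sample stacks are the ones quoted in the thread, written to a temporary directory so the check runs offline.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Function names are constructed.

# Print "module args..." for every auth line of a PAM service file, with
# comments stripped. Bracketed control fields such as "[success=2 default=ignore]"
# contain spaces, so the module is found as the first field ending in ".so".
auth_lines() {
    sed -e 's/#.*//' "$1" | awk '$1 == "auth" {
        for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) {
            line = $i; for (j = i + 1; j <= NF; j++) line = line " " $j
            print line; break
        }
    }'
}

# "blocked": pam_sss.so uses use_first_pass after an earlier pam_unix.so already
#            prompted for the password, so sssd never gets to send the preauth.
# "ok":      pam_sss.so reaches the user with no password on the stack.
# "no-pam_sss": the stack does not call pam_sss.so at all.
sss_preauth_verdict() {
    auth_lines "$1" | awk '
        $1 == "pam_unix.so" { unix_seen = 1 }
        $1 == "pam_sss.so"  {
            found = 1
            if (unix_seen && / use_first_pass/) print "blocked"; else print "ok"
            exit
        }
        END { if (!found) print "no-pam_sss" }'
}

# True when the IPA provider has written its preauth marker file under $1
# (on a real host $1 is /var/lib/sss/pubconf).
preauth_marker_present() {
    [ -f "$1/pam_preauth_available" ]
}

# Write the two stacks quoted in the thread into a temp dir and print its path.
write_sample_stacks() {
    dir=$(mktemp -d)
    cat > "$dir/ubuntu-common-auth" <<'EOF'
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
EOF
    cat > "$dir/fedora-system-auth" <<'EOF'
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
EOF
    echo "$dir"
}
```

On a live host, source the file and run `sss_preauth_verdict /etc/pam.d/common-auth; preauth_marker_present /var/lib/sss/pubconf && echo marker-ok` to see which of the two conditions fails.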
sssd-users@lists.fedorahosted.org