View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000698||Rocky-Linux-9||krb5||public||2022-11-07 17:21||2022-11-07 17:21|
|Reporter||Stephen Berg||Assigned To|
|OS||Rocky Linux||OS Version||9.0|
|Summary||0000698: krb5-pkinit package prevents smartcard authentication|
|Description||If the krb5-pkinit package is installed on 9.0 using a smartcard to authenticate at the console or gdm fails. Once that package is removed smartcard auth functions as expected.|
|Steps To Reproduce||- Install 9.0|
- install and configure sssd to bind to a freeipa domain
- krb5-pkinit is installed as a dependency of krb5-workstation
- attempt to authenticate using smartcard (in my case a DOD Common Access Card)
|Additional Information||Smartcard authentication fails at every attempt using the console or gdm. If I login with password the smartcard does work for authenticating to websites and other services so I'm confident that using the smartcard itself is not the problem.|
Running "rpm --erase --nodeps krb5-pkinit" seems to fix this problem. Authenticating starts working immediately. Under 8.6 I was able to remove krb5-pkinit without any other packages being removed. But under 9.0 it wants to remove:
So I choose to just remove the one package using rpm since the ipa-client is definitely needed.
I'm not sure if this is an actual bug or misconfiguration. I could be missing some setting that would allow krb5-pkinit to be installed but not interfere with smartcard authentication.
|Tags||No tags attached.|