View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000698 | Rocky-Linux-9 | krb5 | public | 2022-11-07 17:21 | 2022-11-07 17:21 |
| Reporter | Stephen Berg | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | new | Resolution | open | ||
| OS | Rocky Linux | OS Version | 9.0 | ||
| Summary | 0000698: krb5-pkinit package prevents smartcard authentication | ||||
| Description | If the krb5-pkinit package is installed on 9.0 using a smartcard to authenticate at the console or gdm fails. Once that package is removed smartcard auth functions as expected. | ||||
| Steps To Reproduce | - Install 9.0 - install and configure sssd to bind to a freeipa domain - krb5-pkinit is installed as a dependency of krb5-workstation - attempt to authenticate using smartcard (in my case a DOD Common Access Card) | ||||
| Additional Information | Smartcard authentication fails at every attempt using the console or gdm. If I login with password the smartcard does work for authenticating to websites and other services so I'm confident that using the smartcard itself is not the problem. Running "rpm --erase --nodeps krb5-pkinit" seems to fix this problem. Authenticating starts working immediately. Under 8.6 I was able to remove krb5-pkinit without any other packages being removed. But under 9.0 it wants to remove: ipa-client krb5-workstation ipa-client-common ipa-common ipa-selinux oddjob-mkhomedir python3-augeas python3-decorator python3-dns python3-gssapi python3-ipaclient python3-ipalib python3-jwcrypto python3-ldap python3-libipa_hbac python3-netifaces python3-pyasn1 python3-pyasn1-modules python3-pyusb python3-qrcode-core python3-sss python3-sss-murmur python3-sssdconfig python3-systemd python3-yubico sssd-dbus sssd-tools So I choose to just remove the one package using rpm since the ipa-client is definitely needed. I'm not sure if this is an actual bug or misconfiguration. I could be missing some setting that would allow krb5-pkinit to be installed but not interfere with smartcard authentication. | ||||
| Tags | No tags attached. | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2022-11-07 17:21 | Stephen Berg | New Issue |
