[Bug 2109673] Please test proposed package
Nick Rosbrook
2109673 at bugs.launchpad.net
Wed Aug 20 18:38:09 UTC 2025
Hello Seyeong, or anyone else affected,
Accepted sssd into jammy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/sssd/2.6.3-1ubuntu3.6
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-jammy
to verification-done-jammy. If it does not fix the bug for you, please add
a comment stating that, and change the tag to verification-failed-jammy.
In either case, without details of your testing we will not be able to
proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2109673
Title:
Authentication with smartcard is not working with apparmor DENIED
Status in sssd package in Ubuntu:
Fix Released
Status in sssd source package in Focal:
Won't Fix
Status in sssd source package in Jammy:
Fix Committed
Status in sssd source package in Noble:
Fix Committed
Status in sssd source package in Oracular:
Won't Fix
Status in sssd source package in Plucky:
Fix Committed
Status in sssd source package in Questing:
Fix Released
Bug description:
[Impact]
Hello
One of our customers attempted to use a smartcard for authentication
in an sssd & Windows AD environment, but encountered apparmor denials
that prevented it from working properly. They use enforce mode for
apparmor.
In the beginning they only mentioned /etc/sssd/pki/ and /etc/sssd/pki/** r,
and doc [1] also mentioned the guide, so I only mentioned it here. After
that, the customer added more contents as they faced more apparmor DENIEDs.
Then I thought I needed a reproducer for this, so I ordered a Yubikey 5 NFC,
which supports the PIV Smart Card, and tried to reproduce this with Fabio's
reproducer.
Then I could reproduce this.
But the symptom the customer encountered and what I saw are a little bit
different, so I would like to ask you to have a further discussion.
Please refer to Test Case section.
[1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html
[Test Case]
* Windows
1. Deploy Windows Server and enable AD & CA
2. Create User Seyeong
* Ubuntu
0. You need PIV auth support smartcard
1. sudo apt install libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools sssd-ad realmd adcli yubico-piv-tool libengine-pkcs11-openssl libp11-3 libssl-dev yubikey-manager ykcs11 yubico-piv-tools -y
2. later than Oracular:
sudo apt install krb5-pkinit -y
3. make sure dns is working
4. check realm
- sudo realm -v discover WIN-E7RF5O29H6J.seyeong.kim
- sudo realm -v join WIN-E7RF5O29H6J.seyeong.kim
5. create a CSR with the smartcard (create openssl.cnf with keyUsage, extendedKeyUsage and subjectAltName with the UPN)
ykman piv reset -f
yubico-piv-tool -a generate -s 9a -A RSA2048
export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so
openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:object=Private key for PIV Authentication;type=private;pin-value=123456" -config openssl.cnf -reqexts v3_req -out seyeongkim.csr -multivalue-rdn
cat seyeongkim.csr
Contents of openssl.cnf:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = v3_req
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
CN = Seyeong Kim
OU = Users
0.DC = kim
1.DC = seyeong
[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = @alt_names
[ alt_names ]
otherName = 1.3.6.1.4.1.311.20.2.3;UTF8:seyeong@seyeong.kim
* Windows
1. copy the CSR to Windows and approve it. then download it
* Ubuntu
1. convert der to pem
- openssl x509 -in seyeongkim.der -out seyeongkimissued.pem -outform pem
2. import cert to smartcard
yubico-piv-tool -a import-certificate -s 9a -i seyeongkimissued.pem
3. check if it is the same.
pkcs15-tool --read-certificate 1 > card-cert.pem
openssl x509 -text -noout -in card-cert.pem
4. convert ca cert der to pem.
openssl x509 -in certnew.der -out cacert.crt -outform pem
5. setup ca cert in Ubuntu
sudo rm /usr/local/share/ca-certificates/cacert.crt
sudo rm /etc/ssl/certs/cacert.pem
sudo cp cacert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
6. setup cert for sssd
mkdir -p /etc/sssd/pki/
sudo rm /etc/sssd/pki/sssd_auth_ca_db.pem
sudo touch /etc/sssd/pki/sssd_auth_ca_db.pem
cat cacert.crt | sudo tee -a /etc/sssd/pki/sssd_auth_ca_db.pem
7. verification for setup
openssl verify -verbose card-cert.pem
openssl verify -verbose -CAfile /etc/sssd/pki/sssd_auth_ca_db.pem card-cert.pem
systemctl restart sssd
sudo dbus-send --system --print-reply \
--dest=org.freedesktop.sssd.infopipe \
/org/freedesktop/sssd/infopipe/Users \
org.freedesktop.sssd.infopipe.Users.ListByCertificate \
string:"$(cat card-cert.pem)" uint32:10
8. use enforce mode for apparmor
9. setup sssd, krb5, pam
- for sssd, set it up to support the smartcard, matching by cert CN
-- please refer to the example below
[pam]
pam_cert_auth = True
pam_cert_db_path = /etc/sssd/pki/sssd_auth_ca_db.pem
pam_verbosity = 2
[certmap/seyeong.kim/Seyeong]
matchrule = <SUBJECT>^CN=Seyeong.*$
maprule = (userCertificate;binary={cert!bin})
[sssd]
domains = seyeong.kim
config_file_version = 2
services = nss, pam
default_domain_suffix = seyeong.kim
[domain/seyeong.kim]
default_shell = /bin/bash
ad_server = win-e7rf5o29h6j.seyeong.kim
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = SEYEONG.KIM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = seyeong.kim
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
ldap_user_certificate = userCertificate
ldap_user_search_base = DC=seyeong,DC=kim
- for krb5, add the AD info
-- please refer to the example below
[libdefaults]
udp_preference_limit = 0
default_realm = SEYEONG.KIM
pkinit_anchors = FILE:/etc/sssd/pki/sssd_auth_ca_db.pem
pkinit_kdc_hostname = WIN-E7RF5O29H6J.seyeong.kim
pkinit_eku_checking = none
#rdns = false
#dns_lookup_realm = false
[domain_realm]
[plugins]
localauth = {
module = sssd:/usr/lib/x86_64-linux-gnu/sssd/modules/sssd_krb5_localauth_plugin.so
}
- for pam, add "auth ... pam_sss.so try_cert_auth" for sssd checking
-- add the line below to /etc/pam.d/common-auth
auth [success=3 default=ignore] pam_sss.so try_cert_auth allow_missing_name
10. su - Seyeong ( login Seyeong under Oracular )
Expected:
# su - Seyeong
PIN for Seyeong Kim:
Actual:
No PIN prompt and skip PIV authentication.
[Where problems could occur]
This change grants additional read and write access to files required for smartcard-based authentication,
such as /etc/sssd/pki/, /etc/machine-id, and /{,var/}run/pcscd/pcscd.comm. These files are essential
for establishing trust chains, retrieving system identity, and enabling communication with the pcscd daemon.
While these permissions are necessary for correct functionality, especially when using hardware-backed
PIV smartcards with sssd, they may broaden the attack surface if misused.
Therefore, these additions should be reviewed under strict confinement principles, ensuring they are only
granted to trusted components such as sssd and its helper processes.
[Others]
Related logs below
First, I got DENIEDs like the ones below (the /etc/sssd/pki/ r and
/etc/sssd/pki/** r rules are not included here, but they are affected as well).
Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Then I added them to the apparmor profile:
/etc/sssd/pki/ r,
/etc/sssd/pki/** r,
@{PROC}/[0-9]*/cmdline r,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/** r,
/etc/ssl/openssl.cnf r,
But I encountered other DENIEDs (I could use auth with the smartcard at
this point):
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
/run/pcscd/* wr,
/etc/machine-id r,
/etc/opensc/opensc.conf r,
With a recent test, I collected a net_admin DENIED, which the customer reported as well.
Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"
For me, the above was the reproducer, but the customer mentioned that they
needed to add the rules below based on their testing.
capability net_admin, // removed in code
/etc/sssd/pki/ r,
/etc/sssd/pki/** r,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
/run/pcscd/* wr, // /{,var/}run/pcscd/pcscd.comm rw, changed
/etc/machine-id r,
/etc/opensc/opensc.conf r,
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2109673/+subscriptions
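As an added example (not part of the bug report, the sssd package or the Ubuntu apparmor profile), here is a small Python helper that turns the kernel audit lines quoted in the report into candidate AppArmor rules for review. It applies the two generalizations the report itself made (/proc/<pid>/cmdline becomes @{PROC}/[0-9]*/cmdline, and /run/pcscd/pcscd.comm becomes /{,var/}run/pcscd/pcscd.comm), merges duplicate denials into one rule, pairs each denied directory with the "dir/** r," companion rule the report added, and deliberately emits no capability rules: the net_admin request is listed as a review note, since the report dropped it from the final change and a capability should be justified by a person rather than granted from a log line. The sample log is copied from the report; the function names and the review-note format are my own.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules for review."""
import re
from collections import OrderedDict

# Constructed sample input: audit lines copied from the bug report, plus one
# unrelated p11-kit warning line to show that non-audit lines are skipped.
SAMPLE_AUDIT_LOG = """\
Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"
"""

DENIAL_RE = re.compile(r'apparmor="DENIED"\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwxmlk"  # canonical ordering for AppArmor file permission letters


def parse_denials(log_text):
    """Return one {field: value} dict per apparmor="DENIED" audit line."""
    denials = []
    for line in log_text.splitlines():
        match = DENIAL_RE.search(line)
        if not match:
            continue  # not an AppArmor denial (e.g. the p11-kit warning)
        fields = {}
        for key, quoted, bare in FIELD_RE.findall(match.group(1)):
            fields[key] = bare if bare else quoted
        denials.append(fields)
    return denials


def normalize_path(path):
    """Generalize a denied path the way the bug report did for its rules."""
    # /proc/<pid>/cmdline became @{PROC}/[0-9]*/cmdline in the report
    path = re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", path)
    # /run/pcscd/pcscd.comm became /{,var/}run/pcscd/pcscd.comm in the final rule
    path = re.sub(r"^/(?:var/)?run/", "/{,var/}run/", path)
    return path


def mask_to_perms(mask):
    """Canonicalize a denied_mask such as "wr" into rule order ("rw")."""
    known = "".join(c for c in PERM_ORDER if c in mask)
    extra = "".join(sorted(set(mask) - set(PERM_ORDER)))
    return known + extra


def suggest_rules(denials):
    """Return (file_rules, capability_reviews) derived from parsed denials."""
    file_perms = OrderedDict()    # rule path -> merged permission letters
    capabilities = OrderedDict()  # capname -> set of requesting comm names

    def merge(rule_path, perms):
        file_perms[rule_path] = mask_to_perms(file_perms.get(rule_path, "") + perms)

    for d in denials:
        if d.get("operation") == "capable":
            # Capabilities are never auto-granted: the report dropped net_admin.
            capabilities.setdefault(d.get("capname", "?"), set()).add(d.get("comm", "?"))
            continue
        name = d.get("name")
        mask = d.get("denied_mask") or d.get("requested_mask")
        if not name or not mask:
            continue
        rule_path = normalize_path(name)
        merge(rule_path, mask)
        if name.endswith("/"):
            # The report paired each directory rule with a "dir/** r," rule.
            merge(rule_path + "**", mask)

    file_rules = [f"{path} {perms}," for path, perms in file_perms.items()]
    reviews = [f"# REVIEW capability {cap} requested by {', '.join(sorted(comms))}"
               for cap, comms in capabilities.items()]
    return file_rules, reviews


def render_snippet(log_text):
    """Render a profile fragment: file rules first, then capability review notes."""
    rules, reviews = suggest_rules(parse_denials(log_text))
    header = "# candidate additions for the /usr/sbin/sssd profile (review before use)"
    return "\n".join([header] + rules + reviews)


if __name__ == "__main__":
    print(render_snippet(SAMPLE_AUDIT_LOG))
```

Running the file prints the seven file rules the report ended up with plus one review note for net_admin. The output is a starting point for the kind of review the "[Where problems could occur]" section calls for: each rule still has to be checked against what sssd's helpers (p11_child, krb5_child) actually need, and the socket rule is written as rw on the exact pcscd socket path rather than the broader /run/pcscd/* the first iteration used.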