[Bug 2109673] Re: Authentication with smartcard is not working with apparmor DENIED
Andreas Hasenack
2109673 at bugs.launchpad.net
Wed Jul 2 12:22:03 UTC 2025
We don't need to worry about oracular anymore, as it will be EOL in a
few days. But plucky yes, and of course questing.
Right now, this should be tested in questing first, as that is the
current development release and we need to fix it ahead of the upcoming
updates for the stable release. Can you test this change in questing?
** Changed in: sssd (Ubuntu Oracular)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2109673
Title:
Authentication with smartcard is not working with apparmor DENIED
Status in sssd package in Ubuntu:
Confirmed
Status in sssd source package in Focal:
Won't Fix
Status in sssd source package in Jammy:
Confirmed
Status in sssd source package in Noble:
Confirmed
Status in sssd source package in Oracular:
Won't Fix
Status in sssd source package in Plucky:
Confirmed
Status in sssd source package in Questing:
Confirmed
Bug description:
[Impact]
Hello
one of our customers wanted to use a smartcard as an authentication device in an sssd & Windows AD environment.
But they can't do it because of apparmor DENIED.
In the beginning they only mentioned
/etc/sssd/pki/ and /etc/sssd/pki/** r, and doc [1] also mentioned the guide, so I only mentioned it here. After that, the customer added more contents and they faced apparmor DENIED.
Then I thought I needed a reproducer for this, so I ordered a Yubikey 5 NFC, which supports the PIV Smart Card, and tried to reproduce this with Fabio's reproducer.
Then I could reproduce this.
But the symptom the customer encountered and what I saw are a little bit
different, so I would like to ask you to have a further discussion.
Please refer to the Test Case section.
[1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html
[Test Case]
1. Deploy Windows Server and enable AD
2. Referred to this:
- https://pastebin.canonical.com/p/tqNZ2435yC/
First, I got DENIED like below (/etc/sssd/pki/ and /etc/sssd/pki/**
r not included, but it affects):
Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Then I added them to the apparmor profile:
/etc/sssd/pki/ r,
/etc/sssd/pki/** r,
@{PROC}/[0-9]*/cmdline r,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/** r,
/etc/ssl/openssl.cnf r,
But I encountered other DENIEDs (I could use auth with smartcard
at this point):
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
/run/pcscd/* wr,
/etc/machine-id r,
/etc/opensc/opensc.conf r,
With a recent test, I collected the net_admin DENIED, which the customer reported as well.
Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"
For me, the above was the reproducer, but the customer mentioned that they
need to add the following, by testing:
capability net_admin,
/etc/sssd/pki/ r,
/etc/sssd/pki/** r,
/usr/share/p11-kit/modules/ r,
/usr/share/p11-kit/modules/* r,
/run/pcscd/* wr,
/etc/machine-id r,
/etc/opensc/opensc.conf r,
[Where problems could occur]
TBD
[Others]
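The Test Case above works backwards from apparmor="DENIED" audit lines to the profile rules that permit them. The script below is an added example, not code from the bug report or from sssd: a minimal stand-in for aa-logprof that parses the kernel lines quoted in this bug (file opens, the unix-socket connect to pcscd, and the net_admin capability) and emits the rule each one calls for, assuming the type=1400 key="value" field syntax seen in those lines.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example, not code from the bug report or from sssd: a minimal
stand-in for aa-logprof, fed with the kernel lines quoted in this bug.
Assumes the audit type=1400 key="value" syntax seen in those lines.
"""
import re

# Quoted key="value" fields; unquoted ones (pid=, capability=) are skipped.
_FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: dmesg lines from the bug report, timestamps trimmed.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"
"""

def parse_denial(line):
    """Return the quoted fields of one DENIED line, or None for other lines."""
    if 'apparmor="DENIED"' not in line:
        return None
    return dict(_FIELD.findall(line))

def rule_for(fields):
    """Map one denial to the profile rule that would permit exactly it."""
    if fields.get("operation") == "capable":
        return f'capability {fields["capname"]},'
    # File opens and unix-socket connects both key on name= plus denied_mask=,
    # and denied_mask is what the profile still lacks ("r", "wr", ...).
    path = fields["name"]
    # Per-process /proc paths are generalised, as the reporter's rule does.
    path = re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", path)
    return f'{path} {fields["denied_mask"]},'

def rules_from_log(text, profile):
    """Deduplicated rules needed by one profile, in first-seen order."""
    rules = []
    for line in text.splitlines():
        fields = parse_denial(line)
        if fields and fields.get("profile") == profile:
            rule = rule_for(fields)
            if rule not in rules:
                rules.append(rule)
    return rules

if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG, "/usr/sbin/sssd")))
```

Each generated rule is exactly as narrow as the denial that produced it; widening `/run/pcscd/pcscd.comm wr,` to the reporter's `/run/pcscd/* wr,` is a deliberate manual step, not something to automate from a single log line.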