sssd fails to parse user certificate #8177

@MadCatX

I have been trying to set up sssd with my AD DC so that I could log into my Linux workstation with pam_sss. After some troubleshooting while trying to figure out why I would always get

Please insert smart card
Please (re)insert (different) Smartcard
Please (re)insert (different) Smartcard

error messages, I found this in the sssd_pam.log file:

   *  (2025-11-10 18:18:47): [pam] [parse_p11_child_response] (0x4000): [CID#1] Found token name [YubiKey PIV #27084174].
   *  (2025-11-10 18:18:47): [pam] [parse_p11_child_response] (0x4000): [CID#1] Found module name [/usr/lib/libykcs11.so].
   *  (2025-11-10 18:18:47): [pam] [parse_p11_child_response] (0x4000): [CID#1] Found key id [01].
   *  (2025-11-10 18:18:47): [pam] [parse_p11_child_response] (0x4000): [CID#1] Found label [X.509 Certificate for PIV Authentication].
   *  (2025-11-10 18:18:47): [pam] [parse_p11_child_response] (0x4000): [CID#1] Found cert [...].
   *  (2025-11-10 18:18:47): [pam] [sss_certmap_match_cert] (0x0040): [CID#1] Failed to get certificate content.
********************** BACKTRACE DUMP ENDS HERE *********************************

Trying to run the certificate through sssctl cert-show results in:

[sssd] [sssctl_cert_show] (0x0010): Failed to parsed certificate.

The certificate is on a YubiKey and it works perfectly fine on Windows workstations or with raw kinit. OpenSSL also parses the certificate without any issue. What could be wrong here?

EDIT:
My sssd version is 2.11.1 as packaged by Arch Linux.
