On 5/12/20 10:08 PM, tom smith via FreeIPA-users wrote:
I did not run the script, because I had already done most of what is
in the script by the time I found it. I have imported all of the certificates into the
/etc/pki/nss database and I ran this command against my certificate.
Command: certutil -V -n 'mycertificate' -u CSR -l -a -d /etc/pki/nssdb, entered
my PIN and I got the output: certutil: certificate is valid. So, I believe that I added
all of the certificates to the system correctly.
I have removed pam_pkcs11 and installed krb5-pkinit-openssl. I enabled opensc using the
modutil command. When I run the command: modutil -list -dbdir /etc/pki/nssdb, I can see
my card reader and smart card.
I also ran the command: authconfig --enablesssd --enablesssdauth --enablesmartcard
--smartcardmodule=sssd --smartcardaction=1 --updateall, cleared the sss cache and rebooted
the system.
When the system reboots and I get to the GDM screen, I don't get asked for my PIN.
It reads my smart card and then says "Sorry, that didn't work. Please try
again."
Here is the log from sssd_pam:
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found token name [my_token_name].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found module name [opensc-pkcs11.so].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found key id [0001].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found label [my_ID_Certificate].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found cert ["CERTIFICATE REMOVED"].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x1000): Cert ["CERTIFICATE REMOVED"] does not match matching rules and is ignored.
Hi,
By default a client certificate needs to contain the Extended Key Usage
"clientAuth" (see the section related to "matchrule" in sssd.conf(5)).
You can check if your user certificate has this extension with:
$ openssl x509 -noout -text -in cert.pem
The output should contain something similar to:
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication
HTH,
flo
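As an added example (not code from flo, sssd or FreeIPA), the following POSIX shell script automates the openssl check above and also tests the other half of sssd's default matching rule, <KU>digitalSignature<EKU>clientAuth, against two constructed self-signed certificates. The file names, the temporary directory and the -addext values are assumptions made for the demonstration.

```shell
#!/bin/sh
# Check a PEM certificate against sssd's default certificate matching rule,
# <KU>digitalSignature<EKU>clientAuth, using openssl(1). A certificate that
# fails it is the one parse_p11_child_response logs as "does not match
# matching rules and is ignored". Needs OpenSSL >= 1.1.1 (for req -addext).

# Decode the certificate once; the checks below grep this text.
cert_text() {
    openssl x509 -noout -text -in "$1"
}

# 0 when extendedKeyUsage lists clientAuth, which openssl prints as
# "TLS Web Client Authentication" (the line the reply above refers to).
has_client_auth_eku() {
    cert_text "$1" | grep -q 'TLS Web Client Authentication'
}

# 0 when keyUsage includes digitalSignature (the <KU> half of the rule).
has_digital_signature_ku() {
    cert_text "$1" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'
}

# 0 when the certificate would be accepted by the default rule, 1 otherwise.
matches_default_rule() {
    has_digital_signature_ku "$1" && has_client_auth_eku "$1"
}

# Constructed sample certificates (self-signed, throwaway keys) in a temp dir:
# good.pem carries both required usages, bad.pem has emailProtection instead
# of clientAuth and so reproduces the "ignored" case. Prints the directory.
make_sample_certs() {
    dir=$(mktemp -d)
    for name in good bad; do
        if [ "$name" = good ]; then eku=clientAuth; else eku=emailProtection; fi
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name-user" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" \
            -addext 'keyUsage=digitalSignature' -addext "extendedKeyUsage=$eku" \
            2>/dev/null
    done
    echo "$dir"
}

# Usage: sh check_certmap.sh cert1.pem [cert2.pem ...]
for cert in "$@"; do
    if matches_default_rule "$cert"; then
        echo "$cert: matches <KU>digitalSignature<EKU>clientAuth"
    else
        echo "$cert: would be ignored by the default matching rule"
    fi
done
```

Run it against the certificate exported from the card (e.g. the one fed to ipa certmap-match) to see which half of the rule the certificate fails before touching the sssd configuration.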
(Tue May 12 19:28:03 2020) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate found and no logon name given, authentication not possible.
I ran the command "ipa certmap-match mycertificate.pem" and it associated this
certificate with the correct AD account and AD domain.
Here is a copy of my SSSD config file:
[domain/idm.myhome.domain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm.myhome.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = idmsvr01.idm.myhome.domain
chpass_provider = ipa
ipa_server = idmsvr01.idm.myhome.domain
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
krb5_auth_timeout = 60
ldap_user_certificate = userCertificate;binary
[sssd]
services = ifp, nss, sudo, pam, ssh
debug_level = 9
domains = idm.myhome.domain
certificate_verification = no_ocsp
[nss]
memcache_timeout = 600
homedir_substring = /home
debug_level = 9
[pam]
debug_level = 9
p11_child_timeout = 60
pam_cert_auth = True
[sudo]
debug_level = 9
[autofs]
debug_level = 9
[ssh]
debug_level = 9
[pac]
debug_level = 9
[ifp]
debug_level = 9
allowed_uids = ipaapi, root
[secrets]
debug_level = 9
[session_recording]
debug_level = 9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org