Progress, but still not using the smartcard and falling back to the password.

I changed the pam_sss line in common-auth too:

auth    [default=1 success=ok]          pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
#auth [success=1 default=ignore] pam_sss.so use_first_pass
auth    sufficient                      pam_sss.so forward_pass

Now p11_child is called, but doesn't validate the certificate.  On Fedora the final line in p11_child.log is "Ceritificate verified and validated".  On Ubuntu that line is missing.

The root certificate is in the certdb.  (certutil -d /etc/pki/nssdb -L).

Is there a way to do what p11_child does from the command line or with better logging so I can see what it doesn't like?  I have debug_level = 9 on everything at the moment.

Thanks,
Steve


On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose <sbose@redhat.com> wrote:
On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
> In all cases on both systems pam_unix comes before pam_sss.  For example in
> Fedora system-auth it is:

On recent Fedora systems you should have

auth        [default=1 success=ok] pam_localuser.so

before the lines below. This will call pam_unix only for users from
/etc/passwd and skip it otherwise (default=1). Maybe something
like this would help on Ubuntu as well?

bye,
Sumit

>
> auth        [success=done ignore=ignore default=die] pam_unix.so nullok
> try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
>
> and in Ubuntu common-auth it is:
>
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_sss.so use_first_pass
>
> I tried reversing the lines and get a pam error about user not known (it is
> an AD user which works fine on fedora).
>
> Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora.
> Don't know if this is relevant or not.
>
> Steve
>
>
> On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> > On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users
> > wrote:
> > > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA
> > client
> > > version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA client
> > > 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> > >
> > > The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> > > systems.
> > >
> > > On both systems sssd.conf contains:
> > > [pam]
> > > pam_cert_auth = True
> > >
> > > I've turned the sssd logging up to 9 on both systems and it looks like
> > > p11_child is never called on the Ubuntu system.  On the Ubuntu system
> > > p11_child.log is empty and there is no sign of it being started in the
> > > sssd_pam.log.
> > >
> > > Any suggestions on what I should look at next?
> >
> > What does your PAM configuration look like? You have to make sure that
> > pam_sss.so is the first module called for SSSD users. If pam_unix comes
> > first it will ask for a Password and pass it on to pam_sss.so which will
> > try password authentication in this case.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > >
> > > Thanks,
> > > Steve
> >
> > > _______________________________________________
> > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > To unsubscribe send an email to freeipa-users-leave@lists.
> > fedorahosted.org
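To check the module ordering Sumit describes without touching a live system, here is an added Python simulator (not from the thread, SSSD or Linux-PAM) that walks a pam.d auth stack the way the pam.conf(5) control syntax specifies and reports which modules a local user and an SSSD user would actually hit; the per-module results it assumes (pam_localuser and pam_unix fail with user_unknown for directory users, pam_sss succeeds for them) and the sample stacks are constructed assumptions.

```python
import re

# Assumed module results for a local (/etc/passwd) user and an SSSD/AD user.
# Modelling assumptions only, enough to reproduce the ordering problem.
ASSUMED_RESULTS = {
    "pam_localuser.so":  {"local": "success", "sssd": "user_unknown"},
    "pam_unix.so":       {"local": "success", "sssd": "user_unknown"},
    "pam_sss.so":        {"local": "user_unknown", "sssd": "success"},
    "pam_succeed_if.so": {"local": "success", "sssd": "success"},
}
# Keyword controls expanded to their bracket form, as documented in pam.conf(5).
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}
# Constructed samples: the Ubuntu common-auth from the thread, before and after
# adding the pam_localuser guard (commented-out lines are ignored, as PAM does).
UBUNTU_ORIGINAL = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
"""
UBUNTU_GUARDED = """\
auth    [default=1 success=ok]          pam_localuser.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
#auth [success=1 default=ignore] pam_sss.so use_first_pass
auth    sufficient                      pam_sss.so forward_pass
"""

def parse_stack(text):
    """Return [(control_dict, module)] for the non-comment 'auth' lines."""
    stack = []
    for raw in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", raw.split("#", 1)[0].strip())
        if m:
            control, module = m.groups()
            control = KEYWORD_CONTROLS.get(control, control)
            ctl = dict(tok.split("=", 1) for tok in control.strip("[]").split())
            stack.append((ctl, module))
    return stack

def modules_called(text, user_kind):
    """Walk the stack as PAM does; return the modules invoked, in order."""
    stack, called, i = parse_stack(text), [], 0
    while i < len(stack):
        ctl, module = stack[i]
        called.append(module)
        result = ASSUMED_RESULTS.get(module, {}).get(user_kind, "success")
        action = ctl.get(result, ctl.get("default", "ignore"))
        if action in ("done", "die"):  # stack processing ends here
            break
        i += int(action) + 1 if action.isdigit() else 1  # N means skip N lines
    return called
```

For the original Ubuntu stack an SSSD user reaches pam_unix.so first (and gets a password prompt), while with the guard pam_localuser.so skips straight to pam_sss.so for that user and local users still hit pam_unix.so.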