[Freeipa-users] Re: Explanation on how Smartcard Authentication works with all it's componants.

Note: When you need to use PKINIT, set it as a default authentication type, that's why it kept failing :|

On 1/26/23 07:54, r0nam1 wrote: > >1. The Certificate On My Yubikey was issued by the IPA server CA, >since it's my domain controller it makes sense to keep it the CA. > >2. I don't use mapping rules and matching rules, and I went through >a WHOLE PROCESS to get the 'clientAuth' key on my cert. > >3. On my IPA Server it gives 'PKINIT is enabled >The ipa-pkinit-manage command was successful' > > >On 1/25/23 23:07, Florence Blanc-Renaud wrote: >>Hi, >> >>On Wed, Jan 25, 2023 at 10:04 PM r0nam1 via FreeIPA-users >><freeipa-users(a)lists.fedorahosted.org> wrote: >> >> Noted, I'll hit 'reply-all' from now on. >> >> Looking over those links you sent me, I've decided to: >> >> - Ran 'ipa user-show $user' and verified the certificate returned >> >> - Ran 'ipa certmap-match cert.pem' on an extracted certificate >> that is also on the SmartCard, it returned my user. >> >> - Ran 'kinit' and it reacted to my smartcard being present, >> asking for a PIN along with my username being displayed, giving >> the default pin of '123456' it returned an error I haven't been >> able to decipher yet: >> >> '*kinit: KDC policy rejects request while getting initial >> credentials*' >> >> I think this is the current blocking point in the authentication >> process, any ideas what it fully means? My google-fu has failed >> me here. >> >>There are a few additional things to check. >>1. Was the certificate on your smart card issued by IPA CA or by a >>different CA? If it was issued by a different CA, this CA must be >>trusted and this is achieved by running the preparation steps for >>the server: >>kinit admin >>ipa-advise config-server-for-smart-card-auth > >>config-server-for-smart-card-auth.sh >>chmod +x config-server-for-smart-card-auth.sh >>./config-server-for-smart-card-auth.sh issuingca.pem >> >>Do not forget to execute ipa-certupdate on all IPA machines >>(server, replica, clients). >> >>2. If you don't use mapping rules and matching rules, the default >>applies and SSSD ensures that the certificate from the smart card >>contains the Extended Key Usage “clientAuth”. Does you certificate >>have this EKU? >> >>3. Is the ipa server properly configured for pkinit? What is the >>output of >>ipa-pkinit-manage status >> >>flo >> >> >> On 1/25/23 12:39, Rob Crittenden wrote: >>> r0nam1 wrote: >>>> So far it's a lot of 'I thinks'. I think I've configured OpenSC and >>>> pcscd correctly, I think I've configured SSSD correctly, and I think >>>> I've configured PAM correctly, if you can give me a list of relevant >>>> logs or test commands (Even full directory's of logs) I'll do what I can. >>> Please keep responses on the list. >>> >>> The log to see depends on the behavior. >>> >>> Some additional readings (some are rather old but still relevant): >>> >>> https://floblanc.wordpress.com/?s=smart >>> https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-... >>> >>> rob >>> >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org >> To unsubscribe send an email to >> freeipa-users-leave(a)lists.fedorahosted.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... >> Do not reply to spam, report it: >> https://pagure.io/fedora-infrastructure/new_issue >>

_______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue