On Thu, 26 Jan 2023, r0nam1 via FreeIPA-users wrote:
> Note: When you need to use PKINIT, set it as a default authentication
> type, that's why it kept failing :|
Actually, it is enough to enable it in the user account, not as a
default one. I'd recommend not enabling it globally unless all accounts
would be using PKINIT.
Same applies to other authentication types.
On 1/26/23 07:54, r0nam1 wrote:
>
>1. The Certificate On My Yubikey was issued by the IPA server CA,
>since it's my domain controller it makes sense to keep it the CA.
>
>2. I don't use mapping rules and matching rules, and I went through
>a WHOLE PROCESS to get the 'clientAuth' key on my cert.
>
>3. On my IPA Server it gives 'PKINIT is enabled
>The ipa-pkinit-manage command was successful'
>
>
>On 1/25/23 23:07, Florence Blanc-Renaud wrote:
>>Hi,
>>
>>On Wed, Jan 25, 2023 at 10:04 PM r0nam1 via FreeIPA-users
>><freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>> Noted, I'll hit 'reply-all' from now on.
>>
>> Looking over those links you sent me, I've decided to:
>>
>> - Ran 'ipa user-show $user' and verified the certificate returned
>>
>> - Ran 'ipa certmap-match cert.pem' on an extracted certificate
>> that is also on the SmartCard, it returned my user.
>>
>> - Ran 'kinit' and it reacted to my smartcard being present,
>> asking for a PIN along with my username being displayed, giving
>> the default pin of '123456' it returned an error I haven't been
>> able to decipher yet:
>>
>> 'kinit: KDC policy rejects request while getting initial
>> credentials'
>>
>> I think this is the current blocking point in the authentication
>> process, any ideas what it fully means? My google-fu has failed
>> me here.
>>
>>There are a few additional things to check.
>>1. Was the certificate on your smart card issued by IPA CA or by a
>>different CA? If it was issued by a different CA, this CA must be
>>trusted and this is achieved by running the preparation steps for
>>the server:
>>kinit admin
>>ipa-advise config-server-for-smart-card-auth >
>>config-server-for-smart-card-auth.sh
>>chmod +x config-server-for-smart-card-auth.sh
>>./config-server-for-smart-card-auth.sh issuingca.pem
>>
>>Do not forget to execute ipa-certupdate on all IPA machines
>>(server, replica, clients).
>>
>>2. If you don't use mapping rules and matching rules, the default
>>applies and SSSD ensures that the certificate from the smart card
>>contains the Extended Key Usage "clientAuth". Does your certificate
>>have this EKU?
>>
>>3. Is the ipa server properly configured for pkinit? What is the
>>output of
>>ipa-pkinit-manage status
>>
>>flo
>>
>>
>> On 1/25/23 12:39, Rob Crittenden wrote:
>>> r0nam1 wrote:
>>>> So far it's a lot of 'I thinks'. I think I've configured OpenSC and
>>>> pcscd correctly, I think I've configured SSSD correctly, and I think
>>>> I've configured PAM correctly, if you can give me a list of relevant
>>>> logs or test commands (Even full directories of logs) I'll do what I can.
>>> Please keep responses on the list.
>>>
>>> The log to see depends on the behavior.
>>>
>>> Some additional readings (some are rather old but still relevant):
>>>
>>> https://floblanc.wordpress.com/?s=smart
>>> https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-...
>>>
>>> rob
>>>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
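As an added example (not code from this thread, from FreeIPA or from SSSD), here is a standard-library Python check for Florence's point 2: does the certificate on the card actually carry the clientAuth Extended Key Usage that SSSD's default matching rule requires? The DER walker and the three sample extension blocks are constructed for this example; with a real input it takes a DER-encoded certificate file (a PEM can be converted with `openssl x509 -in cert.pem -outform DER -out cert.der`). The id-pkinit-KPClientAuth OID is only used as a label in the report; this example does not claim which EKUs the KDC itself requires.

```python
import sys

EKU_EXT_OID = "2.5.29.37"              # X.509 extKeyUsage extension
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"      # id-kp-clientAuth (SSSD default rule)
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"      # id-kp-serverAuth
PKINIT_CLIENT = "1.3.6.1.5.2.3.4"      # id-pkinit-KPClientAuth (RFC 4556), label only
KNOWN = {CLIENT_AUTH: "clientAuth", SERVER_AUTH: "serverAuth",
         PKINIT_CLIENT: "pkinit-KPClientAuth"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out


def _decode_oid(data):
    """Dotted string from OID content octets (first byte packs arcs 1 and 2)."""
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def eku_oids(der):
    """Key-purpose OIDs of the extKeyUsage extension, or None if absent.

    Walks every constructed node. An Extension is a SEQUENCE whose first
    element is the extension OID and whose last element is the OCTET STRING
    wrapping a SEQUENCE OF key-purpose OIDs (a critical BOOLEAN may sit between).
    """
    for tag, value in _children(der):
        if not tag & 0x20:                 # primitive: nothing to descend into
            continue
        kids = _children(value)
        if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == EKU_EXT_OID:
            ext_tag, ext_value = kids[-1]
            if ext_tag != 0x04:
                return None
            inner = _children(ext_value)   # exactly one SEQUENCE OF OID
            return [_decode_oid(v) for t, v in _children(inner[0][1]) if t == 0x06]
        found = eku_oids(value)
        if found is not None:
            return found
    return None


def has_client_auth(der):
    """True when id-kp-clientAuth is present in the certificate's EKU."""
    return CLIENT_AUTH in (eku_oids(der) or [])


def report(der):
    oids = eku_oids(der)
    if oids is None:
        return "no extKeyUsage extension"
    names = ", ".join(KNOWN.get(o, o) for o in oids)
    state = "present" if CLIENT_AUTH in oids else "MISSING"
    return f"EKU: {names} -> clientAuth {state}"


# --- constructed sample data (not real certificates) -------------------------
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _oid(oid):
    """DER-encode a dotted OID (base-128 arcs, high bit marks continuation)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def _extension(oid, value, critical=False):
    parts = [_oid(oid)] + ([b"\x01\x01\xff"] if critical else []) + [_tlv(0x04, value)]
    return _tlv(0x30, b"".join(parts))


def _extensions(*exts):
    """Mimic the [3] EXPLICIT Extensions field of a TBSCertificate."""
    return _tlv(0xA3, _tlv(0x30, b"".join(exts)))


KEY_USAGE = _extension("2.5.29.15", b"\x03\x02\x05\xa0", critical=True)
SAMPLE_OK = _extensions(KEY_USAGE, _extension(
    EKU_EXT_OID, _tlv(0x30, _oid(SERVER_AUTH) + _oid(CLIENT_AUTH))))
SAMPLE_SERVER_ONLY = _extensions(KEY_USAGE, _extension(
    EKU_EXT_OID, _tlv(0x30, _oid(SERVER_AUTH))))
SAMPLE_NO_EKU = _extensions(KEY_USAGE)

if __name__ == "__main__":
    # Pass a DER certificate path to check a real card certificate; with no
    # argument the constructed SAMPLE_OK block is checked instead.
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OK
    print(report(der))
```

Because the walker descends into every constructed node, the same `eku_oids()` works on the whole certificate, not only on the extensions block the samples mimic. A "MISSING" result means the default SSSD rule will never map the card to the user, no matter how `ipa certmap-match` or the KDC settings look.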