Note: When you need to use PKINIT, set it as a default authentication
type, that's why it kept failing :|
On 1/26/23 07:54, r0nam1 wrote:
1. The certificate on my YubiKey was issued by the IPA server CA;
since it's my domain controller it makes sense to keep it the CA.
2. I don't use mapping rules and matching rules, and I went through a
WHOLE PROCESS to get the 'clientAuth' key on my cert.
3. On my IPA Server it gives 'PKINIT is enabled
The ipa-pkinit-manage command was successful'
On 1/25/23 23:07, Florence Blanc-Renaud wrote:
> Hi,
>
> On Wed, Jan 25, 2023 at 10:04 PM r0nam1 via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Noted, I'll hit 'reply-all' from now on.
>>
>> Looking over those links you sent me, I've decided to:
>>
>> - Ran 'ipa user-show $user' and verified the certificate returned
>>
>> - Ran 'ipa certmap-match cert.pem' on an extracted certificate
>> that is also on the SmartCard, it returned my user.
>>
>> - Ran 'kinit' and it reacted to my smartcard being present,
>> asking for a PIN along with my username being displayed, giving
>> the default pin of '123456' it returned an error I haven't been
>> able to decipher yet:
>>
>> '*kinit: KDC policy rejects request while getting initial
>> credentials*'
>>
>> I think this is the current blocking point in the authentication
>> process, any ideas what it fully means? My google-fu has failed
>> me here.
>
> There are a few additional things to check.
> 1. Was the certificate on your smart card issued by IPA CA or by a
> different CA? If it was issued by a different CA, this CA must be
> trusted and this is achieved by running the preparation steps for the
> server:
> kinit admin
> ipa-advise config-server-for-smart-card-auth >
> config-server-for-smart-card-auth.sh
> chmod +x config-server-for-smart-card-auth.sh
> ./config-server-for-smart-card-auth.sh issuingca.pem
>
> Do not forget to execute ipa-certupdate on all IPA machines (server,
> replica, clients).
>
> 2. If you don't use mapping rules and matching rules, the default
> applies and SSSD ensures that the certificate from the smart card
> contains the Extended Key Usage “clientAuth”. Does your certificate
> have this EKU?
>
> 3. Is the ipa server properly configured for pkinit? What is the
> output of
> ipa-pkinit-manage status
>
> flo
>
>
> On 1/25/23 12:39, Rob Crittenden wrote:
>> r0nam1 wrote:
>>> So far it's a lot of 'I thinks'. I think I've configured OpenSC and
>>> pcscd correctly, I think I've configured SSSD correctly, and I think
>>> I've configured PAM correctly, if you can give me a list of relevant
>>> logs or test commands (Even full directories of logs) I'll do what I can.
>> Please keep responses on the list.
>>
>> The log to see depends on the behavior.
>>
>> Some additional readings (some are rather old but still relevant):
>>
>> https://floblanc.wordpress.com/?s=smart
>> https://frasertweedale.github.io/blog-redhat/posts/2016-08-12-yubikey-sc-...
>>
>> rob
>>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
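The two certificate-side checks in Florence's list (who issued the card certificate, and whether it carries the clientAuth EKU that SSSD's default matching rule requires) can be scripted with openssl before touching kinit. The script below is an added example, not code from this thread or from FreeIPA; it assumes openssl 1.1.1 or newer (for the -addext option) and GNU-style grep -A, and it builds two constructed self-signed certificates, one with clientAuth and one without, so it runs offline. The function and file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Assumes openssl >= 1.1.1.

# Exit 0 if the PEM certificate in $1 carries the clientAuth Extended Key Usage
# (printed by openssl as "TLS Web Client Authentication"), 1 otherwise. This is
# what SSSD's default matching rule checks when no certmap rules are defined.
has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# Print the issuer DN of $1 so it can be compared with the IPA CA; a different
# issuer means that CA still has to be trusted via the ipa-advise steps above.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Human-readable verdict for one certificate pulled off the card.
check_smartcard_cert() {
    cert="$1"
    printf '%s: ' "$cert"
    issuer_of "$cert"
    if has_client_auth_eku "$cert"; then
        echo "  EKU clientAuth: present"
    else
        echo "  EKU clientAuth: MISSING (default SSSD matching rule rejects it)"
    fi
}

# Constructed sample data: two self-signed certificates written into directory $1,
# one with extendedKeyUsage=clientAuth and one with no EKU extension at all.
make_sample_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=sc-user-with-eku' -addext 'extendedKeyUsage=clientAuth' \
        -keyout "$dir/with.key" -out "$dir/with.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=sc-user-no-eku' \
        -keyout "$dir/without.key" -out "$dir/without.pem" 2>/dev/null
}

# Demo run against the constructed certificates.
demo_dir=$(mktemp -d)
make_sample_certs "$demo_dir"
check_smartcard_cert "$demo_dir/with.pem"
check_smartcard_cert "$demo_dir/without.pem"
rm -rf "$demo_dir"
```

On a real client, run check_smartcard_cert on the certificate exported from the card (the same cert.pem fed to 'ipa certmap-match'); if the issuer is not the IPA CA, the ipa-advise steps and ipa-certupdate from Florence's reply apply, and if clientAuth is missing the card certificate has to be reissued, because SSSD's default rule will not match it. The third check, 'ipa-pkinit-manage status', still has to be run on the server itself.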