On Fri, Nov 9, 2018 at 2:18 PM Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi Sumit,
>
>
> On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> >
> > I would suggest to first check if SSSD can see the certificate as well.
> > For this please call:
> >
> >     /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
> >
> > At the end you should see the base64 encoded certificate with some other
> > Smartcard details. If not the debug output might help to figure out why
> > the certificate was not found.
>
>
>
> ok, it does not see anything:
> $ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre

Ah, sorry, I forgot you use F29. On F29 SSSD does not use NSS anymore. Please add your CA
certificates in PEM format to /etc/sssd/pki/sssd_auth_ca_db.pem and call

    /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre

again. Please check man sssd.conf and search for 'openssl' to see the
differences between the NSS and OpenSSL version.

HTH

it did!

Thanks, working perfectly now, awesome.

--
regards,
Natxo