On Thu, Sep 23, 2021 at 02:12:20PM -0400, Rob Crittenden via FreeIPA-users wrote:
Radoslaw Kujawa via FreeIPA-users wrote:
> Hi.
>
> On 9/23/21 15:06, Sumit Bose via FreeIPA-users wrote:
>> On Thu, Sep 23, 2021 at 12:33:25PM +0200, Radoslaw Kujawa via
>> FreeIPA-users wrote:
>>
>> the keys are only derived from the certificate if the certificate can be
>> validated. Have you copied all needed CA certificates to the new machine
>> and made SSSD aware of it?
>>
>
> Indeed, it was a problem with validation. I've originally created a
> symlink from /etc/sssd/pki/sssd_auth_ca_db.pem to /etc/ipa/ca.crt .
> However, this resulted in SELinux denial:
>
> ----
> time->Thu Sep 23 15:35:28 2021
> type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for
> pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2"
> ino=421 scontext=system_u:system_r:sssd_t:s0
> tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0
Hi,

it looks like SELinux does not like that a link is used here. Have you
tried if adding

pam_cert_db_path = /etc/ipa/ca.crt

to the [pam] section of sssd.conf (or as snippet in /etc/sssd/conf.d/)
works?

About using /etc/ipa/ca.crt. This file only contains the IPA CA
certificate, so it can only verify certificates issued by IPA. It might
be better to use /var/lib/ipa-client/pki/ca-bundle.pem which contains
all the CA certificates trusted by the IPA servers, see man
ipa-cacert-manage for details.
>
> After copying the certificate, instead of symlinking it,
> sss_ssh_authorizedkeys works correctly and reports public keys from
> certificates too.
>
> While here, I have a suggestion. Could ipa-client-install also add the
> CA certificate to sssd's PKI directory?
Feel free to open an RFE at
https://pagure.io/freeipa/new_issue
Currently the 'ipa-advise config-client-for-smart-card-auth' script adds
CA certificates to /etc/sssd/pki/sssd_auth_ca_db.pem.
HTH
bye,
Sumit
rob
>
> Currently to make this useful functionality work, manual intervention is
> necessary after running ipa-client-install (just having the cert in
> /etc/ipa/ca.crt is not enough for p11_child to perform validation).
>
> Best regards,
> Radoslaw
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
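The AVC record quoted in the thread is a useful detection signature on its own: an `sssd_t` process (here `p11_child`) denied `read` on a `lnk_file` named `sssd_auth_ca_db.pem` means the CA database was symlinked rather than copied, and certificate validation (and therefore key derivation for sss_ssh_authorizedkeys) will silently fail. The script below is an added example written for this page, not code from SSSD or FreeIPA: it parses audit lines of that shape, flags the symlink pattern, and classifies the on-disk state of the CA database path. The sample audit line is the one from the message above, re-joined onto a single line; the temporary-directory helper is a constructed stand-in for a real client so the check can be run offline.

```python
"""Detect the SELinux symptom from the thread: p11_child (running as sssd_t)
denied read access to a symlinked /etc/sssd/pki/sssd_auth_ca_db.pem.

Added example, not code from the thread, SSSD or FreeIPA. Uses only the
Python standard library.
"""
import os
import re
import tempfile
from pathlib import Path

# Path SSSD's p11_child reads when pam_cert_db_path is not overridden.
SSSD_CA_DB = "/etc/sssd/pki/sssd_auth_ca_db.pem"

# Audit line from the message above, re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1632411328.296:280110): avc: denied { read } for '
    'pid=1555510 comm="p11_child" name="sssd_auth_ca_db.pem" dev="nvme0n1p2" '
    'ino=421 scontext=system_u:system_r:sssd_t:s0 '
    'tcontext=unconfined_u:object_r:sssd_conf_t:s0 tclass=lnk_file permissive=0'
)

# key=value tokens in an AVC record; values are either quoted or bare.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_DENIED_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")


def parse_avc(line: str) -> dict:
    """Turn one `type=AVC` audit line into a dict of its fields.

    The permission set inside `denied { ... }` is stored under "perms";
    every key=value pair (comm, name, scontext, tclass, ...) is stored
    with surrounding quotes removed.
    """
    rec = {}
    m = _DENIED_RE.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    for key, value in _KV_RE.findall(line):
        rec[key] = value.strip('"')
    return rec


def source_type(rec: dict) -> str:
    """Extract the SELinux type (third field) from the record's scontext."""
    parts = rec.get("scontext", "").split(":")
    return parts[2] if len(parts) > 2 else ""


def is_sssd_symlink_denial(rec: dict) -> bool:
    """True when the record matches the thread's pattern: a process in
    sssd_t denied `read` on a symbolic link named after the SSSD CA bundle."""
    return (
        rec.get("type") == "AVC"
        and "read" in rec.get("perms", [])
        and source_type(rec) == "sssd_t"
        and rec.get("tclass") == "lnk_file"
        and rec.get("name") == os.path.basename(SSSD_CA_DB)
    )


def scan(lines) -> list:
    """Return the parsed records that match the symlink-denial pattern."""
    return [r for r in map(parse_avc, lines) if is_sssd_symlink_denial(r)]


def classify_ca_db(path) -> str:
    """Report whether the CA database path is a regular file (what p11_child
    expects), a symlink (what SELinux refuses here), or missing."""
    p = Path(path)
    if p.is_symlink():          # true even for a dangling link
        return "symlink"
    if not p.exists():
        return "missing"
    return "regular"


def make_demo_dir() -> dict:
    """Constructed stand-in for a client: a regular ca.crt, a symlinked
    sssd_auth_ca_db.pem pointing at it, and a path that does not exist."""
    d = tempfile.mkdtemp(prefix="sssd-pki-demo-")
    target = os.path.join(d, "ca.crt")
    Path(target).write_text("-----BEGIN CERTIFICATE-----\n(placeholder)\n")
    link = os.path.join(d, "sssd_auth_ca_db.pem")
    os.symlink(target, link)
    return {"regular": target, "symlink": link, "missing": os.path.join(d, "none.pem")}


if __name__ == "__main__":
    for rec in scan([SAMPLE_AVC]):
        print(f"symlinked CA db denied for comm={rec['comm']} pid={rec['pid']}")
    print(f"{SSSD_CA_DB}: {classify_ca_db(SSSD_CA_DB)}")
    print("fix: copy the bundle (e.g. /var/lib/ipa-client/pki/ca-bundle.pem) "
          "to that path, or set pam_cert_db_path in the [pam] section")
```

Run it on `ausearch -m AVC` output (one record per line) to find the pattern across a fleet; a `symlink` result from `classify_ca_db` on a client is the same misconfiguration before any denial has been logged.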