On Thu, Nov 15, 2018 at 1:43 PM Sumit Bose <sbose@redhat.com> wrote:

The pkinit plugin cannot find a valid certificate 'PKINIT client has no
configured identity; giving up'.

One reason (and that's why I ask for the advice script) is missing CA
certificates. Do you have something like

  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem


Yes, in the krb5.conf file I see:
[realms]
  SUB.DOMAIN.TLD = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem

  }

and the files look ok.

in the section for the SUB.DOMAIN.TLD realm or in the [libdefaults]
section? Those files should contain the IPA CA certificates, so that the
KDC certificate can be validated, and the CA certificates of the issuer
of the certificate from the smartcard.

Additionally please check if there are SELinux AVCs which might indicate
that krb5_child is not allowed to read the files with the CA
certificates.

If the CA certificates are available, calling

   KRB5_TRACE=/dev/stdout kinit -X 'X509_user_identity=PKCS11:module_name=/usr/lib64/pkcs11/opensc-pkcs11.so:token=userxx:certid=01' userxx@SUB.DOMAIN.TLD

I should have thought of this myself. A little modification showed one problem (running your command would not prompt for the pin in the card):

$ KRB5_TRACE=/dev/stdout kinit -X X509_user_identity='PKCS11:opensc-pkcs11.so'
[7385] 1542287227.941537: Getting initial credentials for user@SUB.DOMAIN.TLD
[7385] 1542287227.941539: Sending unauthenticated request
[7385] 1542287227.941540: Sending request (184 bytes) to SUB.DOMAIN.TLD
[7385] 1542287227.941541: Initiating TCP connection to stream kdc1:88
[7385] 1542287227.941542: Sending TCP request to stream kdc1:88
[7385] 1542287227.941543: Received answer (300 bytes) from stream kdc1:88
[7385] 1542287227.941544: Terminating TCP connection to stream kdc1:88
[7385] 1542287227.941545: Response was from master KDC
[7385] 1542287227.941546: Received error from KDC: -1765328359/Additional pre-authentication required
[7385] 1542287227.941549: Preauthenticating using KDC method data
[7385] 1542287227.941550: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-PK-AS-REQ_OLD (14), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA-FX-COOKIE (133)
[7385] 1542287227.941551: Selected etype info: etype aes256-cts, salt ")9z]I\1%cH8C@<}B", params ""
[7385] 1542287227.941552: Received cookie: MIT
[7385] 1542287228.624131: Preauth module pkinit (147) (info) returned: 0/Success
user                           PIN:
[7385] 1542287231.885613: PKINIT error: There are 2 certs, but there must be exactly one.
[7385] 1542287231.885614: PKINIT client has no configured identity; giving up

I am testing with a YubiKey which has several slots, and apparently this is a problem with pkinit. Which is a pity, because the other certificate has a completely different subject CN and domain, so why it tries to use it is unclear.

So I removed the other certificate and now I can successfully kinit without the password prompt, but after kdestroy, rebooting and logging in again, I still don't have a ticket.

Nearly there.

This is the sssd.conf (maybe the error is in here):

[domain/sub.domain.tld]

id_provider = ipa
ipa_server = _srv_, kdc1.sub.domain.tld
ipa_domain = sub.domain.tld
ipa_hostname = myhost.sub.domain.tld
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
dyndns_update = True
dyndns_iface = eno1
krb5_store_password_if_offline = True
debug_level = 9

[sssd]
services = nss, pam, ssh, sudo

domains = sub.domain.tld
[pam]
pam_cert_auth = True
[ssh]

[sudo]

And I see these SELinux denials:

# ausearch -m AVC -ts recent
time->Thu Nov 15 14:55:43 2018
type=AVC msg=audit(1542290143.544:224): avc:  denied  { execute } for  pid=2035 comm="p11_child" path=2F746D702F6666694176784B6538202864656C6574656429 dev="tmpfs" ino=36791 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Thu Nov 15 14:56:10 2018
type=AVC msg=audit(1542290170.644:243): avc:  denied  { execute } for  pid=2960 comm="p11_child" path=2F746D702F6666696B77705A636C202864656C6574656429 dev="tmpfs" ino=47916 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
But even with SELinux in enforcing mode, I can successfully get a ticket:

$ kdestroy
$ klist
klist: Credentials cache 'KCM:1006000001' not found
$ kinit -X 'X509_user_identity=PKCS11:opensc-pkcs11.so'
user                           PIN:
$ klist
Ticket cache: KCM:1006000001
Default principal: user@SUB.DOMAIN.TLD

Valid starting     Expires            Service principal
15-11-18 15:08:16  16-11-18 15:08:10  krbtgt/SUB.DOMAIN.TLD@SUB.DOMAIN.TLD

When I sudo and authenticate with a PIN, I get a ticket for root in the context of my realm user. That works.

Any ideas?
--
Regards,
Natxo
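Sumit's first question in the thread is whether pkinit_anchors and pkinit_pool are set for the realm (or in [libdefaults]) and whether the bundle files actually hold CA certificates. The script below is an added example written for this thread; it is not code from MIT Kerberos, SSSD or FreeIPA. It parses a krb5.conf (the one-level `NAME = { ... }` nesting used by [realms]), resolves the two PKINIT keys with the realm stanza taking precedence over [libdefaults], and reports anchors that are unset, unreadable, or contain no PEM certificate. The config text and the PEM files it writes to a temporary directory are constructed placeholders; only the `FILE:` form of the anchor value is checked (MIT also accepts `DIR:` and `ENV:`), and a key that is repeated within one stanza is not merged, the last value wins.

```python
#!/usr/bin/env python3
"""Check that a krb5.conf realm points PKINIT at readable, non-empty CA bundles.

Added example for this thread; not code from MIT Kerberos, SSSD or FreeIPA.
"""
import os
import tempfile

REALM = 'SUB.DOMAIN.TLD'

# CONSTRUCTED krb5.conf modelled on the stanza quoted in the mail.
KRB5_CONF_TEMPLATE = """\
[libdefaults]
  default_realm = SUB.DOMAIN.TLD

[realms]
  SUB.DOMAIN.TLD = {{
    kdc = kdc1.sub.domain.tld:88
    pkinit_anchors = FILE:{anchors}
    pkinit_pool = FILE:{pool}
  }}
"""

# CONSTRUCTED placeholder; only the PEM markers matter to this check.
PLACEHOLDER_PEM = ('-----BEGIN CERTIFICATE-----\n'
                   'PLACEHOLDER-NOT-A-REAL-CERTIFICATE\n'
                   '-----END CERTIFICATE-----\n')


def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}}, with one level of {} nesting."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = conf.setdefault(line[1:-1], {})
            stack = [section]
            continue
        if line == '}':
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':                          # start of a realm stanza
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key] = value
    return conf


def pkinit_settings(conf, realm):
    """PKINIT keys for the realm; the realm stanza overrides [libdefaults]."""
    realm_stanza = conf.get('realms', {}).get(realm, {})
    libdefaults = conf.get('libdefaults', {})
    out = {}
    for key in ('pkinit_anchors', 'pkinit_pool'):
        value = realm_stanza.get(key) or libdefaults.get(key)
        if value:
            out[key] = value
    return out


def count_pem_certs(path):
    with open(path, 'r', errors='replace') as f:
        return f.read().count('-----BEGIN CERTIFICATE-----')


def check_pkinit(conf, realm):
    """Return a list of problems; an empty list means the anchors look usable."""
    problems = []
    settings = pkinit_settings(conf, realm)
    for key in ('pkinit_anchors', 'pkinit_pool'):
        value = settings.get(key)
        if not value:
            problems.append(f'{key} not set for {realm} or in [libdefaults]')
            continue
        scheme, _, target = value.partition(':')
        if scheme != 'FILE':                      # DIR: and ENV: are not handled here
            problems.append(f'{key}: only FILE: values are checked, got {scheme}:')
            continue
        if not os.access(target, os.R_OK):
            problems.append(f'{key}: {target} missing or unreadable')
        elif count_pem_certs(target) == 0:
            problems.append(f'{key}: {target} contains no PEM certificates')
    return problems


def run_demo():
    """Build a good config and one with a missing pool file; return both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        anchors = os.path.join(tmp, 'kdc-ca-bundle.pem')
        pool = os.path.join(tmp, 'ca-bundle.pem')
        with open(anchors, 'w') as f:
            f.write(PLACEHOLDER_PEM)
        with open(pool, 'w') as f:
            f.write(PLACEHOLDER_PEM * 2)
        good = check_pkinit(parse_krb5_conf(
            KRB5_CONF_TEMPLATE.format(anchors=anchors, pool=pool)), REALM)
        bad = check_pkinit(parse_krb5_conf(
            KRB5_CONF_TEMPLATE.format(anchors=anchors, pool=os.path.join(tmp, 'missing.pem'))), REALM)
    return good, bad


if __name__ == '__main__':
    for label, problems in zip(('good config', 'bad config'), run_demo()):
        print(label, '->', problems or 'OK')
```

Note that `os.access` runs as the invoking user, so it will not reproduce an SELinux denial that only hits krb5_child; pair this check with `ausearch -m AVC` as Sumit suggests.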
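The two AVC records Natxo pasted have their path= field hex-encoded, because audit encodes any string field that contains a space, a double quote or a non-printable byte. Decoded, both paths read `/tmp/ffi...  (deleted)`: p11_child was executing a temporary file under /tmp that had already been unlinked, which is what the execute denial on user_tmp_t is about. The script below is an added example for this thread, not code from SSSD or the audit project: it parses `ausearch -m AVC` output, hex-decodes the string fields, marks permissive and unlinked-file records, and counts denials by source type, target type, class and permission. The first two sample records are the ones from the mail; the third (krb5_child reading kdc-ca-bundle.pem, labelled var_lib_t) is constructed only to exercise the quoted-path form.

```python
#!/usr/bin/env python3
"""Decode and summarise SELinux AVC records from `ausearch -m AVC` output.

Added example for this thread; not code from SSSD, FreeIPA or the audit
project. Audit hex-encodes a string field (path, comm, ...) whenever it
contains a space, a double quote or a non-printable byte, so the raw
records in the mail hide the path p11_child was trying to execute.
"""
import re
from collections import Counter

# Sample input: the two AVC records quoted in the mail, plus one
# CONSTRUCTED record (krb5_child / kdc-ca-bundle.pem) to exercise the
# quoted-path form audit uses when no escaping is needed.
SAMPLE_AUSEARCH = """\
time->Thu Nov 15 14:55:43 2018
type=AVC msg=audit(1542290143.544:224): avc:  denied  { execute } for  pid=2035 comm="p11_child" path=2F746D702F6666694176784B6538202864656C6574656429 dev="tmpfs" ino=36791 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Thu Nov 15 14:56:10 2018
type=AVC msg=audit(1542290170.644:243): avc:  denied  { execute } for  pid=2960 comm="p11_child" path=2F746D702F6666696B77705A636C202864656C6574656429 dev="tmpfs" ino=47916 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file permissive=1
----
time->Thu Nov 15 14:57:00 2018
type=AVC msg=audit(1542290220.100:250): avc:  denied  { read } for  pid=3001 comm="krb5_child" path="/var/lib/ipa-client/pki/kdc-ca-bundle.pem" dev="dm-0" ino=12345 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields audit may hex-encode; numeric fields such as ino= are never decoded.
STRING_FIELDS = {'path', 'name', 'comm', 'exe', 'cwd', 'proctitle'}


def decode_value(key, raw):
    """Strip quotes, or hex-decode an unquoted value of a string field."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in STRING_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-F]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_avc_line(line):
    """Return a dict for one type=AVC line, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {'timestamp': float(m['ts']), 'serial': int(m['serial']),
           'decision': m['decision'], 'perms': m['perms'].split()}
    for key, raw in FIELD_RE.findall(m['rest']):
        rec[key] = decode_value(key, raw)
    rec['permissive'] = rec.get('permissive') == '1'
    # The kernel appends " (deleted)" when the file was unlinked after being opened.
    rec['unlinked'] = rec.get('path', '').endswith(' (deleted)')
    return rec


def parse_ausearch(text):
    """Parse every AVC line in ausearch output; time-> and ---- lines are skipped."""
    return [r for r in map(parse_avc_line, text.splitlines()) if r]


def context_type(ctx):
    """system_u:system_r:sssd_t:s0 -> sssd_t"""
    return ctx.split(':')[2]


def summarise(records):
    """Count denials by (comm, source type, target type, class, permission)."""
    counts = Counter()
    for r in records:
        if r['decision'] != 'denied':
            continue
        for perm in r['perms']:
            counts[(r.get('comm'), context_type(r['scontext']),
                    context_type(r['tcontext']), r['tclass'], perm)] += 1
    return counts


if __name__ == '__main__':
    recs = parse_ausearch(SAMPLE_AUSEARCH)
    for r in recs:
        mode = 'permissive' if r['permissive'] else 'enforcing'
        print(f"{r['serial']}: {r['comm']} {r['perms']} {r['path']} [{mode}]")
    for key, n in summarise(recs).items():
        print(n, *key)
```

The permissive=1 flag on the quoted records means the action was logged but allowed, which is consistent with kinit still succeeding at the time; re-checking the same summary after switching to enforcing shows whether p11_child is actually being blocked.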