I'm trying to set up smart card login into an AD user account using an ID Override on RHEL 7.8. I have been looking through Red Hat's documentation and it's a bit confusing. I was wondering what is the proper way to export a certificate from my CAC PIV card? I have been just exporting the certificate in PEM format from the ESC tool and importing it into the IDM web GUI. But SSSD isn't able to associate the smart card with the AD user. When I run the ipa certmap-match command, it will match to the AD account that I configured with the ID Override. I was also wondering if I need pam_pkcs11 and pam_krb5 installed anymore? When I uninstall pam_pkcs11, GDM doesn't prompt me for my smart card PIN. I was looking at the "config-client-for-smart-card-auth" script and it removes the pam_pkcs11 RPM, that's why I am asking.
On Mon, May 11, 2020 at 07:56:02PM -0000, David Woods via FreeIPA-users wrote:
> I'm trying to set up smart card login into an AD user account using an ID Override on RHEL 7.8. I have been looking through Red Hat's documentation and it's a bit confusing. I was wondering what is the proper way to export a certificate from my CAC PIV card? I have been just exporting the certificate in PEM format from the ESC tool and importing it into the IDM web GUI. But SSSD isn't able to associate the smart card with the AD user. When I run the ipa certmap-match command, it will match to the AD account that I configured with the ID Override. I was also wondering if I need pam_pkcs11 and pam_krb5
Hi,
a working 'ipa certmap-match' is a good first step, since this command will reach out to SSSD to do the mapping.
> installed anymore? When I uninstall pam_pkcs11, GDM doesn't
pam_pkcs11 and pam_krb5 are not needed anymore.
> prompt me for my smart card PIN. I was looking at the "config-client-for-smart-card-auth" script and it removes the pam_pkcs11 RPM, that's why I am asking.
Did you run the script as well on the IPA client where you want to use Smartcard authentication? Besides removing pam_pkcs11 and pam_krb5 there are other important steps like adding the CA certificate to /etc/pki/nssdb, reconfiguring PAM to use pam_sss instead of the other 2 pam modules, configuring SSSD to allow Smartcard authentication etc. So please run the script or, if you prefer, do the steps in the script manually.
If this still does not help, please add 'debug_level = 9' to the [pam] and [domain/...] sections of sssd.conf, restart SSSD, try again and send the SSSD logs and the pam related content from /var/log/secure from about the time of the test.
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I did not run the script, because I had already done most of what is in the script by the time I found it. I have imported all of the certificates into the /etc/pki/nss database and I ran this command against my certificate. Command: certutil -V -n 'mycertificate' -u CSR -l -a -d /etc/pki/nssdb, entered my PIN and I got the output: certutil: certificate is valid. So, I believe that I added all of the certificates to the system correctly.
I have removed pam_pkcs11 and installed krb5-pkinit-openssl. I enabled opensc using the modutil command. When I run the command: modutil -list -dbdir /etc/pki/nssdb, I can see my card reader and smart card.
I also ran the command: authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall, cleared the sss cache and rebooted the system.
When the system reboots and I get to the GDM screen, I don't get asked for my PIN. It reads my smart card and then says "Sorry, that didn't work. Please try again."
Here is the log from sssd_pam:
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found token name [my_token_name].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found module name [opensc-pkcs11.so].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found key id [0001].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found label [my_ID_Certificate].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found cert ["CERTIFICATE REMOVED"].
(Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x1000): Cert ["CERTIFICATE REMOVED"] does not match matching rules and is ignored.
(Tue May 12 19:28:03 2020) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate found and no logon name given, authentication not possible.
I ran the command "ipa certmap-match mycertificate.pem" and it associated this certificate with the correct AD account and AD domain.
Here is a copy of my SSSD config file:
[domain/idm.myhome.domain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm.myhome.domain
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = idmsvr01.idm.myhome.domain
chpass_provider = ipa
ipa_server = idmsvr01.idm.myhome.domain
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
krb5_auth_timeout = 60
ldap_user_certificate = userCertificate;binary

[sssd]
services = ifp, nss, sudo, pam, ssh
debug_level = 9
domains = idm.myhome.domain
certificate_verification = no_ocsp

[nss]
memcache_timeout = 600
homedir_substring = /home
debug_level = 9

[pam]
debug_level = 9
p11_child_timeout = 60
pam_cert_auth = True

[sudo]
debug_level = 9

[autofs]
debug_level = 9

[ssh]
debug_level = 9

[pac]
debug_level = 9

[ifp]
debug_level = 9
allowed_uids = ipaapi, root

[secrets]
debug_level = 9

[session_recording]
debug_level = 9
On 5/12/20 10:08 PM, tom smith via FreeIPA-users wrote:
> I did not run the script, because I had already done most of what is in the script by the time I found it. I have imported all of the certificates into the /etc/pki/nss database and I ran this command against my certificate. Command: certutil -V -n 'mycertificate' -u CSR -l -a -d /etc/pki/nssdb, entered my PIN and I got the output: certutil: certificate is valid. So, I believe that I added all of the certificates to the system correctly.
> I have removed pam_pkcs11 and installed krb5-pkinit-openssl. I enabled opensc using the modutil command. When I run the command: modutil -list -dbdir /etc/pki/nssdb, I can see my card reader and smart card.
> I also ran the command: authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=1 --updateall, cleared the sss cache and rebooted the system.
> When the system reboots and I get to the GDM screen, I don't get asked for my PIN. It reads my smart card and then says "Sorry, that didn't work. Please try again."
> Here is the log from sssd_pam:
> (Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found token name [my_token_name].
> (Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found module name [opensc-pkcs11.so].
> (Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found key id [0001].
> (Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found label [my_ID_Certificate].
> (Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x4000): Found cert ["CERTIFICATE REMOVED"].
> (Tue May 12 19:28:03 2020) [sssd[pam]] [parse_p11_child_response] (0x1000): Cert ["CERTIFICATE REMOVED"] does not match matching rules and is ignored.
Hi,
By default a client certificate needs to contain the Extended Key Usage "clientAuth" (see the section related to "matchrule" in sssd.conf(5)). You can check if your user certificate has this extension with:
$ openssl x509 -noout -text -in cert.pem
The output should contain something similar to:
X509v3 extensions:
    X509v3 Extended Key Usage:
        TLS Web Client Authentication
HTH, flo
I ran the command: openssl x509 -noout -text -in mycertificate.pem
This was the output: TLS Web Client Authentication, Microsoft Smartcardlogin
On Wed, May 13, 2020 at 01:30:26PM -0000, tom smith via FreeIPA-users wrote:
> I ran the command: openssl x509 -noout -text -in mycertificate.pem
> This was the output: TLS Web Client Authentication, Microsoft Smartcardlogin
Hi,
what is the 'key usage' for this certificate?
Have you defined certificate mapping and matching rules on the IPA server? Can you send the output of
ipa certmaprule-find
Can you send the full sssd_pam.log and p11_child.log with 'debug_level=9' in the [pam] section of sssd.conf?
bye, Sumit
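Flo's openssl check above looks only at the Extended Key Usage, and Sumit's follow-up asks about the Key Usage as well, since SSSD's default matching rule in sss-certmap(5) is `<KU>digitalSignature<EKU>clientAuth` and a card certificate has to satisfy both parts before the certmap rules are even consulted. The helper below is an added example, not code from the thread or from SSSD: it evaluates a rule in that syntax against the text output of `openssl x509 -noout -text` and reports which requirement is missing; the sample output is constructed, not the poster's certificate.

```python
import re

# Rule tokens from sss-certmap(5) -> the names openssl prints (subset; extend as needed).
KU_NAMES = {"digitalSignature": "Digital Signature",
            "keyEncipherment": "Key Encipherment"}
EKU_NAMES = {"clientAuth": "TLS Web Client Authentication",
             "serverAuth": "TLS Web Server Authentication",
             "msScLogin": "Microsoft Smartcardlogin"}

def parse_openssl_text(text):
    """Return (key_usages, ext_key_usages) found in `openssl x509 -text` output."""
    def section(title):  # the usage list is printed on the line after its header
        m = re.search(r"X509v3 " + title + r":[^\n]*\n[ \t]*([^\n]+)", text)
        return {s.strip() for s in m.group(1).split(",")} if m else set()
    return section("Key Usage"), section("Extended Key Usage")

def parse_rule(rule):
    """Split '<KU>digitalSignature<EKU>clientAuth' into {'KU': {...}, 'EKU': {...}}."""
    return {kind: {v.strip() for v in vals.split(",") if v.strip()}
            for kind, vals in re.findall(r"<(KU|EKU)>([^<]*)", rule)}

def missing_usages(text, rule="<KU>digitalSignature<EKU>clientAuth"):
    """List the requirements of `rule` the certificate lacks; [] means it matches."""
    ku, eku = parse_openssl_text(text)
    wanted = parse_rule(rule)
    missing = ["KU " + n for n in sorted(wanted.get("KU", ()))
               if KU_NAMES.get(n, n) not in ku]
    missing += ["EKU " + n for n in sorted(wanted.get("EKU", ()))
                if EKU_NAMES.get(n, n) not in eku]
    return missing

# Constructed sample output (not the poster's certificate): a card cert carrying
# both extensions, and the same cert with no Key Usage extension at all.
GOOD = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Microsoft Smartcardlogin
"""
NO_KU = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Microsoft Smartcardlogin
"""

if __name__ == "__main__":
    print("both extensions:", missing_usages(GOOD) or "matches default rule")
    print("no Key Usage:   ", missing_usages(NO_KU))       # ['KU digitalSignature']
    print("EKU-only rule:  ", missing_usages(NO_KU, "<EKU>clientAuth") or "matches")
```

The second case is the one to look for when the EKU line looks right but p11_child still reports "does not match matching rules": the certificate may have the right EKU but no digitalSignature key usage, which only an explicit `matchrule` on the certmap rule can relax.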