> ok, that makes sense - i do indeed have a pkinit_cert_match in
> krb5.conf.
> Any chance for a fix for this for rhel8 GA? I will try to investigate if we
> can write our smartcard certs differently, so they have different
> ID's, but I don't know what support there is for that in our card
> provisioning solution.

I cannot comment on this but I can attach a test build based on the
latest RHEL8 packages to the bugzilla ticket when a fix is available.

HTH

bye,
Sumit

> //Adam
>
> On Wed 13 Feb 2019 at 13:23, Sumit Bose <sbose(a)redhat.com> wrote:
> On Wed, Feb 13, 2019 at 12:51:14PM +0100, Winberg, Adam wrote:
> > I did not have the 'certificate_verification' parameter set at all
> > before, and then online authentication works for me.
> >
> > These are debug logs from p11_child, online auth with ocsp:
> >
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp].
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp].
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.
> >
> > So it seems both certs validate, but login still works and the correct
> > certificate is chosen.
>
> ah, sorry, I guess when online you are doing Kerberos PKINIT so
> p11_child is never run in authentication mode where the 'More than one
> certificate found for authentication, aborting!' error came from. In
> this case I assume you have a 'pkinit_cert_match' rule in krb5.conf to
> help libkrb5 to pick the right certificate since SSSD would only add the
> ID to X509_user_identity which is not sufficient to select a specific
> certificate.
>
> bye,
> Sumit
>
> >
> > //Adam
> >
> > On Wed 13 Feb 2019 at 12:19, Sumit Bose <sbose(a)redhat.com> wrote:
> >
> > > On Wed, Feb 13, 2019 at 09:54:45AM +0100, Winberg, Adam wrote:
> > > > You are correct, the OCSP was an issue. Disabling that I get a step
> > > > closer (where I actually get a pin prompt), but login does not work.
> > > >
> > > > sssd_pam.log shows:
> > > > (Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend cannot handle Smartcard authentication, trying local Smartcard authentication.
> > > >
> > > > Which looks good, but p11_child.log shows:
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010): More than one certificate found for authentication, aborting!
> > > >
> > > > And then sssd_pam.log shows:
> > > > (Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found.
> > > > (Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed.
> > > >
> > > > I have two certs on my card, but I have a 'matchrule' in sssd.conf so SSSD
> > > > only picks the correct one:
> > > > matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
> > > >
> > > > This does not seem to work offline? Even so, should I not then get to
> > > > choose which certificate to use in GDM?
> > > >
> > > > This bugzilla (created by me for RHEL7.6) might be relevant, since both
> > > > my certs have the same ID.
> > > >
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1631410
> > >
> > > Yes, you are right this is related. The certificate objects on the
> > > Smartcard only differ in the label ('a001329', 'adwi.adm') but currently
> > > SSSD only uses the ID for the selection. So I have to add the label for
> > > the selection as well.
> > >
> > > But this would be the same for online authentication. So I wonder if one
> > > of the certificates is invalid according to OCSP or if you disabled
> > > verification completely for the test?
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Thank you!
> > > >
> > > > //Adam
> > > >
> > > > On Wed 13 Feb 2019 at 09:05, Sumit Bose <sbose(a)redhat.com> wrote:
> > > >
> > > > > On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
> > > > > > I'm having a hard time understanding how cert mapping is supposed to
> > > > > > work offline. Currently I have the following certmap config (this is
> > > > > > on RHEL8-beta):
> > > > > >
> > > > > > [certmap/ad.example.com/smartcard]
> > > > > > maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
> > > > > >
> > > > > > to map the CN on the card to 'samAccountName' in AD. This works as
> > > > > > long as I'm online (access to AD), but when I go offline (disconnect
> > > > > > network) the maprule is not working. I thought that the mapping would
> > > > > > then use the sssd cache but apparently not - so how is smartcard login
> > > > > > supposed to work offline?
> > > > >
> > > > > The cached data should be used in the offline case. Do your certificates
> > > > > contain the OCSP extension? If this is present SSSD will use it by
> > > > > default to validate the certificate which will fail if the system is
> > > > > offline. To disable OCSP you can set
> > > > >
> > > > > certificate_verification = no_ocsp
> > > > >
> > > > > in the [sssd] section of sssd.conf, see man sssd.conf for details.
> > > > >
> > > > > If that's not the case feel free to send me the SSSD logs ideally with
> > > > > debug_level=9. The most important ones for the offline case would be
> > > > > sssd_pam.log and p11_child.log.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > >
> > > > > > Regards
> > > > > > Adam
> > > > >
> > > > > > _______________________________________________
> > > > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > > > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
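The two points the thread turns on, replayed on the data quoted from the logs, as an added example that is not part of the original mails and not SSSD's own code: the p11_child selection that aborts because both certificate objects carry the same PKCS#11 id and differ only in their label (object=), the sssd.conf <SUBJECT> matchrule that still tells the two certificates apart by subject, and the expansion of the quoted maprule into an LDAP filter from the UPN in the certificate. The URIs and subjects are copied from the quoted p11_child.log lines. The helper names, the conversion of the OpenSSL one-line subject into the "CN=...,OU=...,DC=..." order the matchrule expects (by splitting on '/' and reversing), and the RFC 4515 escaping of the values substituted into the maprule are this example's own assumptions, not a description of how SSSD implements these steps.

```python
"""Added example, not SSSD code: certificate selection by PKCS#11 id and
label, matchrule evaluation, and maprule expansion, on the thread's data."""
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed from the p11_child.log lines in the thread: two certificate
# objects on one token, identical id, different label (object=).
_BASE = ("pkcs11:library-description=OpenSC%20smartcard%20framework;"
         "library-manufacturer=OpenSC%20Project;library-version=0.19;"
         "slot-description=Alcor%20Micro%20AU9560%2000%2000;"
         "slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;"
         "manufacturer=Gemalto;serial=2634357095419540;"
         "token=identification%20%28Instant%20EID%20IP9%29;"
         "id=%70%9c%1b%7b%80%a2%41%ae;")
CARD_URIS = [_BASE + "object=a001329;type=cert", _BASE + "object=adwi.adm;type=cert"]
CARD_SUBJECTS = {   # OpenSSL one-line form, as read_certs prints it
    "a001329": "/DC=com/DC=example/DC=ad/OU=People/CN=a001329",
    "adwi.adm": "/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm",
}
MATCHRULE = r"^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"   # from the thread
MAPRULE = "(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))"


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 pkcs11: URI into its path attributes. 'id' is binary
    and is returned as lowercase hex; every other value is percent-decoded."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]      # query attributes are ignored
    attrs = {}
    for component in path.split(";"):
        if component:
            name, _, raw = component.partition("=")
            attrs[name] = unquote_to_bytes(raw).hex() if name == "id" else unquote(raw)
    return attrs


def find_certs(uris, id_hex, label=None):
    """Certificate objects with the given id (and label, if one is supplied)."""
    hits = [a for a in map(parse_pkcs11_uri, uris)
            if a.get("type") == "cert" and a.get("id") == id_hex]
    if label is not None:
        hits = [a for a in hits if a.get("object") == label]
    return hits


def select_cert(uris, id_hex, label=None):
    """Exactly one object must match; anything else is the ambiguity p11_child reports."""
    hits = find_certs(uris, id_hex, label)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} certificates found for id={id_hex} label={label!r}")
    return hits[0]


def to_sssd_subject(oneline):
    """'/DC=com/DC=example/CN=x' -> 'CN=x,DC=example,DC=com' (assumption: no '/' inside values)."""
    return ",".join(reversed(oneline.strip("/").split("/")))


def matching_subjects(rule, oneline_subjects):
    """Subjects (in matchrule order) that the <SUBJECT> regular expression accepts."""
    return [s for s in map(to_sssd_subject, oneline_subjects) if re.search(rule, s)]


_LDAP_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value):
    """RFC 4515 escaping so a crafted UPN cannot rewrite the filter structure."""
    return "".join(_LDAP_ESCAPE.get(ch, ch) for ch in value)


def expand_maprule(rule, upn):
    """Fill {subject_principal} and {subject_principal.short_name} from the UPN SAN value."""
    if not upn:
        raise ValueError("certificate has no UPN; {subject_principal} cannot be expanded")
    values = {"subject_principal": upn, "subject_principal.short_name": upn.split("@", 1)[0]}

    def substitute(m):
        if m.group(1) not in values:
            raise KeyError(f"unsupported template {m.group(0)}")
        return ldap_filter_escape(values[m.group(1)])
    return re.sub(r"\{([a-z_.]+)\}", substitute, rule)


if __name__ == "__main__":
    card_id = parse_pkcs11_uri(CARD_URIS[0])["id"]
    try:
        select_cert(CARD_URIS, card_id)                 # id alone: both objects match
    except LookupError as err:
        print("id only:", err)
    print("id+label:", select_cert(CARD_URIS, card_id, "a001329")["object"])
    print("matchrule picks:", matching_subjects(MATCHRULE, CARD_SUBJECTS.values()))
    print("filter:", expand_maprule(MAPRULE, "a001329@ad.example.com"))
```

Run directly, the first step raises for this card because the id 709c1b7b80a241ae selects both objects, which is the same ambiguity behind the "More than one certificate found for authentication" message; adding the label makes the selection unique. The matchrule accepts only CN=a001329, since the second subject has OU=People2 right after the CN, and the maprule expansion shows why the substituted UPN should be treated as untrusted filter input.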