OK, that makes sense - I do indeed have a pkinit_cert_match in krb5.conf.

Any chance for a fix for this for RHEL8 GA? I will try to investigate if we can write our smartcard certs differently, so they have different IDs, but I don't know what support there is for that in our card provisioning solution.

//Adam

On Wed 13 Feb 2019 at 13:23, Sumit Bose <sbose@redhat.com> wrote:
On Wed, Feb 13, 2019 at 12:51:14PM +0100, Winberg, Adam wrote:
> I did not have the 'certificate_verification' parameter set at all before,
> and then online authentication works for me.
>
> These are debug logs from p11_child, online auth with OCSP:
>
> (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
> (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp].
> (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
> (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.
> (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
> (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp].
> (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
> (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.
>
> So it seems both certs validate, but login still works and the correct
> certificate is chosen.

ah, sorry, I guess when online you are doing Kerberos PKINIT so
p11_child is never run in authentication mode where the 'More than one
certificate found for authentication, aborting!' error came from. In
this case I assume you have a 'pkinit_cert_match' rule in krb5.conf to
help libkrb5 to pick the right certificate since SSSD would only add the
ID to X509_user_identity which is not sufficient to select a specific
certificate.

bye,
Sumit

>
> //Adam
>
>
>
>
> On Wed 13 Feb 2019 at 12:19, Sumit Bose <sbose@redhat.com> wrote:
>
> > On Wed, Feb 13, 2019 at 09:54:45AM +0100, Winberg, Adam wrote:
> > > You are correct, the OCSP was an issue. Disabling that I get a step closer
> > > (where I actually get a pin prompt), but login does not work.
> > >
> > > sssd_pam.log shows:
> > > (Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend cannot handle Smartcard authentication, trying local Smartcard authentication.
> > >
> > > Which looks good, but p11_child.log shows:
> > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
> > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
> > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
> > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
> > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
> > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
> > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010): More than one certificate found for authentication, aborting!
> > >
> > > And then sssd_pam.log shows:
> > > (Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found.
> > > (Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed.
> > >
> > > I have two certs on my card, but I have a 'matchrule' in sssd.conf so SSSD
> > > only picks the correct one:
> > > matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
> > >
> > > This does not seem to work offline? Even so, should I not then get to
> > > choose which certificate to use in GDM?
> > >
> > > This bugzilla (created by me for RHEL7.6) might be relevant, since both my
> > > certs have the same ID.
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1631410
> >
> > Yes, you are right this is related. The certificate objects on the
> > Smartcard only differ in the label ('a001329', 'adwi.adm') but currently
> > SSSD only uses the ID for the selection. So I have to add the label for
> > the selection as well.
> >
> > But this would be the same for online authentication. So I wonder if one
> > of the certificates is invalid according to OCSP or if you disabled
> > verification completely for the test?
> >
> > bye,
> > Sumit
> >
> > >
> > > Thank you!
> > >
> > > //Adam
> > >
> > > On Wed 13 Feb 2019 at 09:05, Sumit Bose <sbose@redhat.com> wrote:
> > >
> > > > On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
> > > > > I'm having a hard time understanding how cert mapping is supposed to work
> > > > > offline. Currently I have the following certmap config (this is on
> > > > > RHEL8-beta):
> > > > >
> > > > > [certmap/ad.example.com/smartcard]
> > > > > maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
> > > > >
> > > > > to map the CN on the card to 'samAccountName' in AD. This works as long as
> > > > > I'm online (access to AD), but when I go offline (disconnect network) the
> > > > > maprule is not working. I thought that the mapping would then use the sssd
> > > > > cache but apparently not - so how is smartcard login supposed to work
> > > > > offline?
> > > >
> > > > The cached data should be used in the offline case. Do your certificates
> > > > contain the OCSP extension? If this is present SSSD will use it by
> > > > default to validate the certificate which will fail if the system is
> > > > offline. To disable OCSP you can set
> > > >
> > > >     certificate_verification = no_ocsp
> > > >
> > > > in the [sssd] section of sssd.conf, see man sssd.conf for details.
> > > >
> > > > If that's not the case feel free to send me the SSSD logs ideally with
> > > > debug_level=9. The most important ones for the offline case would be
> > > > sssd_pam.log and p11_child.log.
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > >
> > > > > Regards
> > > > > Adam
> > > >
> > > > > _______________________________________________
> > > > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > > > To unsubscribe send an email to
> > sssd-users-leave@lists.fedorahosted.org
> > > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives:
> > > >
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
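To tie the thread's pieces together, here is an added example configuration (not from the thread or the SSSD project) in which the certificate whose CN looks like 'a001329' is selected on both paths: SSSD's certmap matchrule for the offline p11_child path, and a krb5.conf pkinit_cert_match rule for the online PKINIT path, since X509_user_identity carries only the PKCS#11 ID that both certificate objects on the card share. Assumptions: the realm name AD.EXAMPLE.COM, placing the rule under [realms], and that libkrb5 matches <SUBJECT> against a comma-separated "CN=...,OU=...,DC=..." subject string.

```ini
# /etc/sssd/sssd.conf (added example, not from the thread)
[sssd]
# Offline logins have no route to the OCSP responder, so the default
# OCSP check fails; disable it only if your revocation policy allows it.
certificate_verification = no_ocsp

[certmap/ad.example.com/smartcard]
# p11_child applies this rule before choosing a certificate, so the
# "More than one certificate found for authentication, aborting!" case
# is avoided even though both objects share PKCS#11 id 709C1B7B80A241AE.
matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
# Maps the card's CN to the AD account (offline: against the SSSD cache).
maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))

# /etc/krb5.conf (added example, not from the thread; realm name assumed)
[realms]
 AD.EXAMPLE.COM = {
  # Online logins go through PKINIT in libkrb5, which never runs
  # p11_child in authentication mode. SSSD only passes the PKCS#11 ID in
  # X509_user_identity, identical for both certs, so libkrb5 needs its own
  # subject rule. Subject-string format is an assumption; verify it.
  pkinit_cert_match = <SUBJECT>CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com
 }
```

Verify the online selection with `KRB5_TRACE=/dev/stderr kinit <user>`, which traces PKINIT certificate matching, and the offline selection in p11_child.log at debug_level=9.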