On Sun, Jul 18, 2021 at 1:26 PM Assaf Morami <assaf.morami(a)gmail.com> wrote:
> Is it possible to have an AD + Smart Card setup, without having the
> user certificate in AD? meaning have sssd take the certificate
> straight from the smart card.
Starting with sssd 2.1.0, sssd can map smart card certificates to AD
users by using the certmap; see sss-certmap(5).
For sssd 1.x and 2.0.x, sssd performs user matching by searching AD
for a user object whose userCertificate parameter matches the
certificate on the smart card, which means you have to pre-load
smart card certificates into AD for Linux sssd smart card authentication
to work.
> If not, is it possible with sss_override to insert the certificate
> to the sssd cache right before each login?
That's not going to help—sssd already has the certificate; it reads it
from the smart card. The issue is that sssd needs to be able to
identify the correct AD user object that corresponds to the
certificate on the smart card.
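As an added illustration of the certmap approach mentioned above (this is not configuration from the thread or from the sssd project's documentation), here is an sssd.conf fragment for a hypothetical AD domain "ad.example.com" that identifies the AD user by the UPN carried in the smart card certificate's Subject Alternative Name, so no userCertificate value needs to be stored in AD. Section and option names follow sssd.conf(5) and sss-certmap(5); the domain name and the rule name "upn" are placeholders.

```ini
# Added example, not from the thread: sssd.conf certmap configuration
# for a hypothetical AD domain. Domain and rule names are placeholders.

[sssd]
domains = ad.example.com
services = nss, pam

[pam]
# Enable certificate (smart card) authentication in the PAM responder.
pam_cert_auth = True

[domain/ad.example.com]
id_provider = ad
access_provider = ad

# Rule name "upn" is arbitrary. matchrule restricts the rule to
# certificates whose Extended Key Usage includes Microsoft smart card
# logon; maprule then looks the user up in AD by the NT principal name
# (UPN) from the certificate's SAN instead of by the certificate blob.
[certmap/ad.example.com/upn]
matchrule = <EKU>msScLogin
maprule = LDAP:(userPrincipalName={subject_nt_principal})
# Lower value means higher priority when several rules match.
priority = 10
```

Because the user is located by an attribute value taken from the certificate, the CA that issued the smart card certificates must be trusted by sssd (pam_cert_db_path in sssd.conf(5)) or any certificate carrying a matching UPN would map to that user; a stricter matchrule (for example adding an <ISSUER> pattern) narrows which certificates the rule accepts. sssctl(8) provides cert-map and cert-show subcommands that show how a given certificate is evaluated against the configured rules.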