You are correct, the OCSP was an issue. Disabling that I get a step closer (where I actually get a pin prompt), but login does not work.
sssd_pam.log shows:
(Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend cannot handle Smartcard authentication, trying local Smartcard authentication.
Which looks good, but p11_child.log shows:
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010): More than one certificate found for authentication, aborting!
And then sssd_pam.log shows:
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found.
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed.
I have two certs on my card, but I have a 'matchrule' in sssd.conf so SSSD only picks the correct one:
matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
This does not seem to work offline? Even so, should I not then get to choose which certificate to use in GDM?
This bugzilla (created by me for RHEL7.6) might be relevant, since both my certs have the same ID.
Thank you!
//Adam
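As an added illustration (not part of the original post and not SSSD's own code), the script below replays the matchrule from the message against the two subjects that p11_child logged. It assumes, as the sss-certmap documentation describes for `<SUBJECT>` rules, that the rule is applied to the subject DN in LDAP order (most specific RDN first, comma separated), so the OpenSSL-style `/DC=com/.../CN=...` strings from the log are reversed before matching; the log excerpt embedded in `P11_LOG` is constructed from the lines quoted above. It shows that the rule as written would select exactly one of the two certificates, which is useful for checking a matchrule before assuming the card or the rule is at fault.

```python
import re

# Constructed sample: the two "found cert" lines from the p11_child.log excerpt above.
P11_LOG = """\
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
"""

# The regex part of the matchrule from sssd.conf (the <SUBJECT> prefix stripped).
MATCHRULE = r"^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"

# Matches "found cert[<label>][<subject>]" as p11_child prints it.
FOUND_CERT_RE = re.compile(r"\[read_certs\] .*?found cert\[([^\]]+)\]\[([^\]]+)\]")


def parse_found_certs(log_text):
    """Return a list of (label, openssl_style_subject) tuples from p11_child log lines."""
    certs = []
    for line in log_text.splitlines():
        m = FOUND_CERT_RE.search(line)
        if m:
            certs.append((m.group(1), m.group(2)))
    return certs


def openssl_dn_to_ldap(dn):
    """Convert '/DC=com/DC=example/OU=People/CN=x' to 'CN=x,OU=People,DC=example,DC=com'.

    Assumption: RDN values contain no '/' (true for the subjects in the log);
    a real converter would parse the DN rather than split on the separator.
    """
    rdns = [rdn for rdn in dn.split("/") if rdn]
    return ",".join(reversed(rdns))


def select_certs(log_text, matchrule):
    """Apply the matchrule regex to each logged subject (in LDAP order); return matching labels."""
    rule = re.compile(matchrule)
    return [
        label
        for label, subject in parse_found_certs(log_text)
        if rule.search(openssl_dn_to_ldap(subject))
    ]


def verdict(selected):
    """Summarise the selection the way p11_child decides: exactly one cert is required."""
    if len(selected) == 0:
        return "no certificate matches the rule"
    if len(selected) > 1:
        return "more than one certificate matches the rule: " + ", ".join(selected)
    return "one certificate selected: " + selected[0]


if __name__ == "__main__":
    for label, subject in parse_found_certs(P11_LOG):
        print(f"{label}: {openssl_dn_to_ldap(subject)}")
    print(verdict(select_certs(P11_LOG, MATCHRULE)))
```

Run it as is and it reports that only `a001329` satisfies the rule (`adwi.adm` fails both the seven-character CN constraint and the `OU=People` position), so if p11_child still aborts with "More than one certificate found" the rule is not being consulted on that code path rather than being too broad.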