You are correct, the OCSP was an issue. Disabling that I get a step closer (where I actually get a pin prompt), but login does not work.

sssd_pam.log shows:
(Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend cannot handle Smartcard authentication, trying local Smartcard authentication.

Which looks good, but p11_child.log shows:
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so identification (Instant EID IP9) identification (Instant EID IP9) 709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.

(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010): More than one certificate found for authentication, aborting!

And then sssd_pam.log shows:
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found.
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed.


I have two certs on my card, but I have a 'matchrule' in sssd.conf so SSSD only picks the correct one:
matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$

This does not seem to work offline? Even so, should I not then get to choose which certificate to use in GDM?

This bugzilla (created by me for RHEL7.6) might be relevant, since both my certs have the same ID.

Thank you!

//Adam

On Wed, 13 Feb 2019 at 09:05, Sumit Bose <sbose@redhat.com> wrote:
On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
> I'm having a hard time understanding how cert mapping is supposed to work
> offline. Currently I have the following certmap config (this is on
> RHEL8-beta):
>
> [certmap/ad.example.com/smartcard]
> maprule =
> (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
>
> to map the CN on the card to 'samAccountName' in AD. This works as long as
> I'm online (access to AD), but when I go offline (disconnect network) the
> maprule is not working. I thought that the mapping would then use the sssd
> cache but apparently not - so how is smartcard login supposed to work
> offline?

The cached data should be used in the offline case. Do your certificates
contain the OCSP extension? If this is present SSSD will use it by
default to validate the certificate which will fail if the system is
offline. To disable OCSP you can set

    certificate_verification = no_ocsp

in the [sssd] section of sssd.conf, see man sssd.conf for details.

If that's not the case feel free to send me the SSSD logs ideally with
debug_level=9. The most important ones for the offline case would be
sssd_pam.log and p11_child.log.

bye,
Sumit

>
> Regards
> Adam

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
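An added check (not code from the thread or from SSSD) that applies the matchrule from Adam's reply to the two subjects p11_child.log reported. It assumes the <SUBJECT> regex is matched against the RFC 4514 rendering of the DN (most specific RDN first), which is the reverse of the OpenSSL slash notation the log prints, and it shows the rule accepts exactly one of the two certificates, so the "More than one certificate found" abort is not caused by the rule itself matching both.

```python
import re

# matchrule exactly as given in sssd.conf in the thread
MATCHRULE = "<SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"

# Subjects copied from the p11_child.log lines above (OpenSSL notation, root first)
LOGGED_SUBJECTS = [
    "/DC=com/DC=example/DC=ad/OU=People/CN=a001329",
    "/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm",
]


def openssl_to_rfc4514(subject: str) -> str:
    """Turn OpenSSL '/X=a/Y=b' (root first) into RFC 4514 order 'Y=b,X=a'
    (most specific RDN first). Assumption: the rule is written against this
    form, and no RDN value contains an escaped '/' or ','."""
    rdns = [rdn for rdn in subject.split("/") if rdn]
    return ",".join(reversed(rdns))


def subject_regex(matchrule: str) -> "re.Pattern[str]":
    """Extract the regular expression following the <SUBJECT> tag."""
    prefix = "<SUBJECT>"
    if not matchrule.startswith(prefix):
        raise ValueError("only <SUBJECT> rules are handled here")
    return re.compile(matchrule[len(prefix):])


def select_certs(matchrule: str, logged_subjects: list) -> list:
    """Return the RFC 4514 subjects the matchrule accepts, in log order."""
    pattern = subject_regex(matchrule)
    selected = []
    for subj in logged_subjects:
        dn = openssl_to_rfc4514(subj)
        if pattern.search(dn):
            selected.append(dn)
    return selected


if __name__ == "__main__":
    for dn in select_certs(MATCHRULE, LOGGED_SUBJECTS):
        print("matched:", dn)
    # a001329 matches ([ak] + six characters, OU=People); adwi.adm does not
```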