On Tue, Oct 29, 2019 at 12:21:45PM -0400, James Ralston wrote:
> On Mon, Oct 28, 2019 at 3:21 AM Sumit Bose <sbose(a)redhat.com>
> wrote:
> > I'm sorry, currently there are some copy-and-paste errors in the
> > examples of the sss-certmap man page. I'll try to fix them in one of
> > the next releases.
> A related question, which I don't see answered in sss-certmap(5): if
> sssd is performing smartcard authentication via krb5 PKINIT, how does
> the krb5 pkinit_cert_match option interact with sssd's matching rules?
> krb5 pkinit.so requires that the pkinit_cert_match options produce one
> (and only one) matching certificate from the certificates available on
> the smartcard. Does that mean that sssd only sees a single
> certificate (the one selected by pkinit.so via pkinit_cert_match
> options), so sss-certmap(5) matching rules are superfluous when using
> PKINIT?
> Or does sssd see all certificates on the smartcard, even when using
> PKINIT, and thus sssd's sss-certmap(5) matching rules need to match
> the same candidate certificate that krb5's pkinit_cert_match rules do?
> If the latter is true, what happens if krb5's pkinit_cert_match
> options select a different certificate than the certificate
> sss-certmap(5) selects via its matching rules?
> Also, what happens if a sss-certmap(5) matching rule matches more than
> one certificate on the smartcard? For PKINIT, this is a fatal error.
> Is it the same for sssd? Or if multiple certificates match, will sssd
> apply the mapping rule against each certificate in turn, and prompt
> the user which certificate/account combination they wish to log in to?
Hi,
SSSD only uses sss-certmap(5) rules. If there are multiple certificates
on the Smartcard matching the rules, SSSD will prompt the user to select
one, so that in the end a single certificate is always used during
authentication.
When calling the pkinit plugin SSSD will use the certificate ID of the
selected certificate from the Smartcard to make sure pkinit will use the
same certificate that was selected by SSSD. So for plain SSSD usage it
is not needed to add 'pkinit_cert_match' to krb5.conf because SSSD makes
sure that only a single certificate is used for pkinit.
If you set 'pkinit_cert_match' to make manual kinit work more easily, you
should make sure that 'pkinit_cert_match' does allow the certificates
which SSSD will select with the sss-certmap(5) rules. Otherwise the
certificate selected by SSSD will be filtered out by 'pkinit_cert_match'
and the pkinit module will have no certificate which can be used for
authentication.
HTH
bye,
Sumit
> Again, if I can clarify my own understanding of the documentation,
> I'll attempt to give you a pull request with cleanups/clarifications…
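As an added illustration of the flow Sumit describes (not code from SSSD, krb5 or this thread): a simplified Python model in which an sss-certmap style rule selects the certificate, the user picks one when several match, and pkinit only sees that single certificate, which pkinit_cert_match then either accepts or filters out. The reduced rule syntax (only <SUBJECT> and <ISSUER> regexes, all of which must match), the Cert record and the card contents are constructed assumptions, not the real matchers.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Cert:
    cert_id: str   # token object ID that SSSD hands on to the pkinit plugin
    subject: str
    issuer: str


# Constructed sample: two certificates present on one smartcard.
CARD = [
    Cert("01", "CN=jdoe,OU=Users,O=EXAMPLE", "CN=Example User CA,O=EXAMPLE"),
    Cert("02", "CN=jdoe (auth),OU=Users,O=EXAMPLE", "CN=Example PIV CA,O=EXAMPLE"),
]

# Hypothetical simplified rule syntax: <SUBJECT>regex / <ISSUER>regex
# components, all of which must match. Real sss-certmap(5) and
# pkinit_cert_match rules support more components and operators.
_COMPONENT = re.compile(r"<(SUBJECT|ISSUER)>([^<]*)")


def rule_matches(rule: str, cert: Cert) -> bool:
    fields = {"SUBJECT": cert.subject, "ISSUER": cert.issuer}
    parts = _COMPONENT.findall(rule.lstrip("&"))   # tolerate a leading '&&'
    return bool(parts) and all(re.search(rx, fields[name]) for name, rx in parts)


def sssd_select(certmap_rule: str, card: List[Cert],
                choose: Callable[[List[Cert]], Cert] = lambda c: c[0]) -> Optional[Cert]:
    """Model of SSSD: apply the sss-certmap rule; with several matches the user picks."""
    cands = [c for c in card if rule_matches(certmap_rule, c)]
    if not cands:
        return None
    return choose(cands) if len(cands) > 1 else cands[0]


def pkinit_outcome(certmap_rule: str, pkinit_cert_match: Optional[str],
                   card: List[Cert], choose=lambda c: c[0]) -> str:
    """pkinit only sees the cert SSSD selected by ID; pkinit_cert_match, if set,
    must still accept that single certificate or pkinit has nothing to use."""
    selected = sssd_select(certmap_rule, card, choose)
    if selected is None:
        return "no-certificate-matches-sss-certmap"
    if pkinit_cert_match is not None and not rule_matches(pkinit_cert_match, selected):
        return f"cert {selected.cert_id} filtered out by pkinit_cert_match"
    return f"pkinit uses cert {selected.cert_id}"


if __name__ == "__main__":
    print(pkinit_outcome("<SUBJECT>CN=jdoe.*", "&&<SUBJECT>.*\\(auth\\).*", CARD))
```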
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org