I did not have the 'certificate_verification' parameter set at all before, and then online authentication worked for me.

These are the debug logs from p11_child, online auth with OCSP:

(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp].
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp1.example.com/ocsp].
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000): OCSP check was successful.


So it seems both certs validate, but login still works and the correct certificate is chosen.

//Adam




On Wed, 13 Feb 2019 at 12:19, Sumit Bose <sbose@redhat.com> wrote:
On Wed, Feb 13, 2019 at 09:54:45AM +0100, Winberg, Adam wrote:
> You are correct, the OCSP was an issue. Disabling that I get a step closer
> (where I actually get a pin prompt), but login does not work.
>
> sssd_pam.log shows:
> (Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend cannot
> handle Smartcard authentication, trying local Smartcard authentication.
>
> Which looks good, but p11_child.log shows:
> (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs]
> (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
> (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs]
> (0x4000): found
> cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
> (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so
> identification (Instant EID IP9) identification (Instant EID IP9)
> 709C1B7B80A241AE 709C1B7B80A241AE.
> (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so
> identification (Instant EID IP9) identification (Instant EID IP9)
> 709C1B7B80A241AE 709C1B7B80A241AE.
> (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> uri:
> pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
> (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> uri:
> pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
> (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010):
> More than one certificate found for authentication, aborting!
>
> And then sssd_pam.log shows:
> (Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000):
> No certificate found.
> (Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No
> certificate returned, authentication failed.
>
> I have two certs on my card, but I have a 'matchrule' in sssd.conf so SSSD
> only picks the correct one:
> matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
>
> This does not seem to work offline? Even so, should I not then get to
> choose which certificate to use in GDM?
>
> This bugzilla (created by me for RHEL7.6) might be relevant, since both my
> certs have the same ID.
> https://bugzilla.redhat.com/show_bug.cgi?id=1631410

Yes, you are right, this is related. The certificate objects on the
Smartcard only differ in the label ('a001329', 'adwi.adm') but currently
SSSD only uses the ID for the selection. So I have to add the label for
the selection as well.

But this would be the same for online authentication. So I wonder if one
of the certificates is invalid according to OCSP or if you disabled
verification completely for the test?

bye,
Sumit

>
> Thank you!
>
> //Adam
>
> On Wed, 13 Feb 2019 at 09:05, Sumit Bose <sbose@redhat.com> wrote:
>
> > On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
> > > I'm having a hard time understanding how cert mapping is supposed to work
> > > offline. Currently I have the following certmap config (this is on
> > > RHEL8-beta):
> > >
> > > [certmap/ad.example.com/smartcard]
> > > maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
> > >
> > > to map the CN on the card to 'samAccountName' in AD. This works as long as
> > > I'm online (access to AD), but when I go offline (disconnect network) the
> > > maprule is not working. I thought that the mapping would then use the sssd
> > > cache but apparently not - so how is smartcard login supposed to work
> > > offline?
> >
> > The cached data should be used in the offline case. Do your certificates
> > contain the OCSP extension? If this is present SSSD will use it by
> > default to validate the certificate which will fail if the system is
> > offline. To disable OCSP you can set
> >
> >     certificate_verification = no_ocsp
> >
> > in the [sssd] section of sssd.conf, see man sssd.conf for details.
> >
> > If that's not the case feel free to send me the SSSD logs, ideally with
> > debug_level=9. The most important ones for the offline case would be
> > sssd_pam.log and p11_child.log.
> >
> > bye,
> > Sumit
> >
> > >
> > > Regards
> > > Adam
> >
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> >

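As an added illustration (not code from this thread or from SSSD itself), the script below takes the two certificate subjects and the two PKCS#11 URIs from the p11_child log quoted above and shows, first, that Adam's matchrule selects exactly one of the two certificates once the subject is rendered in LDAP (RFC 4514) order, and second, why keying the selection on the PKCS#11 `id` alone, as Sumit describes, leaves both objects ambiguous while keying on `id` plus the object label does not. The slash-to-RFC 4514 conversion is an approximation of how SSSD renders the subject and is an assumption of this example.

```python
import re

# Constructed from the quoted p11_child log lines: subjects in OpenSSL
# slash form, the matchrule from sssd.conf, and the two PKCS#11 URIs
# (trailing sentence period removed from the log output).
SUBJECTS = {
    "a001329": "/DC=com/DC=example/DC=ad/OU=People/CN=a001329",
    "adwi.adm": "/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm",
}
MATCHRULE = "<SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"
URIS = [
    "pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert",
    "pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert",
]


def to_rfc4514(openssl_dn):
    """Reverse the OpenSSL '/DC=..' form into the most-specific-first
    LDAP order that the <SUBJECT> regex in the matchrule is written against
    (assumed here to be how SSSD renders the subject)."""
    rdns = [p for p in openssl_dn.split("/") if p]
    return ",".join(reversed(rdns))


def matchrule_matches(rule, openssl_dn):
    """Apply a '<SUBJECT>regex' matchrule to one certificate subject.
    Only the <SUBJECT> form used in the thread is handled."""
    m = re.fullmatch(r"<SUBJECT>(.*)", rule)
    if not m:
        raise ValueError("only <SUBJECT> matchrules are handled here")
    return re.search(m.group(1), to_rfc4514(openssl_dn)) is not None


def pkcs11_attrs(uri):
    """Split 'pkcs11:k=v;k=v' into a dict; values stay percent-encoded,
    which is enough for comparing id and object between two URIs."""
    body = uri.split(":", 1)[1]
    return dict(kv.split("=", 1) for kv in body.split(";"))


def candidates(uris, use_label):
    """Group certificate objects by PKCS#11 id only (SSSD's selection key
    per the thread) or by (id, object label). A group with more than one
    member is the 'More than one certificate found' case."""
    groups = {}
    for uri in uris:
        a = pkcs11_attrs(uri)
        key = (a["id"], a["object"]) if use_label else a["id"]
        groups.setdefault(key, []).append(a["object"])
    return groups
```

Running `candidates(URIS, use_label=False)` yields one group holding both labels, while `use_label=True` yields two singleton groups, which is the distinction Sumit says the selection logic still lacks.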