I did not have the 'certificate_verification' parameter set
at all before,
and then online authentication works for me.
These are the debug logs from p11_child, online auth with OCSP:
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs]
(0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
Using OCSP URL [
http://ocsp1.example.com/ocsp].
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
Nonce in OCSP response is the same as the one used in the request.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
OCSP check was successful.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs]
(0x4000): found
cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
Using OCSP URL [
http://ocsp1.example.com/ocsp].
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
Nonce in OCSP response is the same as the one used in the request.
(Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
OCSP check was successful.
So it seems both certs validate, but login still works and the correct
certificate is chosen.
ah, sorry, I guess when online you are doing Kerberos PKINIT so
p11_child is never run in authentication mode where the 'More than one
certificate found for authentication, aborting!' error came from. In
this case I assume you have a 'pkinit_cert_match' rule in krb5.conf to
help libkrb5 to pick the right certificate since SSSD would only add the
ID to X509_user_identity which is not sufficient to select a specific
certificate.
bye,
Sumit
//Adam
On Wed 13 Feb 2019 at 12:19, Sumit Bose <sbose(a)redhat.com> wrote:
> On Wed, Feb 13, 2019 at 09:54:45AM +0100, Winberg, Adam wrote:
> > You are correct, the OCSP was an issue. Disabling that I get a step
> closer
> > (where I actually get a pin prompt), but login does not work.
> >
> > sssd_pam.log shows:
> > (Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend
> cannot
> > handle Smartcard authentication, trying local Smartcard authentication.
> >
> > Which looks good, but p11_child.log shows:
> > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs]
> > (0x4000): found
> cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
> > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs]
> > (0x4000): found
> > cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
> > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> > /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so
> > identification (Instant EID IP9) identification (Instant EID IP9)
> > 709C1B7B80A241AE 709C1B7B80A241AE.
> > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> > /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so
> > identification (Instant EID IP9) identification (Instant EID IP9)
> > 709C1B7B80A241AE 709C1B7B80A241AE.
> > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> > uri:
> >
>
pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
> > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> > uri:
> >
>
pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
> > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010):
> > More than one certificate found for authentication, aborting!
> >
> > And then sssd_pam.log shows:
> > (Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response]
> (0x1000):
> > No certificate found.
> > (Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020):
> No
> > certificate returned, authentication failed.
> >
> > I have two certs on my card, but I have a 'matchrule' in sssd.conf so
> SSSD
> > only picks the correct one:
> > matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
> >
> > This does not seem to work offline? Even so, should I not then get to
> > choose which certificate to use in GDM?
> >
> > This bugzilla (created by me for RHEL7.6) might be relevant, since both
> my
> > certs have the same ID.
> >
https://bugzilla.redhat.com/show_bug.cgi?id=1631410
>
> Yes, you are right this is related. The certificate objects on the
> Smartcard only differ in the label ('a001329', 'adwi.adm') but
currently
> SSSD only uses the ID for the selection. So I have to add the label for
> the selection as well.
>
> But this would be the same for online authentication. So I wonder if one
> of the certificates is invalid according to OCSP or if you disabled
> verification completely for the test?
>
> bye,
> Sumit
>
> >
> > Thank you!
> >
> > //Adam
> >
> > On Wed 13 Feb 2019 at 09:05, Sumit Bose <sbose(a)redhat.com> wrote:
> >
> > > On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
> > > > I'm having a hard time understanding how cert mapping is supposed
to
> work
> > > > offline. Currently I have the following certmap config (this is on
> > > > RHEL8-beta):
> > > >
> > > > [
certmap/ad.example.com/smartcard]
> > > > maprule =
> > > >
> > >
>
(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
> > > >
> > > > to map the CN on the card to 'samAccountName' in AD. This
works as
> long
> > > as
> > > > I'm online (access to AD), but when I go offline (disconnect
> network) the
> > > > maprule is not working. I thought that the mapping would then use
the
> > > sssd
> > > > cache but apparently not - so how is smartcard login supposed to
work
> > > > offline?
> > >
> > > The cached data should be used in the offline case. Do your
> certificates
> > > contain the OCSP extension? If this is present SSSD will use it by
> > > default to validate the certificate which will fail if the system is
> > > offline. To disable OCSP you can set
> > >
> > > certificate_verification = no_ocsp
> > >
> > > in the [sssd] section of sssd.conf, see man sssd.conf for details.
> > >
> > > If that's not the case feel free to send me the SSSD logs ideally
with
> > > debug_level=9. The most important ones for the offline case would be
> > > sssd_pam.log and p11_child.log.
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Regards
> > > > Adam
> > >
> > > > _______________________________________________
> > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
> sssd-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> > > > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > >
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > >
>
>
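Added example, not code from the thread, from SSSD or from OpenSC: a small Python script that parses the two PKCS#11 URIs quoted in the p11_child.log excerpt (RFC 7512 percent-encoding), shows that both certificate objects carry the same CKA_ID and differ only in their label, and applies the matchrule regex from the thread to the two subject DNs. The selection functions illustrate the behaviour described above (selecting by ID alone versus ID plus label); they are not SSSD's implementation. Converting the subject from the OpenSSL one-line form printed in the log to most-specific-RDN-first order is an assumption made so that the regex on the page applies as written.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed input: the two "uri:" lines from the p11_child.log excerpt in
# the thread. Both objects sit on the same token and share the same CKA_ID;
# only the label (object=...) differs. The trailing '.' is log punctuation.
_URI_PREFIX = (
    "pkcs11:library-description=OpenSC%20smartcard%20framework;"
    "library-manufacturer=OpenSC%20Project;library-version=0.19;"
    "slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;"
    "slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;"
    "token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;"
)
LOG_URIS = [
    _URI_PREFIX + "object=a001329;type=cert.",
    _URI_PREFIX + "object=adwi.adm;type=cert.",
]

# Constructed input: the subject DNs from the read_certs lines, keyed by
# label, in the OpenSSL one-line form the log prints them in.
LOG_SUBJECTS = {
    "a001329": "/DC=com/DC=example/DC=ad/OU=People/CN=a001329",
    "adwi.adm": "/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm",
}

# The matchrule regex from the thread, without its <SUBJECT> prefix.
MATCHRULE = r"^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"


def parse_pkcs11_uri(uri):
    """Parse the path attributes of an RFC 7512 PKCS#11 URI into a dict.

    Values are percent-decoded. 'id' is returned as raw bytes because CKA_ID
    is binary; every other attribute is returned as str.
    """
    uri = uri.rstrip(".")
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for part in uri[len("pkcs11:"):].split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed attribute: %r" % part)
        attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return attrs


def to_rfc4514(openssl_oneline):
    """Turn '/DC=com/.../CN=x' into 'CN=x,...,DC=com' (most specific RDN
    first). Assumption: this is the order the page's matchrule is written for."""
    rdns = [rdn for rdn in openssl_oneline.split("/") if rdn]
    return ",".join(reversed(rdns))


def apply_matchrule(subjects, rule):
    """Return the labels whose subject DN matches the <SUBJECT> regex."""
    pattern = re.compile(rule)
    return sorted(label for label, dn in subjects.items()
                  if pattern.search(to_rfc4514(dn)))


def select_certs(uris, wanted_id, wanted_label=None):
    """Select certificate objects by CKA_ID alone (wanted_label=None) or by
    CKA_ID plus label. Returns the matching labels; more than one result is
    the ambiguity the p11_child log in the thread aborts on. Illustration
    only, not SSSD's selection code."""
    found = []
    for attrs in map(parse_pkcs11_uri, uris):
        if attrs.get("type") != "cert" or attrs.get("id") != wanted_id:
            continue
        if wanted_label is not None and attrs.get("object") != wanted_label:
            continue
        found.append(attrs["object"])
    return found


if __name__ == "__main__":
    cka_id = bytes.fromhex("709C1B7B80A241AE")  # the ID do_card prints in the log
    print("matchrule selects:", apply_matchrule(LOG_SUBJECTS, MATCHRULE))
    print("by ID only:       ", select_certs(LOG_URIS, cka_id))
    print("by ID + label:    ", select_certs(LOG_URIS, cka_id, "a001329"))
```

Run as a script it prints the matchrule result (only a001329 matches, because "adwi.adm" is eight characters and sits under an extra OU), two labels for the ID-only selection, and one label once the label is added to the selection. The same parser can be pointed at the `uri:` lines of any p11_child.log to check whether the certificates on a card collide on CKA_ID before relying on ID-based selection.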