On Tue, Jun 06, 2017 at 03:22:28PM -0000, tallinn1960(a)yahoo.de wrote:
Eventually I've got a working setup with PKINIT, Smartcard and
sssd 1.15.2 in a Ubuntu/Unity-Environment. However, login fails, if both krb5 kdc and ldap
id provider are offline. Is offline mode for smartcard authentication vs kerberos supposed
to work at all in sssd or are there more requirements to be met than those already
mentioned here?
Especially, are there any requirements on the subject dn in the certificate? I am looking
at an error message in the logs that is only there in offline mode:
sssd_pam.log:(Tue Jun 6 15:52:57 2017) [sssd[pam]] [pam_dom_forwarder] (0x0400): User
and certificate user do not match, continue with other authentication methods.
As for Kerberos the subject of the certificate has no meaning, the kerberos principal
name is encoded as an subject alternative name id-pki-san extension. So we did not choose
anything special for the subject name of the certificates.
If offline SSSD would just check the certificate and the PIN on its own.
To map the certificate to the user the full certificate is used because
it should have been saved to the cache by a previous online
authentication.
The log message indicates that the certificate is not properly stored in
the cache, at least searching the cache for the user and the certificate
return different objects.
Can you send the full sssd_pam.log file to see if there are more hints
why one of the searches in the offline case does not find the right
object?
bye,
Sumit
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org