I've been debugging the OCSP issue as well and we can see that the OCSP server responds to the request. This response is signed by a cert which is issued by our CA, and that cert is indeed in my nssdb. So should this not work? Do I have to have the actual OCSP server cert in nssdb, does certificate chaining not work here?
Regards Adam
2017-10-19 12:39 GMT+02:00 Winberg, Adam adam.winberg@smhi.se:
Thanks a bunch, disabling OCSP verification works (and to test with p11_child you can set the parameter '--verify=no_ocsp').
So, now I can see in debug logs that sssd finds my smartcard certificate but now it fails trying to verify it against the provider (AD). So what are the requirements for this to work on 7.4? This page:
http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/
implies that it is no longer necessary to store the entire certificate for the user in AD. It instead mentions a 'special attribute' but there is no detailed information about it there. Is there any more documentation about this?
Thanks, Adam
2017-10-19 11:19 GMT+02:00 Sumit Bose sbose@redhat.com:
On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
I'm trying to get smartcard auth working with sssd on RHEL 7.4. We currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this by using sssd instead. Unfortunately I can't get it to work, sssd does not seem to detect my smartcard certificate.
Running p11_child I get the following:
$ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
(Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
(Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
(Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
(Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
(Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
(Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
(Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
(Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
(Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
(Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
(Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
(Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
(Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
(Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
(Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [Alcor Micro AU9540 00 00 Generic ] Manufacturer [Generic ] flags [7].
(Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Token is NOT friendly.
(Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Login required.
(Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Filtered certificates:
(Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0040): Certificate [identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062], skipping.
(Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): No certificate found.
What does the error code '-8062' mean?
"The signer of the OCSP response is not authorized to give status for this certificate."
Please see e.g. https://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html for other error codes as well. I will add a text output to the error code in one of the upcoming versions.
It looks like the certificate of the OCSP responder cannot be validated. Please add the related CA certificates to /etc/pki/nssdb. As an alternative, if you do not want to use OCSP, you can disable it by setting
certificate_verification = no_ocsp
in the [sssd] section of sssd.conf (see man sssd.conf for details)
HTH
bye, Sumit
Regards, Adam
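Added example, not part of the thread above: the quoted meaning of -8062 is that the OCSP response signer is "not authorized", which is the RFC 6960 section 4.2.2.2 rule. A client accepts a response only if it is signed by the CA that issued the certificate being checked, by a responder certificate that this same CA issued and that carries the id-kp-OCSPSigning extended key usage, or by a responder the client has been explicitly configured to trust. The script below demonstrates all three parts of that check with openssl instead of NSS/p11_child (openssl 1.1.1 or later is assumed; every CA name, subject, serial and file here is constructed for the demo). It builds a throwaway CA, issues a user certificate and two responder certificates, produces a response for the user certificate with each responder, and then verifies: the delegated responder against the issuing CA (passes), the same response with an unrelated CA as the only trust anchor, i.e. the "CA cert not in nssdb" case (fails in the chain step), and a responder the CA issued but without the OCSPSigning EKU (fails in the authorization step even though the chain is fine).

```shell
#!/bin/sh
# Added example, not taken from the thread: the "authorized responder" rule
# behind NSS error -8062, reproduced with a throwaway PKI built by openssl
# (1.1.1 or later assumed). Every name, serial and file here is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so nothing depends on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf profiles. RFC 6960 4.2.2.2: a delegated responder must be issued by the
# CA whose certificates it answers for AND carry id-kp-OCSPSigning.
printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext
printf 'keyUsage=critical,digitalSignature\n' > noeku.ext
printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext

KEYOPTS='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes'

# issue NAME SERIAL SUBJECT EXTFILE: CSR plus certificate signed by the example CA.
issue() {
    openssl req -new $KEYOPTS -config req.cnf -subj "$3" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$2" \
        -days 1 -extfile "$4" -out "$1.crt" 2>/dev/null
}

make_pki() {
    # "Our CA": issues the user certificate and both responder certificates.
    openssl req -x509 $KEYOPTS -config req.cnf -days 2 \
        -keyout ca.key -out ca.crt 2>/dev/null
    # An unrelated CA, standing in for a trust store (nssdb) that lacks our CA.
    openssl req -x509 $KEYOPTS -config req.cnf -days 2 -subj '/CN=Unrelated CA' \
        -keyout other.key -out other.crt 2>/dev/null
    issue user  0x1001 '/OU=People/CN=user1' user.ext
    issue ocsp  0x2001 '/CN=Example OCSP Responder' ocsp.ext
    issue noeku 0x2002 '/CN=Responder without OCSPSigning' noeku.ext
    # One-row "openssl ca" index so openssl ocsp can act as responder: serial
    # 1001 (user1) is valid. Fields: status, expiry, revoked, serial, file, DN.
    printf 'V\t991231235959Z\t\t1001\tunknown\t/OU=People/CN=user1\n' > index.txt
}

# respond SIGNER OUTFILE: answer a status request for user1, signed by SIGNER.
respond() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner "$1.crt" -rkey "$1.key" \
        -issuer ca.crt -cert user.crt -no_nonce -respout "$2" >/dev/null 2>&1
}

# verify RESPFILE TRUSTFILE: the client-side check (signature, chain to the
# trust store, responder authorization). Prints ok or fail.
verify() {
    out=$(openssl ocsp -respin "$1" -issuer ca.crt -cert user.crt \
        -CAfile "$2" -no_nonce 2>&1 || true)
    case "$out" in
        *"Response verify OK"*) echo ok ;;
        *) echo fail ;;
    esac
}

make_pki
respond ocsp  delegated.der
respond noeku noeku.der
echo "delegated signer with OCSPSigning, CA trusted:  $(verify delegated.der ca.crt)"    # ok
echo "same response, our CA absent from trust store:  $(verify delegated.der other.crt)" # fail
echo "signer issued by our CA but no OCSPSigning EKU: $(verify noeku.der ca.crt)"        # fail
```

Run it as-is; it needs only openssl and writes everything under a temporary directory it removes on exit. To see why a case fails, drop the `2>&1 || true` in verify and read the error openssl prints: the missing-trust case reports a chain-building error, the missing-EKU case reports a missing OCSP signing usage (and, as the fallback, that the root is not explicitly trusted as a responder). The same three conditions apply to the NSS check p11_child performs, which is why both "CA certificate of the responder is missing from the nssdb" and "responder certificate lacks the OCSPSigning EKU or was issued by a different CA" end in the one error code quoted above.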
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org