On Thu, Apr 27, 2017 at 03:27:47PM -0000, tallinn1960(a)yahoo.de wrote:
> Thank you, EKU clientAuth was missing, including it got p11_child
> working.
> However still no luck with using the key with sssd and pkinit. kinit works fine with the
> key, but login (tty and lightdm) never asks for the pin. Instead it ask for a password two
> times and accepts the second as a local user-no-kerberos-login, when the key is plugged
> in, and only one time when the key is not plugged in, giving me a kerberos login with
> ticket.
You most probably have to tweak your PAM configuration. In Fedora
something like
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
is used. The pam_localuser line makes sure pam_unix (which can only ask
for a password) is only used for local user and pam_sss can prompt for
SSSD users.
Additionally you might need to call
touch /var/lib/sss/pubconf/pam_preauth_available
to enable an additional round-trip between pam_sss and SSSD to check
which authentication methods are available for the user so that pam_sss
can prompt accordingly. Since this round-trip adds some time to the
login process it is not activated by default.
HTH
bye,
Sumit
>
> I looked into the code and did some debugging and found that krb5_child signals
> SSS_CERT_AUTH_PROMPTING (code 12) to pam_sss, which it does not know how to handle. But I
> may be totally mistaken here. And anyway without clue.
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
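The control flow Sumit describes (pam_localuser's `[default=1 success=ok]` jumping over pam_unix for non-local users, so that only pam_sss prompts SSSD users), shown as an added example that is not part of this thread and not SSSD or Linux-PAM code: a small Python model of the pam.conf(5) action semantics, run over the Fedora stack quoted above and over a constructed stack without the jump. The module behaviours, the user records and the second stack are simplified and constructed for illustration; `N` jumps are modelled as a plain skip.

```python
# Added example (not from the thread, SSSD or Linux-PAM): simulate how a PAM
# auth stack dispatches, to show which module gets to prompt which user.
PAM_SUCCESS = "success"

# Expansion of the historical keywords, as documented in pam.conf(5).
STANDARD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(token):
    """Turn 'required' or '[default=1 success=ok]' into a {retval: action} map."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token[1:-1].split())
    return STANDARD_CONTROLS[token]


def parse_stack(text):
    """Parse 'auth <control> <module> [args...]' lines into (control, module, args)."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rest = line.split(None, 1)[1]              # drop the 'auth' type column
        if rest.startswith("["):                   # bracketed control may contain spaces
            end = rest.index("]")
            control, rest = rest[:end + 1], rest[end + 1:]
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        stack.append((parse_control(control), module, args))
    return stack


# Simplified, constructed module behaviours. A user is a dict with keys
# local (in /etc/passwd), uid and card (smart card plugged in).
def pam_env(user, args, prompts):
    return PAM_SUCCESS


def pam_localuser(user, args, prompts):
    return PAM_SUCCESS if user["local"] else "user_unknown"


def pam_unix(user, args, prompts):
    # pam_unix can only ever ask for a password; it knows nothing about cards.
    if "try_first_pass" not in args or "Password" not in prompts:
        prompts.append("Password")
    return PAM_SUCCESS if user["local"] else "user_unknown"


def pam_succeed_if(user, args, prompts):
    # Only the 'uid >= N' form used in the thread's stack is modelled.
    return PAM_SUCCESS if user["uid"] >= int(args[2]) else "auth_err"


def pam_sss(user, args, prompts):
    if user["local"]:
        return "user_unknown"
    if user["card"]:                 # SSSD knows the card, so it can ask for the PIN
        prompts.append("PIN")
    elif "Password" not in prompts:  # otherwise reuse a forwarded password or ask
        prompts.append("Password")
    return PAM_SUCCESS


def pam_deny(user, args, prompts):
    return "auth_err"


MODULES = {"pam_env.so": pam_env, "pam_localuser.so": pam_localuser,
           "pam_unix.so": pam_unix, "pam_succeed_if.so": pam_succeed_if,
           "pam_sss.so": pam_sss, "pam_deny.so": pam_deny}


def run_auth(stack, user):
    """Walk the stack with pam.conf(5) action semantics; return (result, prompts seen)."""
    impression = None            # None: undecided, True: positive, False: negative
    status = PAM_SUCCESS
    prompts, skip = [], 0
    for control, module, args in stack:
        if skip:                 # inside a jump: this module is not even called
            skip -= 1
            continue
        retval = MODULES[module](user, args, prompts)
        action = control.get(retval, control.get("default", "bad"))
        if action.isdigit():     # 'N': jump over the next N modules (simplified: pure skip)
            skip = int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, retval
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        # "ignore": nothing recorded, continue with the next module
    return status, prompts


FEDORA_STACK = """
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# Constructed counter-example: no pam_localuser jump, so pam_unix runs (and
# prompts for a password) before pam_sss gets a chance to ask for the PIN.
NAIVE_STACK = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

LOCAL_USER = {"local": True, "uid": 1000, "card": False}        # constructed
SSSD_CARD_USER = {"local": False, "uid": 1500, "card": True}    # constructed


def simulate(stack_text, user):
    return run_auth(parse_stack(stack_text), user)


if __name__ == "__main__":
    for name, stack in (("fedora", FEDORA_STACK), ("naive", NAIVE_STACK)):
        for label, user in (("local", LOCAL_USER), ("sssd+card", SSSD_CARD_USER)):
            print(name, label, simulate(stack, user))
```

With the Fedora stack the local user sees one password prompt from pam_unix and the SSSD card user sees only a PIN prompt from pam_sss; with the constructed stack the card user is asked for a password by pam_unix first, which is the symptom of letting a password-only module run before pam_sss.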