Hello,
I would like to implement smartcard authentication to Microsoft AD with sssd on Ubuntu
20.04 LTS.
I am able to log in to AD with a password, but when I try to use a smart card, after a minute-long timeout the password window pops up, and even when I enter the correct password I get the
following error: "Authentication failure".
When I run kinit with the smart card for the same user, it succeeds and I get a TGT.
I would appreciate your help on this subject.
I have attached the configuration files (krb5.conf, sssd.conf) and the log file
(krb5_child.log).
Thank you,
Rudi
#####################################
krb5.conf
#####################################
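[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = DOMAIN.TEST
# dns_lookup_realm = true
# dns_lookup_kdc = true
# Lifetimes are krb5 duration strings. As posted, the ticket_lifetime line
# ended in a stray trailing " #"; krb5.conf only treats whole lines that
# begin with # or ; as comments, so the marker would most likely have been
# read as part of the value. Dropped here.
ticket_lifetime = 24h
renew_lifetime = 7d
# forwardable = true
# rdns = false
# PKINIT client settings. pkinit_kdc_hostname is the DC name the client
# accepts in the KDC certificate; pkinit_anchors and pkinit_pool hold the CA
# certificates used to validate that certificate (both point at the same
# directory here).
pkinit_kdc_hostname = DC.DOMAIN.TEST
# pkinit_allow_upn = true
pkinit_anchors = DIR:/etc/rootcas/
pkinit_pool = DIR:/etc/rootcas/
# PKCS#11 module used as the client identity (e.g. by kinit).
# NOTE(review): krb5_child.log lists the identity as
# PKCS11:module_name=/lib/libsadaptor.so:slotid=2:token=Crypto Token, i.e.
# this module after it was opened; whether that entry came from this line or
# was supplied by SSSD cannot be told from the log alone.
pkinit_identities = PKCS11:/lib/libsadaptor.so
default_ccache_name = KEYRING:persistent:%{uid}
canonicalize = true
# The following krb5.conf variables are only for MIT Kerberos.
# kdc_timesync = 1
# ccache_type = 4
# proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true

[realms]
# There is no entry for DOMAIN.TEST: the KDC for the default realm is located
# at run time (krb5_child.log shows 10.0.0.3:88 being contacted), presumably
# through DNS SRV records. The realms below appear to be the example realms
# shipped with the distribution's krb5.conf and are unrelated to DOMAIN.TEST.
# As posted, each "key =" and its value had been split across two lines;
# they are re-joined here, since a line without "=" is not a valid relation.
ATHENA.MIT.EDU = {
    kdc = kerberos.mit.edu
    kdc = kerberos-1.mit.edu
    kdc = kerberos-2.mit.edu:88
    admin_server = kerberos.mit.edu
    default_domain = mit.edu
}
ZONE.MIT.EDU = {
    kdc = casio.mit.edu
    kdc = seiko.mit.edu
    admin_server = casio.mit.edu
}
CSAIL.MIT.EDU = {
    admin_server = kerberos.csail.mit.edu
    default_domain = csail.mit.edu
}
IHTFP.ORG = {
    kdc = kerberos.ihtfp.org
    admin_server = kerberos.ihtfp.org
}
1TS.ORG = {
    kdc = kerberos.1ts.org
    admin_server = kerberos.1ts.org
}
ANDREW.CMU.EDU = {
    admin_server = kerberos.andrew.cmu.edu
    default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
    kdc = kerberos-1.srv.cs.cmu.edu
    kdc = kerberos-2.srv.cs.cmu.edu
    kdc = kerberos-3.srv.cs.cmu.edu
    admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
    kdc = kerberos.dementix.org
    kdc = kerberos2.dementix.org
    admin_server = kerberos.dementix.org
}
stanford.edu = {
    kdc = krb5auth1.stanford.edu
    kdc = krb5auth2.stanford.edu
    kdc = krb5auth3.stanford.edu
    master_kdc = krb5auth1.stanford.edu
    admin_server = krb5-admin.stanford.edu
    default_domain = stanford.edu
}
UTORONTO.CA = {
    kdc = kerberos1.utoronto.ca
    kdc = kerberos2.utoronto.ca
    kdc = kerberos3.utoronto.ca
    admin_server = kerberos1.utoronto.ca
    default_domain = utoronto.ca
}

[domain_realm]
# Host/domain to realm mappings, re-joined onto single lines as above.
# No mapping for domain.test is present; the default_realm is used for it.
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA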
######################
sssd.conf
######################
# sssd.conf as posted; keys regrouped by purpose, values unchanged.
[sssd]
config_file_version = 2
services = nss, pam
domains = domain.test
# 10 is the most verbose level; the attached krb5_child.log was produced at
# this level and includes UPN, uid/gid and ccache names. Lower it once the
# problem is resolved.
debug_level = 10

[domain/domain.test]
debug_level = 10
# AD backs identity lookup, authentication and access control.
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = domain.test
krb5_realm = DOMAIN.TEST
# written by realmd when the machine was joined with adcli
realmd_tags = manages-system joined-with-adcli
ldap_id_mapping = True
# offline credential caching is left disabled
# cache_credentials = True
# krb5_store_password_if_offline = True
# short user names are accepted; %u@%d in the home path expands per user
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u@%d

[pam]
debug_level = 10
# enables smart-card (certificate) authentication in the PAM responder
# NOTE(review): the attached krb5_child.log is the pre-auth probe
# ("Will perform pre-auth", finishing with "Received error code 0" and
# "krb5_child completed successfully"), not the failing login; the
# krb5_child log from the subsequent authentication request is the one that
# would show where the PIN/certificate step fails.
pam_cert_auth = True
#######################
krb5-child.log
#######################
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): krb5_child
started.
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x1000): total
buffer size: [152]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): cmd [249]
uid [270401103] gid [270400513] validate [true] enterprise principal [true] offline
[false] UPN [test_user(a)DOMAIN.TEST]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): ccname:
[KEYRING:persistent:270401103] old_ccname: [KEYRING:persistent:270401103] keytab:
[/etc/krb5.keytab]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [check_use_fast] (0x0100): Not
using FAST.
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [become_user] (0x0200): Trying to
become user [270401103][270400513].
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x2000): Running as
[270401103][270400513].
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] (0x0100): No
specific renewable lifetime requested.
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] (0x0100): No
specific lifetime requested.
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_canonicalize_option] (0x0100):
Canonicalization is set to [true]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): Will perform
pre-auth
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [tgt_req_child] (0x1000):
Attempting to get a TGT
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] (0x0400):
Attempting kinit for realm [DOMAIN.TEST]
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874510: Getting initial credentials for
test_user\@DOMAIN.TEST(a)DOMAIN.TEST
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874512: Sending unauthenticated request
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874513: Sending request (229 bytes) to DOMAIN.TEST
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874514: Sending initial UDP request to dgram 10.0.0.3:88
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874515: Received answer (197 bytes) from dgram 10.0.0.3:88
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874516: Response was from master KDC
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874517: Received error from KDC: -1765328359/Additional
pre-authentication required
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874520: Preauthenticating using KDC method data
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874521: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD
(15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984653.874522: Selected etype info: etype aes256-cts, salt
"DOMAIN.TESTtest_user", params ""
(Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_responder] (0x4000): Got
question [pkinit].
(Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] (0x4000): [0]
Identity [PKCS11:module_name=/lib/libsadaptor.so:slotid=2:token=Crypto Token] flags [0].
(Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] (0x4000): Setting
pkinit_prompting.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000):
sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000):
Prompt [0][Crypto Token PIN].
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020):
Cannot handle password prompts.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984656.291326: PKINIT client has no configured identity; giving up
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984656.291327: Preauth module pkinit (16) (real) returned:
-1765328360/Preauthentication failed
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984656.291328: PKINIT client ignoring draft 9 offer from RFC 4556 KDC
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984656.291329: Preauth module pkinit (15) (real) returned:
-1765328360/Preauthentication failed
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000):
sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x4000):
Prompt [0][Password for test_user\@DOMAIN.TEST(a)DOMAIN.TEST].
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020):
Cannot handle password prompts.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000):
[75227] 1610984656.291330: Preauth module encrypted_timestamp (2) (real) returned:
-1765328254/Cannot read password
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_get_init_creds_password]
(0x0020): 1627: [-1765328174][Pre-authentication failed: Preauthentication failed]
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] (0x0400):
krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] (0x0200): Received
error code 0
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [pack_response_packet] (0x2000):
response packet size: [12]
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] (0x4000): Response
sent.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): krb5_child
completed successfully