On Thu, Aug 15, 2019 at 05:00:45PM -0000, Eremeev Vladimir wrote:
Hello all.
I have CentOS 7.6 with the latest updates. After using realmd, authentication of AD users with
a password works well.
I am trying to use smartcards to authenticate AD users on the Linux machines.
After a lot of googling I can use PKINIT to obtain Kerberos tickets for a user by using a
smartcard and a PIN code. This is my krb5.conf:
# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = "Domain"
pkinit_anchors = FILE:/etc/pki/nssdb/ca.cer
pkinit_identities = PKCS11:/usr/lib64/libeTPkcs11.so
pkinit_eku_checking = kpServerAuth
pkinit_kdc_hostname = "Domain controller1"
pkinit_kdc_hostname = "Domain controller2"
pkinit_kdc_hostname = "Domain controller3"
canonicalize = True
[realms]
"Domain" {
kdc = "Domain controller1"
kdc = "Domain controller2"
kdc = "Domain controller3"
admin_server = "Domain controller1"
default_domain = "Domain"
}
[domain_realm]
domain = DOMAIN
.domain = DOMAIN
I put this section in sssd.conf:
[pam]
pam_cert_auth = true
I think the next step will be to configure the pam.d files, but at this step I ran into some
problems.
Maybe somebody can send me working files from pam.d?
What is the next step to make authentication work for the GNOME Desktop on CentOS 7.6?
PS: "authconfig --enablesssd --enablesssdauth --enablesmartcard
--smartcardmodule=sssd --smartcardaction=1 --updateall" doesn't work well for me.
Hi,
please check if the pam_pkcs11 package is removed before calling
authconfig. To avoid breaking existing setups there are some precautions
in authconfig.
For reference here is a /etc/pam.d/smartcard-auth that worked for me:
"""
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_sss.so allow_missing_name
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
"""
Additionally you have to add the certificate data to the userCertificate
attribute of the user in AD so that SSSD can map the certificate to the
user. The more flexible mapping and matching rules for the AD provider
are currently only available in RHEL-8.
HTH
bye,
Sumit
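As an added example that is not part of this thread (it is neither Sumit's nor Vladimir's code, nor SSSD's own tooling), here is a small bash script for the mapping step Sumit describes: it pulls the certificate off the card with pkcs11-tool, checks with openssl that it is a parsable X.509 certificate and shows its subject, builds an RFC 2849 LDIF and writes it into the AD user's userCertificate attribute with ldapmodify over GSSAPI, then reads the attribute back. The PKCS#11 module path is the one from the krb5.conf above; the certificate object id, the domain controller name and the user DN are assumptions, as is the presence of opensc, openssl and openldap-clients on the CentOS 7 host and a Kerberos ticket for an account allowed to modify the user object.

```shell
#!/bin/bash
# Added example, not code from the thread: publish the card's certificate to the
# AD user's userCertificate attribute so that SSSD (pam_cert_auth = true) can map
# the card to the account. Assumes CentOS 7 with opensc (pkcs11-tool), openssl and
# openldap-clients (ldapmodify/ldapsearch), plus a Kerberos ticket that is allowed
# to write the user object. Module path is the one from Vladimir's krb5.conf; the
# object id, DC host and user DN below are placeholders.
set -e

PKCS11_MODULE=${PKCS11_MODULE:-/usr/lib64/libeTPkcs11.so}
CERT_ID=${CERT_ID:-01}            # assumed object id of the user cert on the card

# Read the certificate object off the card as DER (the module prompts for the PIN).
read_card_cert() {                # $1 = output .der path
    pkcs11-tool --module "$PKCS11_MODULE" --read-object --type cert --id "$CERT_ID" -o "$1"
}

# Refuse to publish anything that is not a parsable X.509 certificate, and print
# the subject and expiry so the admin can confirm it belongs to the user being modified.
check_cert() {                    # $1 = DER file
    openssl x509 -inform der -in "$1" -noout -subject -enddate
}

# Build an RFC 2849 LDIF modify: "::" marks a base64-encoded value, lines are folded
# to at most 76 columns and continuation lines start with a single space. The raw
# DER bytes are what AD stores in userCertificate and what SSSD compares against
# the certificate presented by the card.
cert_to_ldif() {                  # $1 = DER file, $2 = user DN
    local b64
    b64=$(base64 -w 0 < "$1")
    printf 'dn: %s\nchangetype: modify\nreplace: userCertificate\n' "$2"
    printf 'userCertificate:: %s\n' "$b64" | fold -w 75 | sed '2,$s/^/ /'
    printf -- '-\n'
}

# End to end: card -> DER -> LDIF -> AD, then read the attribute back to verify.
publish_cert() {                  # $1 = DC hostname, $2 = user DN
    local der ldif
    der=$(mktemp) ; ldif=$(mktemp)
    read_card_cert "$der"
    check_cert "$der"
    cert_to_ldif "$der" "$2" > "$ldif"
    ldapmodify -Y GSSAPI -H "ldap://$1" -f "$ldif"
    ldapsearch -LLL -Y GSSAPI -H "ldap://$1" -b "$2" -s base userCertificate
    rm -f "$der" "$ldif"
}

# Usage: ./publish-cert.sh dc1.example.com 'CN=jdoe,CN=Users,DC=example,DC=com'
if [ "$#" -eq 2 ]; then
    publish_cert "$1" "$2"
fi
```

The LDIF is generated rather than typed by hand because the value is binary: a certificate pasted as PEM text, or with the base64 lines folded without the leading space, produces an attribute that never matches the card, and pam_sss then silently falls back to asking for a password.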
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...