On Mon, Jul 18, 2016 at 09:54:37AM -0400, Rob Crittenden wrote:
> Sumit Bose wrote:
> > On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
> > > On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
> > > > On (16/07/16 10:19), Martin Štefany wrote:
> > > > >
> > > > > Hello Sumit,
> > > > >
> > > > > seems that upgrade to F24 broke things again. This time no AVCs,
> > > > > empty SSSD logs, but same problem: 'Error looking up public keys'.
> > > > >
> > > > > selinux-policy-3.13.1-191.fc24.3.noarch
> > > > > selinux-policy-targeted-3.13.1-191.fc24.3.noarch
> > > > > sssd-1.13.4-3.fc24.x86_64
> > > > >
> > > > Fedora 23 and Fedora 24 have the same version of sssd
> > > > and almost the same version of openssh.
> > > > I have no idea what could break it if there are not any AVCs.
> > > > >
> > > > > Using debug_level 0x0250 ::
> > > > >
> > > > For troubleshooting, it would be better to see all
> > > > debug messages. (debug_level = 0xfff0)
> > >
> > > Hello Lukas,
> > >
> > > thanks for replying on this, here are the debug_level = 0xfff0 messages
> > >
> > > ...
> > >
> > > (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
> > > CERT_VerifyCertificateNow failed [-8179].
> > > (Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
> > > cert_to_ssh_key failed.
> >
> > -8179 translates to "Peer's certificate issuer is not recognized."
> > (http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
> > This means the CA certificate which signed the certificate on the
> > Smartcard is missing in /etc/pki/nssdb, which is used by default by SSSD.
> >
> > Recent versions of IPA put the IPA CA certificates only in /etc/ipa/nssdb;
> > this might be the reason why you see this with F24.
> >
> > To fix this please either add the needed CA certificates to
> > /etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
> > [ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
> > certificates to validate the Smartcard certificate.
> >
> > I'm working on a fix for SSSD to handle this change
> > automatically, but unfortunately it is not ready yet.
>
> The client installer should be adding the IPA CA to the system certificate
> store which should be picked up automagically by OpenSSL and NSS
> applications. I think I'd start there to see if that happened.

The responsibility for this was delegated to p11-kit in
11592dde1b232a70f318e01f5271b38890090648. Not sure if it was expected that
p11-kit-proxy will be added to /etc/pki/nssdb by default?

bye,
Sumit

>
> rob
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
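Added example, not SSSD or FreeIPA project code and not part of the thread above. It turns Sumit's diagnosis and his two remedies into checks that can be scripted: confirm that the sssd_ssh log really reports NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER, "Peer's certificate issuer is not recognized"), work out which NSS database holds a copy of the IPA CA that is trusted to issue client certificates, and then either point the [ssh] section of sssd.conf at that database or import the CA into SSSD's default one. The CA nickname, /etc/ipa/ca.crt as the PEM source, the assumption that SSSD verifies the smartcard certificate for client-auth usage (so the 'T' SSL trust flag matters), and all sample outputs are constructed for the example; the database paths and the error code come from the thread.

```python
# Added example (not SSSD/FreeIPA code): script the checks and remedies from the thread.
import configparser
import io
import re

NSS_ERRORS = {-8179: "SEC_ERROR_UNKNOWN_ISSUER"}  # SEC_ERROR_BASE (-8192) + 13
SYSTEM_NSSDB = "/etc/pki/nssdb"  # SSSD's default ca_db (from the thread)
IPA_NSSDB = "/etc/ipa/nssdb"     # where recent ipa-client-install puts the CA
IPA_CA_PEM = "/etc/ipa/ca.crt"   # assumption: PEM copy written by the installer

_VERIFY_RE = re.compile(r"CERT_VerifyCertificateNow failed \[(-?\d+)\]")


def nss_verify_errors(sssd_log):
    """Names of the NSS errors that cert_to_ssh_key logged."""
    return [NSS_ERRORS.get(int(m.group(1)), f"NSS error {m.group(1)}")
            for m in _VERIFY_RE.finditer(sssd_log)]


def parse_certutil_listing(listing):
    """Parse `certutil -L -d sql:<db>` output into {nickname: trust flags}."""
    certs, in_body = {}, False
    for line in listing.splitlines():
        if not in_body:  # skip everything up to the "SSL,S/MIME,JAR/XPI" header
            in_body = line.strip().startswith("SSL,S/MIME")
            continue
        if line.strip():
            # nicknames may contain spaces; the trust flags are the last token
            nick, _, flags = line.rstrip().rpartition(" ")
            certs[nick.strip()] = flags
    return certs


def trusted_client_cas(listing):
    """Nicknames whose SSL trust column carries 'T' (trusted to issue client
    certs, which is what a client-auth verification needs; `-t CT,C,C` sets it)."""
    return {nick for nick, flags in parse_certutil_listing(listing).items()
            if "T" in flags.split(",")[0]}


def plan_fix(system_listing, ipa_listing, ca_nick):
    """Pick the remedy from the thread: nothing, set ca_db, or import the CA."""
    if ca_nick in trusted_client_cas(system_listing):
        return ("ok", None)
    if ca_nick in trusted_client_cas(ipa_listing):
        return ("set_ca_db", IPA_NSSDB)
    # Neither database trusts the CA: import it with CA trust into the default one.
    return ("import", ["certutil", "-A", "-d", f"sql:{SYSTEM_NSSDB}", "-n", ca_nick,
                       "-t", "CT,C,C", "-a", "-i", IPA_CA_PEM])


def _load(sssd_conf):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(sssd_conf)
    return cp


def ssh_ca_db(sssd_conf):
    """The ca_db configured in [ssh], or None if SSSD falls back to its default."""
    return _load(sssd_conf).get("ssh", "ca_db", fallback=None)


def ensure_ssh_ca_db(sssd_conf, ca_db):
    """Return sssd.conf text with `ca_db = <ca_db>` in [ssh]; idempotent."""
    cp = _load(sssd_conf)
    if not cp.has_section("ssh"):
        cp.add_section("ssh")
    cp.set("ssh", "ca_db", ca_db)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# --- constructed samples (not captured from a real host) ---
SAMPLE_LOG = """\
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040): cert_to_ssh_key failed.
"""
CERTUTIL_HEADER = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

"""
SAMPLE_SYSTEM_DB = CERTUTIL_HEADER  # /etc/pki/nssdb with no CA at all
SAMPLE_IPA_DB = CERTUTIL_HEADER + "EXAMPLE.COM IPA CA                                           CT,C,C\n"
SAMPLE_CONF = """\
[sssd]
services = nss, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ipa
"""

if __name__ == "__main__":
    print(nss_verify_errors(SAMPLE_LOG))
    action, detail = plan_fix(SAMPLE_SYSTEM_DB, SAMPLE_IPA_DB, "EXAMPLE.COM IPA CA")
    print(action, detail)
    if action == "set_ca_db":
        print(ensure_ssh_ca_db(SAMPLE_CONF, detail))
```

Note that configparser rewrites the file in canonical `key = value` form and drops comments, so on a real host diff the result against the original before installing it, and restart sssd afterwards so the ssh responder picks up the new ca_db.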