That works, but it is only pre-auth mode.  In --auth mode it fails, but I
don't think that's relevant since it fails the same way on Fedora too.

The problem seems to be that on Ubuntu, --auth mode is never called.  On
Fedora p11_child is called twice.  Once with --pre and then a second time
with --auth.  In the log you see:

$ egrep 'main|verified' p11_child.log
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x0400):
p11_child started.
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000):
Running in [pre-auth] mode.
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000):
Running with effective IDs: [0][0].
(Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000):
Running with real IDs [0][0].
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x0400):
p11_child started.
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000):
Running in [auth] mode.
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000):
Running with effective IDs: [0][0].
(Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000):
Running with real IDs [0][0].
(Thu Sep 28 14:23:23 2017) [[sssd[p11_child[15378]]]] [do_work] (0x4000):
Certificate verified and validated.

I've trimmed the log to what (I think) was interesting.  I can send
everything if you need it.

For Ubuntu, the log stops after the first invocation of p11_child and you
never see the [auth] mode call.  Otherwise the logs are the same.

Steve


On Fri, Sep 29, 2017 at 3:17 AM, Sumit Bose <sb...@redhat.com> wrote:

> On Thu, Sep 28, 2017 at 02:35:55PM -0400, Steve Weeks wrote:
> > Progress, but still not using the smartcard and falling back to the
> > password.
> >
> > I changed to change the pam_sss line in common-auth too:
> >
> > auth    [default=1 success=ok]          pam_localuser.so
> > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > #auth [success=1 default=ignore] pam_sss.so use_first_pass
> > auth    sufficient                      pam_sss.so forward_pass
> >
> > Now p11_child is called, but doesn't validate the certificate.  On Fedora
> > the final line in p11_child.log is "Certificate verified and validated".
> > On Ubuntu that line is missing.
> >
> > The root certificate is in the certdb.  (certutil -d /etc/pki/nssdb -L).
> >
> > Is there a way to do what p11_child does from the command line or with
> > better logging so I can see what it doesn't like?  I have debug_level = 9 on
> > everything at the moment.
>
>     /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
>
> should do the trick.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks,
> > Steve
> >
> >
> > On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose <sb...@redhat.com> wrote:
> >
> > > On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
> > > > In all cases on both systems pam_unix comes before pam_sss.  For example
> > > > in Fedora system-auth it is:
> > >
> > > On recent Fedora systems you should have
> > >
> > > auth        [default=1 success=ok] pam_localuser.so
> > >
> > > before the lines below. This will call pam_unix only for users from
> > > /etc/passwd and skip it otherwise (default=1). Maybe something
> > > like this would help on Ubuntu as well?
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> > > > auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> > > > auth        sufficient    pam_sss.so forward_pass
> > > >
> > > > and in Ubuntu common-auth it is:
> > > >
> > > > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > > > auth [success=1 default=ignore] pam_sss.so use_first_pass
> > > >
> > > > I tried reversing the lines and get a pam error about user not known (it
> > > > is an AD user which works fine on Fedora).
> > > >
> > > > Also, it looks like pam_pkcs11.so is used in smartcard-auth on Fedora.
> > > > Don't know if this is relevant or not.
> > > >
> > > > Steve
> > > >
> > > >
> > > > On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users <
> > > > freeipa-users@lists.fedorahosted.org> wrote:
> > > >
> > > > > On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via FreeIPA-users
> > > > > wrote:
> > > > > > We have smartcards (PIV) working just fine on Fedora 25 with FreeIPA
> > > > > > client version 4.4.4 (SSSD 1.14.2).  However on Ubuntu 16.04, FreeIPA
> > > > > > client 4.3.1, SSSD 1.13.4 the smartcard seems to be ignored.
> > > > > >
> > > > > > The smartcard is readable using pkcs11-tools and pkcs15-tools on both
> > > > > > systems.
> > > > > >
> > > > > > On both systems sssd.conf contains:
> > > > > > [pam]
> > > > > > pam_cert_auth = True
> > > > > >
> > > > > > I've turned the sssd logging up to 9 on both systems and it looks like
> > > > > > p11_child is never called on the Ubuntu system.  On the Ubuntu system
> > > > > > p11_child.log is empty and there is no sign of it being started in the
> > > > > > sssd_pam.log.
> > > > > >
> > > > > > Any suggestions on what I should look at next?
> > > > >
> > > > > What does your PAM configuration look like? You have to make sure that
> > > > > pam_sss.so is the first module called for SSSD users. If pam_unix comes
> > > > > first it will ask for a Password and pass it on to pam_sss.so which will
> > > > > try password authentication in this case.
> > > > >
> > > > > HTH
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > >
> > > > > > Thanks,
> > > > > > Steve
> > > > >
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
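The whole thread turns on how the auth stack is walked: pam_unix placed before pam_sss collects a password that pam_sss then uses (so p11_child never gets a chance), while Sumit's pam_localuser line with default=1 skips pam_unix for users that are not in /etc/passwd. The following is an added example, not code from the thread and not SSSD or Linux-PAM code: a small Python model of the pam.conf(5) action semantics (ok, done, bad, die, ignore, skip-N) run over the Ubuntu and Fedora auth stacks quoted above. The local and AD user sets, the reduced module behaviour, and the stock pam_deny/pam_permit lines that Ubuntu's success=N jumps land on are constructed assumptions; the thread quotes only the pam_unix and pam_sss lines.

```python
"""Walk the pam.d auth stacks quoted in this thread with pam.conf(5) action rules.

Added example, not SSSD or Linux-PAM code and not from the thread. It models only
what the discussion turns on: pam_unix placed before pam_sss collects a password
that pam_sss then uses, while pam_localuser with default=1 skips pam_unix for
users that are not in /etc/passwd. Constructed assumptions: the local and AD user
sets, the reduced module behaviour, and the stock pam_deny/pam_permit lines that
the Ubuntu success=N jumps land on (the thread quotes only pam_unix and pam_sss).
"""

LOCAL_USERS = {"root", "alice"}      # stand-in for /etc/passwd (constructed)
REMOTE_USERS = {"steve@ad.example"}  # stand-in for AD/IPA users (constructed)

# Keyword controls spelled out as their bracketed equivalents from pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}


def parse_control(control):
    """'sufficient' or '[success=2 default=ignore]' -> {result: action}."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError(f"bad control field: {control}")
    return dict(item.split("=", 1) for item in control[1:-1].split())


def run_module(module, user, state):
    """Reduced module behaviour; returns 'success' or a PAM error name."""
    if module == "pam_localuser.so":
        return "success" if user in LOCAL_USERS else "user_unknown"
    if module == "pam_unix.so":
        # pam_unix prompts before it can know the user is not local.
        state["password_collected"] = True
        state["trace"].append("pam_unix prompted for a password")
        return "success" if user in LOCAL_USERS else "user_unknown"
    if module == "pam_succeed_if.so":
        return "success"  # treat the uid >= 1000 test as true (constructed)
    if module == "pam_sss.so":
        if user not in REMOTE_USERS:
            return "user_unknown"
        if state["password_collected"]:
            state["trace"].append("pam_sss authenticated with the forwarded password")
        else:
            state["trace"].append("pam_sss asked for the smartcard PIN (p11_child)")
        return "success"
    if module == "pam_deny.so":
        return "auth_err"
    if module == "pam_permit.so":
        return "success"
    raise ValueError(f"no model for {module}")


def evaluate_stack(stack, user):
    """Return ('success' | 'failure', trace) for a list of (control, module).

    Actions: ok records success unless a failure is recorded; done is ok and
    stop; bad records failure; die is bad and stop; ignore does nothing;
    a number N skips the next N lines.
    """
    state = {"password_collected": False, "trace": []}
    status, i = None, 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        actions = parse_control(control)
        result = run_module(module, user, state)
        action = actions.get(result, actions.get("default", "bad"))
        if action in ("ok", "done") and status != "failure":
            status = "success"
        elif action in ("bad", "die"):
            status = "failure"
        elif action.isdigit():
            i += int(action)
        if action in ("done", "die"):
            break
    return status or "failure", state["trace"]


# Ubuntu 16.04 common-auth as quoted, plus the assumed deny/permit lines.
UBUNTU_ORIGINAL = [
    ("[success=2 default=ignore]", "pam_unix.so"),
    ("[success=1 default=ignore]", "pam_sss.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]

# Fedora system-auth as quoted: pam_localuser skips pam_unix for non-local users.
FEDORA_STYLE = [
    ("[default=1 success=ok]", "pam_localuser.so"),
    ("[success=done ignore=ignore default=die]", "pam_unix.so"),
    ("requisite", "pam_succeed_if.so"),
    ("sufficient", "pam_sss.so"),
    ("required", "pam_deny.so"),
]

if __name__ == "__main__":
    for name, stack in (("ubuntu", UBUNTU_ORIGINAL), ("fedora", FEDORA_STYLE)):
        for user in ("alice", "steve@ad.example"):
            print(name, user, *evaluate_stack(stack, user))
```

Running it shows the two traces side by side: on the Ubuntu stack the AD user passes only after pam_unix has prompted and pam_sss has consumed that password, whereas on the Fedora-style stack pam_unix is skipped and pam_sss is the first module to talk to the user, which is the condition under which it asks for the smartcard PIN. The local user still goes through pam_unix on both stacks.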
