On Thu, Oct 05, 2017 at 02:55:19PM -0400, Steve Weeks wrote:
> No.  The user is just in a group that is mapped between AD and IPA.  Pretty
> vanilla, just like the examples.

But this is not related to Smartcard authentication. Can you send me the
full sssd_your.domain.log files from Fedora and Ubuntu with
debug_level=10 in the [domain/...] section of sssd.conf? Feel free to
send them to me directly if you do not want to share them on the list.

bye,
Sumit

> 
> Steve
> 
> 
> On Thu, Oct 5, 2017 at 2:47 PM, Sumit Bose <sb...@redhat.com> wrote:
> 
> > On Thu, Oct 05, 2017 at 02:14:57PM -0400, Steve Weeks wrote:
> > > The problem is definitely in sss_pam.  From the logs, it sounds like it
> > > can't get the certificate from the server.
> > >
> > > p11_child works the same on both Fedora 25 and Ubuntu 16.04 in both
> > > pre-auth and auth mode.  To run in auth mode, change the command line to:
> > >
> > > echo PIN |  /usr/libexec/sssd/p11_child -d 10 --debug-fd=1
> > > --nssdb=/etc/pki/nssdb --auth --pin
> > >
> > > Running from the command line, both Fedora and Ubuntu return the same
> > > results in either mode.
> > >
> > > On Ubuntu running a real login, auth mode is never called.  The
> > > sssd_pam.log files are different.  I've attached the full logs, but this
> > > is what seems to be the problem.
> > >
> > > Fedora, which works fine:
> > >
> > > [sss_dp_issue_request] (0x0400): Issuing request for
> > > [0x55e4aeaaa710:8:MIIHdjCCBV6gAwIBAgIT..
> > > [sss_dp_get_account_msg] (0x0400): Creating request for
> > > [ipa.example.com][*0x14][BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV...
> > > [sss_dp_internal_get_send] (0x0400): Entering request
> > > [0x55e4aeaaa710:8:MIIHdjCCBV6gA.......
> > > [cache_req_cache_search] (0x0040): Cache Request [User by certificate #0]:
> > > Cannot find info for [CERT:S/kgorj...@ipa.example.com]
> > > [child_sig_handler] (0x1000): Waiting for child [5701].
> > > [child_sig_handler] (0x0100): child [5701] finished successfully.
> > > [sbus_remove_timeout] (0x2000): 0x55e4afa97210
> > > [sbus_dispatch] (0x4000): dbus conn: 0x55e4afa9e7d0
> > > [sbus_dispatch] (0x4000): Dispatching.
> > > [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code:
> > > 0 errno: 0 error message: Success
> > >
> > > The same sequence in Ubuntu has a different call parameter and seems to
> > > fail:
> > >
> > > [sss_dp_issue_request] (0x0400): Issuing request for
> > > [0x410090:8:MIIHdjCCBV6...
> > > [sss_dp_get_account_msg] (0x0400): Creating request for
> > > [ipa.example.com][*0x1014][FAST
> > > BE_REQ_BY_CERT*][1][cert=MIIHdjCCBV6gAw...
> > > [sbus_add_timeout] (0x2000): 0xc46200
> > > [sss_dp_internal_get_send] (0x0400): Entering request
> > > [0x410090:8:MIIHdjCCBV6g.....
> > > [child_sig_handler] (0x1000): Waiting for child [9758].
> > > [child_sig_handler] (0x0100): child [9758] finished successfully.
> > > [sbus_remove_timeout] (0x2000): 0xc46200
> > > [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0xc1a220
> > > [sbus_dispatch] (0x4000): Dispatching.
> > > [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code:
> > > 3 errno: 0 error message: Account info lookup failed
> > >
> > > Fedora is running sssd 1.14.2 and Ubuntu is running 1.13.4.  The user is
> > > from an AD trust.  Both systems are attached to the same IPA server.
> >
> > How did you map the certificate to the AD users? Did you create an
> > idoverride for the AD user and add the certificate to the override?
> > Unfortunately this is only supported since sssd-1.14.
> >
> > bye,
> > Sumit
> >
> > >
> > > Is there some configuration change that will make the Ubuntu system
> > > behave like the Fedora system?  I'd really like to use the standard Ubuntu
> > > distribution.
> > >
> > > Thanks,
> > > Steve
> > >
> > >
> > > On Fri, Sep 29, 2017 at 11:17 AM, Steve Weeks <nbxst...@gmail.com> wrote:
> > >
> > > > That works, but it is only pre-auth mode.  In --auth mode it fails,
> > > > but I don't think that is relevant since it fails the same way on Fedora too.
> > > >
> > > > The problem seems to be that on Ubuntu, --auth mode is never called.
> > > > On Fedora p11_child is called twice.  Once with --pre and then a second
> > > > time with --auth.  In the log you see:
> > > >
> > > > $ egrep 'main|verified' p11_child.log
> > > > (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x0400):
> > > > p11_child started.
> > > > (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000):
> > > > Running in [pre-auth] mode.
> > > > (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000):
> > > > Running with effective IDs: [0][0].
> > > > (Thu Sep 28 14:23:19 2017) [[sssd[p11_child[15375]]]] [main] (0x2000):
> > > > Running with real IDs [0][0].
> > > > (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x0400):
> > > > p11_child started.
> > > > (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000):
> > > > Running in [auth] mode.
> > > > (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000):
> > > > Running with effective IDs: [0][0].
> > > > (Thu Sep 28 14:23:22 2017) [[sssd[p11_child[15378]]]] [main] (0x2000):
> > > > Running with real IDs [0][0].
> > > > (Thu Sep 28 14:23:23 2017) [[sssd[p11_child[15378]]]] [do_work] (0x4000):
> > > > Certificate verified and validated.
> > > >
> > > > I've trimmed the log to what (I think) was interesting.  I can send
> > > > everything if you need it.
> > > >
> > > > For Ubuntu, the log stops after the first invocation of p11_child and
> > > > you never see the [auth] mode call.  Otherwise the logs are the same.
> > > >
> > > > Steve
> > > >
> > > >
> > > > On Fri, Sep 29, 2017 at 3:17 AM, Sumit Bose <sb...@redhat.com> wrote:
> > > >
> > > >> On Thu, Sep 28, 2017 at 02:35:55PM -0400, Steve Weeks wrote:
> > > >> > Progress, but still not using the smartcard and falling back to the
> > > >> > password.
> > > >> >
> > > >> > I changed the pam_sss line in common-auth too:
> > > >> >
> > > >> > auth    [default=1 success=ok]          pam_localuser.so
> > > >> > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > > >> > #auth [success=1 default=ignore] pam_sss.so use_first_pass
> > > >> > auth    sufficient                      pam_sss.so forward_pass
> > > >> >
> > > >> > Now p11_child is called, but doesn't validate the certificate.  On
> > > >> > Fedora the final line in p11_child.log is "Certificate verified and
> > > >> > validated".
> > > >> > On Ubuntu that line is missing.
> > > >> >
> > > >> > The root certificate is in the certdb.  (certutil -d /etc/pki/nssdb -L).
> > > >> >
> > > >> > Is there a way to do what p11_child does from the command line or
> > > >> > with better logging so I can see what it doesn't like?  I have
> > > >> > debug_level = 9 on everything at the moment.
> > > >>
> > > >>     /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
> > > >>
> > > >> should do the trick.
> > > >>
> > > >> HTH
> > > >>
> > > >> bye,
> > > >> Sumit
> > > >>
> > > >> >
> > > >> > Thanks,
> > > >> > Steve
> > > >> >
> > > >> >
> > > >> > On Thu, Sep 28, 2017 at 12:43 PM, Sumit Bose <sb...@redhat.com> wrote:
> > > >> >
> > > >> > > On Thu, Sep 28, 2017 at 12:13:38PM -0400, Steve Weeks wrote:
> > > >> > > > In all cases on both systems pam_unix comes before pam_sss.  For
> > > >> > > > example in Fedora system-auth it is:
> > > >> > >
> > > >> > > On recent Fedora systems you should have
> > > >> > >
> > > >> > > auth        [default=1 success=ok] pam_localuser.so
> > > >> > >
> > > >> > > before the lines below. This will call pam_unix only for users
> > > >> > > from /etc/passwd and skip the line otherwise (default=1). Maybe
> > > >> > > something like this would help on Ubuntu as well?
> > > >> > >
> > > >> > > bye,
> > > >> > > Sumit
> > > >> > >
> > > >> > > >
> > > >> > > > auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> > > >> > > > auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> > > >> > > > auth        sufficient    pam_sss.so forward_pass
> > > >> > > >
> > > >> > > > and in Ubuntu common-auth it is:
> > > >> > > >
> > > >> > > > auth [success=2 default=ignore] pam_unix.so nullok_secure
> > > >> > > > auth [success=1 default=ignore] pam_sss.so use_first_pass
> > > >> > > >
> > > >> > > > I tried reversing the lines and get a pam error about user not
> > > >> > > > known (it is an AD user which works fine on Fedora).
> > > >> > > >
> > > >> > > > Also, it looks like pam_pkcs11.so is used in smartcard-auth on
> > > >> > > > Fedora.  Don't know if this is relevant or not.
> > > >> > > >
> > > >> > > > Steve
> > > >> > > >
> > > >> > > >
> > > >> > > > On Thu, Sep 28, 2017 at 11:40 AM, Sumit Bose via FreeIPA-users
> > > >> > > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > >> > > >
> > > >> > > > > On Thu, Sep 28, 2017 at 11:29:27AM -0400, Steve Weeks via
> > > >> > > > > FreeIPA-users wrote:
> > > >> > > > > > We have smartcards (PIV) working just fine on Fedora 25 with
> > > >> > > > > > FreeIPA client version 4.4.4 (SSSD 1.14.2).  However on Ubuntu
> > > >> > > > > > 16.04, FreeIPA client 4.3.1, SSSD 1.13.4 the smartcard seems
> > > >> > > > > > to be ignored.
> > > >> > > > > >
> > > >> > > > > > The smartcard is readable using pkcs11-tools and pkcs15-tools
> > > >> > > > > > on both systems.
> > > >> > > > > >
> > > >> > > > > > On both systems sssd.conf contains:
> > > >> > > > > > [pam]
> > > >> > > > > > pam_cert_auth = True
> > > >> > > > > >
> > > >> > > > > > I've turned the sssd logging up to 9 on both systems and it
> > > >> > > > > > looks like p11_child is never called on the Ubuntu system.  On
> > > >> > > > > > the Ubuntu system p11_child.log is empty and there is no sign
> > > >> > > > > > of it being started in the sssd_pam.log.
> > > >> > > > > >
> > > >> > > > > > Any suggestions on what I should look at next?
> > > >> > > > >
> > > >> > > > > What does your PAM configuration look like? You have to make
> > > >> > > > > sure that pam_sss.so is the first module called for SSSD users.
> > > >> > > > > If pam_unix comes first it will ask for a password and pass it
> > > >> > > > > on to pam_sss.so which will try password authentication in this
> > > >> > > > > case.
> > > >> > > > >
> > > >> > > > > HTH
> > > >> > > > >
> > > >> > > > > bye,
> > > >> > > > > Sumit
> > > >> > > > >
> > > >> > > > > >
> > > >> > > > > > Thanks,
> > > >> > > > > > Steve
> > > >> > > > >
> > > >> > > > > > _______________________________________________
> > > >> > > > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > >> > > > > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > > >> > > > >
> > > >> > >
> > > >>
> > > >
> > > >
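The PAM ordering this thread turns on (an SSSD user hitting pam_unix before pam_sss, and the pam_localuser `[default=1 success=ok]` line Sumit suggests) as an added example, not code from the thread or from SSSD: a small Python evaluator of Linux-PAM auth-stack control flags run over the two Ubuntu common-auth variants quoted above. The module outcomes (pam_localuser and pam_unix succeed only for local users, pam_sss only for SSSD users) are a constructed model for illustration, not real PAM behaviour.

```python
# Added example (not from the thread): a small evaluator of Linux-PAM "auth"
# stack control flags. Module outcomes are a constructed model: pam_localuser
# and pam_unix succeed only for local users, pam_sss only for SSSD users.
KEYWORDS = {"sufficient": {"success": "done", "default": "ignore"}}

def parse_stack(text):
    """Parse 'auth <control> <module> [args]' lines into (control, module)."""
    stack = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        _typ, rest = raw.split(None, 1)            # drop the "auth" column
        if rest.startswith("["):                   # [success=N default=ignore]
            ctl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctl.split())
        else:                                      # classic keyword
            kw, rest = rest.split(None, 1)
            control = dict(KEYWORDS[kw])
        stack.append((control, rest.split()[0]))
    return stack

def module_succeeds(module, user_is_local):
    """Constructed outcome model for the modules quoted in the thread."""
    if module == "pam_sss.so":
        return not user_is_local
    return user_is_local if module in ("pam_localuser.so", "pam_unix.so") else True

def run_stack(stack, user_is_local):
    """Return the modules invoked in order, honouring N-jumps, done and die."""
    called, i = [], 0
    while i < len(stack):
        control, module = stack[i]
        called.append(module)
        ok = module_succeeds(module, user_is_local)
        action = control.get("success" if ok else "default", "ignore")
        if action in ("done", "die"):              # stack finishes here
            break
        i += int(action) + 1 if action.isdigit() else 1   # "N": skip N lines
    return called

UBUNTU_ORIGINAL = """
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
"""
UBUNTU_WITH_LOCALUSER = """
auth    [default=1 success=ok]          pam_localuser.so
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    sufficient                      pam_sss.so forward_pass
"""
```

With the original stack an SSSD user is handed to pam_unix first (the password prompt Sumit describes); with the pam_localuser line in front, a non-local user skips straight to pam_sss, while a local user still goes through pam_unix.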