[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

[Sumit Bose via FreeIPA-users]

On Fri, Feb 14, 2020 at 07:36:14PM -0000, Leon Castellano via FreeIPA-users 
wrote:
> Hi,
> 
> Linking works for listing tokens:
> 
> [root@ipaclient 0]# env|grep RUNTIME
> [root@ipaclient 0]# pwd
> /run/user/0
> [root@ipaclient 0]# ls -l
> total 0
> lrwxrwxrwx. 1 root root 22 Feb 14 14:28 p11-kit -> /run/user/<UID>/p11-kit
> [root@ipaclient 0]# p11tool --provider=/usr/lib64/pkcs11/p11-kit-client.so 
> --list-tokens
> Token 0:
>       URL: 
> pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=<REDACTED>;token=PIV_II
>       Label: PIV_II
>       Type: Hardware token
>       Flags: RNG, Requires login
>       Manufacturer: piv_II
>       Model: PKCS#15 emulated
>       Serial: <REDACTED>
>       Module: 
> 
> Unfortunately, sudo still prompts for PW:
> 
> [user@ipaclient][~]$ p11tool --list-tokens
> Token 0:
>       URL: 
> pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
>       Label: System Trust
>       Type: Trust module
>       Flags: uPIN uninitialized
>       Manufacturer: PKCS#11 Kit
>       Model: p11-kit-trust
>       Serial: 1
>       Module: p11-kit-trust.so
> 
> 
> Token 1:
>       URL: 
> pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
>       Label: Default Trust
>       Type: Trust module
>       Flags: uPIN uninitialized
>       Manufacturer: PKCS#11 Kit
>       Model: p11-kit-trust
>       Serial: 1
>       Module: p11-kit-trust.so
> 
> 
> Token 2:
>       URL: 
> pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=<REDACTED>;token=PIV_II
>       Label: PIV_II
>       Type: Hardware token
>       Flags: RNG, Requires login
>       Manufacturer: piv_II
>       Model: PKCS#15 emulated
>       Serial: <REDACTED>
>       Module: /usr/lib64/pkcs11/p11-kit-client.so
> 
> [14:32:09][user@ipaclient][~]$ sudo -i
> [sudo] password for user:

Hi,

can you set 'debug_level = 9' in the [pam] section of sssd.conf, restart
SSSD, try sudo again and send me sssd.conf and the logs files from
/var/log/sssd/?

bye,
Sumit

> 
> Thanks for your time,
> 
> -Leon
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org