> On 23 Jun 2023, at 10:52, Sumit Bose via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > Am Fri, Jun 23, 2023 at 09:03:55AM +0200 schrieb Francis Augusto > Medeiros-Logeay via FreeIPA-users: >> >> >>> On 22 Jun 2023, at 14:48, Rob Crittenden via FreeIPA-users >>> <freeipa-users@lists.fedorahosted.org> wrote: >>> >>> Francis Augusto Medeiros-Logeay via FreeIPA-users wrote: >>>> Hi, >>>> >>>> We have an application that requires Active Directory. In order to >>>> provide SSO, the application gets a user certificate from AD and, as I >>>> understand, uses it towards a RHEL machine as a smart card. I installed >>>> AD's ca certificates on the RHEL client and it works when sssd.conf is >>>> all configured towards AD. >>>> >>>> I've joined the client to AD, as I said, but I do want my `id_provider` >>>> in `sssd.conf` to be `ldap` so that it gets my group info from FreeIPA. >>>> But when I do this, the authentication doesn't work. >>>> >>>> Is there a way to either force pam/sssd to check the certificates >>>> against AD while still getting groups and names from ldap, or to get >>>> FreeIPA to approve the certificates? >>>> >>>> I know this might be a very corner case, but if we make it works, this >>>> would be beautiful. >>> >> >> Thanks Rob! >> >>> IMHO you should cross-post this to the SSSD users list as this seems >>> more their area, >>> https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/ >> >> I posted it there first, tbh, but got no reply. >> >>> I think expanding on your configuration would help too. Are you using >>> the IPA certificate mapping to map the AD-issued certificates to an IPA >>> user for authentication? >> >> No. The users are the same on both - same uid, gid, etc, but no connection, >> trust, or anything. >> The mapping on sssd.conf is this one: >> >> [certmap/mydomain.com/truesso] #Add this section and >> following lines to set match and map rule for certificate user >> matchrule = <EKU>msScLogin >> maprule = >> (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name})) >> domains = mydomain.com >> priority = 10 >> >> When id_provider = ad, it works, but not when it is `ldap`. But the users, >> in principle, are the same. Could it be those attributes that are wrong? > > Hi, > > with 'id_provider = ad' the 'auth_provider' will be 'ad' as well, which > is basically 'auth_provider = krb5' and Smartcard authentication is done > the Kerberos way. With 'id_provider = ldap' the 'auth_provider' will be > 'ldap' as well, so you might have to explicitly add 'auth_provider = > krb5' > > Additionally, the 'maprule' is looking for LDAP attributes, so you IPA > user must at least have the 'userPrincipal' attribute set with the > principal which is stored in the subject alternative names of the > certificate. > > Feel free to add 'debug_level = 9' to the [pam] and [domain/...] > sections of sssd.conf, restart SSSD, try again and send the SSSD logs > here. > > bye, > Sumit
Hi Sumit, It fails on RHEL 9, though - before I was doing it on RHEL 9. I get this: Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: Preauthentication failed Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: pam_sss(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=francis Jun 28 07:21:09 sso-rhel-test krb5_child[3447]: Pre-authentication failed: Preauthentication failed Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: pam_sss(gdm-password:auth): received for user francis: 7 (Authentication failure) Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: unable to locate daemon control file Jun 28 07:21:09 sso-rhel-test desktopWorker[2796]: gkr-pam: stashed password to try later in open ses Exact same configuration. Neither password nor certificate works, though password works on ssh. Any tips here? Best, Francis _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue