Sumit Bose wrote:
On Sun, Jul 17, 2016 at 11:21:34PM +0200, Martin Štefany wrote:
On So, 2016-07-16 at 15:37 +0200, Lukas Slebodnik wrote:
On (16/07/16 10:19), Martin Štefany wrote:


Hello Sumit,

seems that upgrade to F24 broke things again. This time no AVCs, empty SSSD
logs, but same problem: 'Error looking up public keys'.

selinux-policy-3.13.1-191.fc24.3.noarch
selinux-policy-targeted-3.13.1-191.fc24.3.noarch
sssd-1.13.4-3.fc24.x86_64

Fedora 23 and fedora 24 has the same version of sssd
and almost the same version of openssh.
I have no idea what coudl broke it it there are not any AVCs.


Using debug_level 0x0250 ::

For troubleshooting, it would be better to see all
debug messages. (debug_level = 0xfff0)

Hello Lukas,

thanks for replying on this, here are debug_level = 0xfff0 messages


...

(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
CERT_VerifyCertificateNow failed [-8179].
(Sun Jul 17 23:17:34 2016) [sssd[ssh]] [decode_and_add_base64_data] (0x0040):
cert_to_ssh_key failed.

-8179 translates to "Peer's certificate issuer is not recognized."
(http://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).
This means the CA certificate which signed the certificate on the
Smartcard is missing in /etc/pki/nssdb which is used by default by SSSD.

Recent version of IPA put IPA CA certificates only in /etc/ipa/nssdb,
this might be the reason why you see this with F24.

To fix this please either add the needed CA certificates to
/etc/pki/nssdb with certutil or add 'ca_db = /etc/ipa/nssdb' to the
[ssh] section of sssd.conf if /etc/ipa/nssdb already has all needed CA
certificates to validate the Smartcard certificate.

I'm working on a fix for SSSD to handle handle this change
automatically, but unfortunately it is not ready yet.

The client installer should be adding the IPA CA to the system certificate store which should be picked up automagically by OpenSSL and NSS applications. I think I'd start there to see if that happened.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to