pam_pkcs11.conf file to use the pwent mapper to link the Common Name (CN) to the Active Directory User account. I have created a User ID Override for the AD user and added the CN from the certificate on the smart card into the GECOS field. I also have added all three certificates from the CAC smart card into the User ID Override.
When I try to log in, I get this error message in /var/log/secure:
Apr 6 13:21:57 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #1
Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed: on cert #2
Apr 6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found
Here are some details:
IDM Domain: idm.domain.local
Windows Domain: domain.local
RHEL 7.3 IDM Server: site-idm01.idm.domain.local
RHEL 6.9 IDM Client : site-lws05.idm.domain.local
When I run the getent command on local accounts and IDM accounts I get user details, but when I run the command on AD accounts it doesn't find them.
So, I'm wondering if that's why it's not finding the CN in the GECOS field. I'm trying to avoid using the cn_map on the clients, because we have a large number of users and that's a lot of extra work to manage that file. That's why I wanted to use the pwent mapper.
Here is my SSSD config file from the RHEL 6.9 client:
[domain/idm.domain.local]
override_shell = /bin/bash
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm.domain.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = site-lws05.idm.domain.local
chpass_provider = ipa
ipa_server = _srv_, site-idm01.idm.domain.local
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
debug_level = 9
services = nss, sudo, pam, ssh, ifp
domains = idm.domain.local
certificate_verification = no_ocsp
ldap_user_certificate = userCertificate;binary
[nss]
debug_level = 9
homedir_substring = /home
[pam]
debug_level = 9
pam_cert_auth = True
[sudo]
debug_level = 9
[autofs]
debug_level = 9
[ssh]
debug_level = 9
[pac]
debug_level = 9
[ifp]
debug_level = 9
Here is my nsswitch file from the RHEL 6.9 client:
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
sudoers: files sss
Here is my system-auth from the RHEL 6.9 client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so card_only
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Here is my password-auth from the RHEL 6.9 client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Here is my smartcard-auth from the RHEL 6.9 client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card card_only
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password required pam_pkcs11.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
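The lookup the post is trying to get working, as an added example that is not part of the original message, of pam_pkcs11 or of FreeIPA: a small POSIX shell script that takes the CN from an exported certificate and searches passwd(5)-format data for an entry whose login name or GECOS field equals it, which is the comparison the pwent mapper performs. Running it on the client against `getent passwd <ad-user>` separates two failure modes that the `find_user() failed` lines above cannot tell apart: the AD user not being resolvable through NSS at all (no mapper can work then), and the user resolving but the GECOS value not matching the CN byte for byte (trailing space, different case; the mapper compares case-sensitively unless `ignorecase = true` is set in its config). One further caveat, from my recollection of the mapper's implementation rather than from this page: when no login name is supplied, the pwent mapper enumerates the passwd database with getpwent(), and SSSD only serves enumeration when `enumerate = true` is set for the domain, so a targeted getent lookup succeeding does not by itself prove the mapper will see the entry. The openssl invocation, the PEM export path and the sample passwd lines below are my assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the pam_pkcs11 pwent
# mapper match (certificate CN == login name or GECOS of a passwd entry)
# so it can be checked outside of GDM.
# Assumptions (not from the post): openssl is installed, the card's
# certificate has already been exported to a PEM file (for example with
# pkcs15-tool --read-certificate), and matching is case-sensitive, which
# is the mapper's default (ignorecase=false).

# Print the CN of a PEM certificate's subject (last CN RDN if several).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Read passwd(5)-format lines on stdin (e.g. the output of getent passwd)
# and print the login name of every entry whose name or GECOS equals $1.
# The comparison is exact: a trailing space or a case difference in the
# GECOS field is a miss, just as it is for the mapper.
pwent_match_cn() {
    awk -F: -v cn="$1" '$1 == cn || $5 == cn { print $1 }'
}

# Resolve one user through NSS (getent, i.e. a targeted getpwnam()) and
# report whether CN $2 matches that entry. Prints the login name on
# success; returns 1 when NSS does not know the user or the CN differs.
check_user_cn() {
    entry=$(getent passwd "$1") || return 1
    match=$(printf '%s\n' "$entry" | pwent_match_cn "$2")
    [ -n "$match" ] && printf '%s\n' "$match"
}

# Constructed sample passwd data (not real accounts): a local user, an
# IdM user, an AD trust user whose GECOS carries the CN from the CAC, and
# one whose GECOS has a trailing space and therefore never matches.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
asmith:x:1001:1001:Alice Smith:/home/asmith:/bin/bash
doe.john@domain.local:*:1234567:1234567:DOE.JOHN.A.1234567890:/home/domain.local/doe.john:/bin/bash
bbrown:x:1002:1002:BROWN.BOB.B.0987654321 :/home/bbrown:/bin/bash'

# Demo on the constructed data: prints doe.john@domain.local only; the
# lower-case CN and the GECOS with the trailing space do not match.
printf '%s\n' "$SAMPLE_PASSWD" | pwent_match_cn 'DOE.JOHN.A.1234567890'
printf '%s\n' "$SAMPLE_PASSWD" | pwent_match_cn 'doe.john.a.1234567890'
printf '%s\n' "$SAMPLE_PASSWD" | pwent_match_cn 'BROWN.BOB.B.0987654321'

# Real check on a client: ./pwent-check.sh cert.pem doe.john@domain.local
# (script name is an assumption). Exit 1 means NSS cannot resolve the user
# or the GECOS does not equal the CN on the certificate.
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    cn=$(cert_cn "$1")
    echo "certificate CN: $cn"
    check_user_cn "$2" "$cn" || { echo "no pwent match for $2"; exit 1; }
fi
```

The distinction the script draws is the one worth settling first on site-lws05: if `getent passwd` for the AD account returns nothing, the trust user is not being resolved by the RHEL 6.9 client's SSSD and the mapper never gets an entry to compare, whatever the GECOS override contains.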