[SSSD-users] Re: p11_child showing certificate on smart card not valid

2017-10-20 Thread Winberg, Adam
OK, I see. Thanks for the fast reply!

//Adam

2017-10-20 16:33 GMT+02:00 Sumit Bose :

> On Thu, Oct 19, 2017 at 12:39:15PM +0200, Winberg, Adam wrote:
> > Thanks a bunch, disabling OCSP verification works (and to test with
> > p11_child you can set the parameter '--verify=no_ocsp').
> >
> > So, now I can see in debug logs that sssd finds my smartcard certificate
> > but now it fails trying to verify it against the provider (AD). So what
> are
> > the requirements for this to work on 7.4? This page:
> >
> > http://rhelblog.redhat.com/2017/09/26/smart-card-support-
> in-red-hat-enterprise-linux/
> >
> > implies that it is no longer necessary to store the entire certificate
> for
> > the user in AD. It instead mentions a 'special attribute' but there is no
> > detailed information about it there. Is there any more documentation
> about
> > this?
>
> I'm sorry, the configurable mapping is currently only available when
> running SSSD on IPA clients. So far I didn't find the time to make the
> needed configuration options available to the AD and plain LDAP
> provider. So with these you still have to add the certificate to the
> user entry.
>
> bye,
> Sumit
>
> >
> > Thanks,
> > Adam
> >
> >

[SSSD-users] Re: p11_child showing certificate on smart card not valid

2017-10-20 Thread Sumit Bose
On Thu, Oct 19, 2017 at 12:39:15PM +0200, Winberg, Adam wrote:
> Thanks a bunch, disabling OCSP verification works (and to test with
> p11_child you can set the parameter '--verify=no_ocsp').
> 
> So, now I can see in debug logs that sssd finds my smartcard certificate
> but now it fails trying to verify it against the provider (AD). So what are
> the requirements for this to work on 7.4? This page:
> 
> http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/
> 
> implies that it is no longer necessary to store the entire certificate for
> the user in AD. It instead mentions a 'special attribute' but there is no
> detailed information about it there. Is there any more documentation about
> this?

I'm sorry, the configurable mapping is currently only available when
running SSSD on IPA clients. So far I didn't find the time to make the
needed configuration options available to the AD and plain LDAP
provider. So with these you still have to add the certificate to the
user entry.

bye,
Sumit

> 
> Thanks,
> Adam
> 
> 
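For the AD and plain LDAP providers, Sumit's answer means the DER certificate p11_child reads from the card has to be stored, as the same DER bytes, in the attribute SSSD searches on (its ldap_user_certificate default for the AD provider is userCertificate;binary). The script below is an added example for this thread, not SSSD code: it builds the ldapmodify LDIF that stores a certificate on the user, then checks values read back from the directory against the card's DER and names the usual ways the comparison fails (a PEM string pasted into the attribute, or a different certificate than the one on the card). The user DN, the attribute name and the certificate bytes are assumptions and constructed placeholders; with a real card, feed it the DER file you get from the card (for example with pkcs11-tool --read-object --type cert) and the ldapsearch output for the user.

```python
"""Check that the smart-card certificate is the one stored on the AD user.

Added example for this thread, not SSSD code. Everything runs offline: the
certificate bytes and the "directory" values are constructed placeholders,
not a real X.509 certificate.
"""
import base64
import hashlib
import ssl
import textwrap
from typing import List, Optional

# Constructed placeholder: a DER SEQUENCE holding INTEGER 0 and the UTF8String
# "NOT-REAL". Real input is the DER certificate read from the card.
CARD_DER = bytes.fromhex("300d0201000c084e4f542d5245414c")
# Assumed DN of the AD user; take the real one from ldapsearch.
USER_DN = "CN=user1,OU=People,DC=ad,DC=example,DC=com"
CERT_ATTR = "userCertificate;binary"   # SSSD's ldap_user_certificate default for AD


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor; the stdlib helper only base64-decodes the body."""
    return ssl.PEM_cert_to_DER_cert(pem)


def der_to_pem(der: bytes) -> str:
    return ssl.DER_cert_to_PEM_cert(der)


def der_sequence_length(buf: bytes) -> Optional[int]:
    """Length of the outer DER SEQUENCE in buf, or None if buf is not exactly
    one well-formed SEQUENCE (a certificate is one SEQUENCE and nothing else)."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                     # short-form length
        header, length = 2, first
    else:                                # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < 2 + n:
            return None
        header, length = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    total = header + length
    return total if total == len(buf) else None


def is_der_certificate(buf: bytes) -> bool:
    return der_sequence_length(buf) is not None


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as openssl x509 -fingerprint -sha256 prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_add_certificate_ldif(user_dn: str, der: bytes, attr: str = CERT_ATTR) -> str:
    """LDIF for ldapmodify that stores the DER certificate on the user.
    Binary values use the '::' base64 form; continuation lines start with a space."""
    b64 = base64.b64encode(der).decode("ascii")
    folded = "\n ".join(textwrap.wrap(b64, 76))
    return (f"dn: {user_dn}\n"
            "changetype: modify\n"
            f"add: {attr}\n"
            f"{attr}:: {folded}\n"
            "-\n")


def parse_ldif_binary_values(ldif_text: str, attr: str = CERT_ATTR) -> List[bytes]:
    """Collect the base64 values of attr from ldapsearch/LDIF output."""
    unfolded: List[str] = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]       # undo LDIF line folding
        else:
            unfolded.append(line)
    prefix = f"{attr}:: "
    return [base64.b64decode(line[len(prefix):]) for line in unfolded if line.startswith(prefix)]


def diagnose_stored_value(card_der: bytes, stored: bytes) -> str:
    """Why a stored attribute value does or does not match the card."""
    if stored == card_der:
        return "match"
    if stored.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem-text-not-der"          # PEM pasted into the attribute
    if not is_der_certificate(stored):
        return "not-der"
    return "different-certificate"         # e.g. an older or renewed certificate


def user_matches_card(card_der: bytes, stored_values: List[bytes]) -> bool:
    """The lookup SSSD performs: exact DER equality against a stored value."""
    return any(v == card_der for v in stored_values)


if __name__ == "__main__":
    ldif = build_add_certificate_ldif(USER_DN, CARD_DER)
    print(ldif)
    print("card :", fingerprint_sha256(CARD_DER))
    # Simulated ldapsearch output for the user after the modify above.
    print("match:", user_matches_card(CARD_DER, parse_ldif_binary_values(ldif)))
    print("PEM stored by mistake ->", diagnose_stored_value(CARD_DER, der_to_pem(CARD_DER).encode()))
```

Pipe the generated LDIF into ldapmodify against the domain controller, then compare the fingerprint printed for the card with the one ldapsearch returns for the user; a "pem-text-not-der" or "different-certificate" result explains a lookup failure before any SSSD debugging is needed.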

[SSSD-users] Re: p11_child showing certificate on smart card not valid

2017-10-19 Thread Joakim Tjernlund
On Thu, 2017-10-19 at 14:13 +0200, Winberg, Adam wrote:
> 
> Got smartcard auth working once I added my smart card cert to my user account 
> in AD. So that's good! Kerberos/pkinit seems to work also (I already had that 
> setup to work with pam_krb5 before), also good!
> 
> But is adding the smartcard cert to AD accounts the 'correct' way to go about 
> this or is there something new and better/easier, as the blog post hinted 
> about?
> 
> //Adam

I have heard one can get/use certificates from Windows AD which can be used for 
WiFi sign-on. I have no idea how to get one (a certificate, that is). Is there
some interface/service I can use?

 Jocke
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


[SSSD-users] Re: p11_child showing certificate on smart card not valid

2017-10-19 Thread Winberg, Adam
Got smartcard auth working once I added my smart card cert to my user
account in AD. So that's good! Kerberos/pkinit seems to work also (I already
had that setup to work with pam_krb5 before), also good!

But is adding the smartcard cert to AD accounts the 'correct' way to go
about this or is there something new and better/easier, as the blog post
hinted about?

//Adam

2017-10-19 13:17 GMT+02:00 Winberg, Adam :

> I've been debugging the OCSP issue as well and we can see that the OCSP
> server responds to the request. This response is signed by a cert which is
> issued by our CA, and that cert is indeed in my nssdb. So should this not
> work? Do I have to have the actual OCSP server cert in nssdb, does
> certificate chaining not work here?
>
> Regards
> Adam
>
> 2017-10-19 12:39 GMT+02:00 Winberg, Adam :
>
>> Thanks a bunch, disabling OCSP verification works (and to test with
>> p11_child you can set the parameter '--verify=no_ocsp').
>>
>> So, now I can see in debug logs that sssd finds my smartcard certificate
>> but now it fails trying to verify it against the provider (AD). So what are
>> the requirements for this to work on 7.4? This page:
>>
>> http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-
>> red-hat-enterprise-linux/
>>
>> implies that it is no longer necessary to store the entire certificate
>> for the user in AD. It instead mentions a 'special attribute' but there is
>> no detailed information about it there. Is there any more documentation
>> about this?
>>
>> Thanks,
>> Adam
>>
>>

[SSSD-users] Re: p11_child showing certificate on smart card not valid

2017-10-19 Thread Winberg, Adam
I've been debugging the OCSP issue as well and we can see that the OCSP
server responds to the request. This response is signed by a cert which is
issued by our CA, and that cert is indeed in my nssdb. So should this not
work? Do I have to have the actual OCSP server cert in nssdb, does
certificate chaining not work here?

Regards
Adam

2017-10-19 12:39 GMT+02:00 Winberg, Adam :

> Thanks a bunch, disabling OCSP verification works (and to test with
> p11_child you can set the parameter '--verify=no_ocsp').
>
> So, now I can see in debug logs that sssd finds my smartcard certificate
> but now it fails trying to verify it against the provider (AD). So what are
> the requirements for this to work on 7.4? This page:
>
> http://rhelblog.redhat.com/2017/09/26/smart-card-support-
> in-red-hat-enterprise-linux/
>
> implies that it is no longer necessary to store the entire certificate
> for the user in AD. It instead mentions a 'special attribute' but there is
> no detailed information about it there. Is there any more documentation
> about this?
>
> Thanks,
> Adam
>
>
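Adam's question about the OCSP responder certificate is not answered in the thread. The rule a practitioner would check is RFC 6960 section 4.2.2.2: a response may be signed by the CA that issued the certificate being checked, by a responder key the client explicitly trusts, or by a delegated responder whose certificate was issued directly by that issuing CA and carries the id-kp-OCSPSigning extended key usage. Chaining to the same root is not one of the rules, so a responder certificate "issued by our CA" only qualifies if "our CA" is the CA that issued the user certificate (or the responder is configured as trusted). The example below is added here and is not SSSD or NSS code; it models certificates as constructed facts (names, key ids, EKUs) instead of parsing X.509, and shows a responder that chains to the root but is still rejected because it was issued by a sibling CA or lacks the EKU.

```python
"""Which OCSP responder certificates RFC 6960 lets a client accept.

Added example for this thread, not SSSD or NSS code. All certificates are
constructed facts (names, key ids, EKUs), not parsed X.509 data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class CertFacts:
    subject: str
    issuer: str
    key_id: str                          # stands in for SubjectKeyIdentifier
    eku: FrozenSet[str] = frozenset()    # extendedKeyUsage OIDs


def issuer_of(cert: CertFacts, store: Dict[str, CertFacts]) -> Optional[CertFacts]:
    return store.get(cert.issuer)


def chains_to(cert: CertFacts, root_subject: str, store: Dict[str, CertFacts]) -> bool:
    """Plain path building: follow issuer names until the root or a dead end."""
    seen = set()
    cur: Optional[CertFacts] = cert
    while cur is not None and cur.subject not in seen:
        if cur.subject == root_subject:
            return True
        seen.add(cur.subject)
        cur = issuer_of(cur, store)
    return False


def responder_rule(responder: CertFacts, issuing_ca: CertFacts,
                   trusted_responder_keys: FrozenSet[str] = frozenset()) -> str:
    """Name the RFC 6960 4.2.2.2 rule that admits the responder, or 'unauthorized'."""
    if responder.key_id == issuing_ca.key_id:
        return "issuing-ca"                # signed with the issuing CA's own key
    if responder.key_id in trusted_responder_keys:
        return "trusted-responder"         # explicitly configured trust
    if responder.issuer == issuing_ca.subject and ID_KP_OCSP_SIGNING in responder.eku:
        return "delegated-responder"       # issued directly by the issuing CA, OCSP EKU
    return "unauthorized"


# Constructed PKI: one root, two subordinate CAs, a user certificate and three
# candidate responder certificates.
ROOT = CertFacts("CN=Example Root CA", "CN=Example Root CA", "k-root")
USERS_CA = CertFacts("CN=Example Users CA", "CN=Example Root CA", "k-users")
OTHER_CA = CertFacts("CN=Example Services CA", "CN=Example Root CA", "k-services")
USER1 = CertFacts("CN=user1,OU=People,DC=ad,DC=example,DC=com", "CN=Example Users CA", "k-user1")
# Issued by the CA that issued user1 and marked for OCSP signing: acceptable.
GOOD_RESPONDER = CertFacts("CN=ocsp.example.com", "CN=Example Users CA", "k-ocsp1",
                           frozenset({ID_KP_OCSP_SIGNING}))
# Issued by a sibling CA: chains to the same root, still not acceptable.
SIBLING_RESPONDER = CertFacts("CN=ocsp.example.com", "CN=Example Services CA", "k-ocsp2",
                              frozenset({ID_KP_OCSP_SIGNING}))
# Right issuer, but without id-kp-OCSPSigning.
NO_EKU_RESPONDER = CertFacts("CN=ocsp.example.com", "CN=Example Users CA", "k-ocsp3")

STORE = {c.subject: c for c in (ROOT, USERS_CA, OTHER_CA)}


def check_response_signer(responder: CertFacts, subject_cert: CertFacts,
                          store: Dict[str, CertFacts] = STORE,
                          trusted_keys: FrozenSet[str] = frozenset()) -> str:
    """Decide whether `responder` may sign status for `subject_cert`."""
    issuing_ca = issuer_of(subject_cert, store)
    if issuing_ca is None:
        return "issuer-not-found"
    return responder_rule(responder, issuing_ca, trusted_keys)


if __name__ == "__main__":
    for name, r in (("good", GOOD_RESPONDER), ("sibling", SIBLING_RESPONDER),
                    ("no-eku", NO_EKU_RESPONDER)):
        print(f"{name:8} chains to root: {chains_to(r, ROOT.subject, STORE)!s:5} "
              f"rule: {check_response_signer(r, USER1)}")
    print("sibling, explicitly trusted:",
          check_response_signer(SIBLING_RESPONDER, USER1, trusted_keys=frozenset({"k-ocsp2"})))
```

To see which case a real responder falls into, print its issuer and extended key usage with openssl x509 -in responder.pem -noout -text and compare the issuer against the issuer of the user certificate on the card; the responder chaining to a root in the nssdb is not enough on its own.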

[SSSD-users] Re: p11_child showing certificate on smart card not valid

2017-10-19 Thread Winberg, Adam
Thanks a bunch, disabling OCSP verification works (and to test with
p11_child you can set the parameter '--verify=no_ocsp').

So, now I can see in debug logs that sssd finds my smartcard certificate
but now it fails trying to verify it against the provider (AD). So what are
the requirements for this to work on 7.4? This page:

http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/

implies that it is no longer necessary to store the entire certificate for
the user in AD. It instead mentions a 'special attribute' but there is no
detailed information about it there. Is there any more documentation about
this?

Thanks,
Adam



[SSSD-users] Re: p11_child showing certificate on smart card not valid

2017-10-19 Thread Sumit Bose
On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
> I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
> currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
> by using sssd instead. Unfortunately I can't get it to work, sssd does not
> seem to detect my smartcard certificate.
> 
> Running p11_child I get the following:
> 
> $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
> (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
> (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
> (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
> (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
> (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
> (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
> (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
> (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
> (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
> (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
> (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
> (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
> (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
> (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
> (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services   Mozilla Foundation  ] Manufacturer [Mozilla Foundation  ] flags [1].
> (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services   Mozilla Foundation  ] Manufacturer [Mozilla Foundation  ] flags [1].
> (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source   PKCS#11 Kit  ] Manufacturer [PKCS#11 Kit  ] flags [1].
> (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source   PKCS#11 Kit  ] Manufacturer [PKCS#11 Kit  ] flags [1].
> (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [Alcor Micro AU9540 00 00   Generic ] Manufacturer [Generic  ] flags [7].
> (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
> (Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Token is NOT friendly.
> (Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
> (Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Login required.
> (Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0020): Login required but no pin available, continue.
> (Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
> (Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Filtered certificates:
> (Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
> (Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0040): Certificate [identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062], skipping.
> (Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320