[SSSD-users] Re: p11_child showing certificate on smart card not valid
OK, I see. Thanks for the fast reply!

//Adam

2017-10-20 16:33 GMT+02:00 Sumit Bose:
> On Thu, Oct 19, 2017 at 12:39:15PM +0200, Winberg, Adam wrote:
> > Thanks a bunch, disabling OCSP verification works (and to test with
> > p11_child you can set the parameter '--verify=no_ocsp').
> >
> > So, now I can see in debug logs that sssd finds my smartcard certificate
> > but now it fails trying to verify it against the provider (AD). So what are
> > the requirements for this to work on 7.4? This page:
> >
> > http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/
> >
> > implies that it is no longer necessary to store the entire certificate for
> > the user in AD. It instead mentions a 'special attribute' but there is no
> > detailed information about it there. Is there any more documentation about
> > this?
>
> I'm sorry, the configurable mapping is currently only available when
> running SSSD on IPA clients. So far I didn't find the time to make the
> needed configuration options available to the AD and plain LDAP
> provider. So with these you still have to add the certificate to the
> user entry.
>
> bye,
> Sumit
>
> > Thanks,
> > Adam
> >
> > 2017-10-19 11:19 GMT+02:00 Sumit Bose:
> >
> > > On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
> > > > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
> > > > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
> > > > by using sssd instead. Unfortunately I can't get it to work, sssd does not
> > > > seem to detect my smartcard certificate.
> > > >
> > > > Running p11_child I get the following:
> > > >
> > > > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
> > > > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
> > > > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
> > > > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
> > > > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
> > > > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
> > > > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
> > > > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
> > > > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
> > > > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
> > > > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
> > > > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
> > > > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
> > > > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
> > > > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
> > > > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> > > > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> > > > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> > > > (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
[SSSD-users] Re: p11_child showing certificate on smart card not valid
On Thu, Oct 19, 2017 at 12:39:15PM +0200, Winberg, Adam wrote:
> Thanks a bunch, disabling OCSP verification works (and to test with
> p11_child you can set the parameter '--verify=no_ocsp').
>
> So, now I can see in debug logs that sssd finds my smartcard certificate
> but now it fails trying to verify it against the provider (AD). So what are
> the requirements for this to work on 7.4? This page:
>
> http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/
>
> implies that it is no longer necessary to store the entire certificate for
> the user in AD. It instead mentions a 'special attribute' but there is no
> detailed information about it there. Is there any more documentation about
> this?

I'm sorry, the configurable mapping is currently only available when
running SSSD on IPA clients. So far I didn't find the time to make the
needed configuration options available to the AD and plain LDAP
provider. So with these you still have to add the certificate to the
user entry.

bye,
Sumit

> Thanks,
> Adam
>
> 2017-10-19 11:19 GMT+02:00 Sumit Bose:
>
> > On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
> > > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
> > > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
> > > by using sssd instead. Unfortunately I can't get it to work, sssd does not
> > > seem to detect my smartcard certificate.
> > >
> > > Running p11_child I get the following:
> > >
> > > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
> > > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
> > > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
> > > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
> > > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
> > > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
> > > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
> > > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
> > > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
> > > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
> > > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
> > > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
> > > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
> > > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
> > > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
> > > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> > > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> > > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> > > (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> > > (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [Alcor Micro AU9540 00 00 Generic ] Manufacturer [Generic ] flags [7].
> > > (Thu Oct 19 10:43:20:772290 2017)
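Sumit's answer above is that with the AD provider the certificate itself has to sit on the user entry. The script below is an added example, not code from the thread or from the SSSD project, showing the client-side steps a practitioner would chain together for that: read the certificate off the card with OpenSC's pkcs11-tool, wrap it as an LDIF modify of userCertificate, push it with ldapmodify, and enable the PAM certificate path in sssd.conf. The DC hostname, the PKCS#11 object id and the 'abc' placeholder used in the self-test are assumptions; the OpenSC module path, NSS DB path, user DN and p11_child flags are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD project.
# Publishes a smart-card certificate into the AD user's userCertificate
# attribute, which is what SSSD's AD provider matches the card against.
# Assumed: OpenSC's pkcs11-tool and OpenLDAP's ldapmodify are installed,
# a kinit as an account allowed to write the attribute has been done, and
# the DC hostname below is made up. Module path, NSS DB path, user DN and
# p11_child flags are the ones from the thread.
set -eu

OPENSC_MODULE=/usr/lib64/pkcs11/opensc-pkcs11.so   # from the p11_child log
AD_URI=ldap://dc1.ad.example.com                   # hypothetical DC

# Step 1: read the certificate off the card as DER. Find the object id of
# the authentication cert first with
#   pkcs11-tool --module "$OPENSC_MODULE" --list-objects --type cert
# and pass that hex id as the second argument.
card_cert_to_der() {
    # usage: card_cert_to_der OUTFILE HEX_ID
    pkcs11-tool --module "$OPENSC_MODULE" --read-object --type cert \
        --id "$2" --output-file "$1"
}

# Step 2: wrap the DER blob as an LDIF modify. LDIF marks binary values
# with a double colon and base64; the value has to be one line, so the
# 76-column wrapping of GNU base64 is removed with tr.
usercert_ldif() {
    # usage: usercert_ldif USER_DN DER_FILE
    b64=$(base64 < "$2" | tr -d '\n')
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'add: userCertificate\n'
    printf 'userCertificate;binary:: %s\n' "$b64"
}

# Step 3: apply it over LDAP with Kerberos (SASL/GSSAPI) credentials.
publish_cert() {
    # usage: publish_cert USER_DN DER_FILE
    usercert_ldif "$1" "$2" | ldapmodify -Y GSSAPI -H "$AD_URI"
}

# Step 4: sssd.conf pieces on the client. pam_cert_auth enables the
# smart-card path; certificate_verification is the persistent form of the
# --verify=no_ocsp switch used in the thread. no_ocsp turns revocation
# checking off, so keep it as a diagnostic setting until the OCSP trust
# problem itself is fixed.
sssd_conf_fragment() {
    cat <<'EOF'
[sssd]
certificate_verification = no_ocsp

[pam]
pam_cert_auth = True
EOF
}

# Step 5: the probe from the thread, now with OCSP skipped. A working setup
# prints "found cert[...]" without a following "not valid [...]" line.
probe_card() {
    /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
        --nssdb=/etc/pki/nssdb --pin --verify=no_ocsp
}

# Typical run, once the hex id is known:
#   card_cert_to_der /tmp/user1.der 01
#   publish_cert 'CN=user1,OU=People,DC=ad,DC=example,DC=com' /tmp/user1.der
#   sssd_conf_fragment   # merge into /etc/sssd/sssd.conf, then restart sssd
#   probe_card
```

The attribute name matters: sssd-ldap(5) documents ldap_user_certificate, whose default for the AD provider is userCertificate;binary, so the value written here is exactly what the provider reads back and compares with the certificate p11_child reports. Writing userCertificate needs a principal with write access to that attribute on the user object; a plain user kinit will be refused by AD.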
[SSSD-users] Re: p11_child showing certificate on smart card not valid
On Thu, 2017-10-19 at 14:13 +0200, Winberg, Adam wrote:
>
> Got smartcard auth working once I added my smart card cert to my user account
> in AD. So that's good! Kerberos/pkinit seems to work also (I already had that
> setup to work with pam_krb5 before), also good!
>
> But is adding the smartcard cert to AD accounts the 'correct' way to go about
> this or is there something new and better/easier, as the blog post hinted
> about?
>
> //Adam

I have heard one can get/use certificates from Windows AD which can be used for WiFi sign on. I have no idea how to get one (certificate, that is). Is there some interface/service I can use?

Jocke
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
[SSSD-users] Re: p11_child showing certificate on smart card not valid
Got smartcard auth working once I added my smart card cert to my user account in AD. So that's good! Kerberos/pkinit seems to work also (I already had that setup to work with pam_krb5 before), also good!

But is adding the smartcard cert to AD accounts the 'correct' way to go about this or is there something new and better/easier, as the blog post hinted about?

//Adam

2017-10-19 13:17 GMT+02:00 Winberg, Adam:
> I've been debugging the OCSP issue as well and we can see that the OCSP
> server responds to the request. This response is signed by a cert which is
> issued by our CA, and that cert is indeed in my nssdb. So should this not
> work? Do I have to have the actual OCSP server cert in nssdb, does
> certificate chaining not work here?
>
> Regards
> Adam
>
> 2017-10-19 12:39 GMT+02:00 Winberg, Adam:
>
>> Thanks a bunch, disabling OCSP verification works (and to test with
>> p11_child you can set the parameter '--verify=no_ocsp').
>>
>> So, now I can see in debug logs that sssd finds my smartcard certificate
>> but now it fails trying to verify it against the provider (AD). So what are
>> the requirements for this to work on 7.4? This page:
>>
>> http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/
>>
>> implies that it is no longer necessary to store the entire certificate
>> for the user in AD. It instead mentions a 'special attribute' but there is
>> no detailed information about it there. Is there any more documentation
>> about this?
>>
>> Thanks,
>> Adam
>>
>> 2017-10-19 11:19 GMT+02:00 Sumit Bose:
>>
>>> On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
>>> > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
>>> > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
>>> > by using sssd instead. Unfortunately I can't get it to work, sssd does not
>>> > seem to detect my smartcard certificate.
>>> >
>>> > Running p11_child I get the following:
>>> >
>>> > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
>>> > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
>>> > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
>>> > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
>>> > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
>>> > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
>>> > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
>>> > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
>>> > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
>>> > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
>>> > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
>>> > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
>>> > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
>>> > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
>>> > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
>>> > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
>>> > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
>>> > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
>>> > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
>>> > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
>>> > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
>>> > (Thu
[SSSD-users] Re: p11_child showing certificate on smart card not valid
I've been debugging the OCSP issue as well and we can see that the OCSP server responds to the request. This response is signed by a cert which is issued by our CA, and that cert is indeed in my nssdb. So should this not work? Do I have to have the actual OCSP server cert in nssdb, does certificate chaining not work here?

Regards
Adam

2017-10-19 12:39 GMT+02:00 Winberg, Adam:
> Thanks a bunch, disabling OCSP verification works (and to test with
> p11_child you can set the parameter '--verify=no_ocsp').
>
> So, now I can see in debug logs that sssd finds my smartcard certificate
> but now it fails trying to verify it against the provider (AD). So what are
> the requirements for this to work on 7.4? This page:
>
> http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/
>
> implies that it is no longer necessary to store the entire certificate
> for the user in AD. It instead mentions a 'special attribute' but there is
> no detailed information about it there. Is there any more documentation
> about this?
>
> Thanks,
> Adam
>
> 2017-10-19 11:19 GMT+02:00 Sumit Bose:
>
>> On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
>> > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
>> > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
>> > by using sssd instead. Unfortunately I can't get it to work, sssd does not
>> > seem to detect my smartcard certificate.
>> >
>> > Running p11_child I get the following:
>> >
>> > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
>> > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
>> > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
>> > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
>> > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
>> > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
>> > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
>> > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
>> > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
>> > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
>> > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
>> > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
>> > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
>> > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
>> > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
>> > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
>> > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
>> > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
>> > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
>> > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
>> > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
>> > (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
>> > (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [Alcor Micro AU9540 00 00 Generic ] Manufacturer [Generic ] flags [7].
>> > (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work]
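Adam's chaining question above has a precise answer in RFC 6960 section 4.2.2.2, which NSS's OCSP client applies: a response is accepted only when it is signed by the CA that issued the certificate being checked, by a certificate that same CA issued carrying the id-kp-OCSPSigning extended key usage, or by a responder the client has been explicitly told to trust. A responder certificate that merely chains to the CA and sits in the NSS DB satisfies none of these, so it does not count; in SSSD the explicit-trust case is exposed through the certificate_verification option's ocsp_default_responder_signing_cert value documented in sssd.conf(5). The script below is an added example, not code from the thread or from the SSSD project: it decodes the NSS error number from the "not valid [...]" line p11_child prints (the -8062 in the thread is SEC_ERROR_BASE, which is -8192, plus 130) and checks a responder certificate for the OCSP Signing EKU. The embedded log lines are constructed from the thread's output; everything else is assumed from stock POSIX sh, sed and the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD project.
# Two diagnostics for the "not valid [code]" line p11_child prints:
# decoding the NSS error number, and checking whether an OCSP responder
# certificate meets the signer rule that makes a response acceptable.
# Assumes POSIX sh and sed; the last function also needs the openssl CLI.

# NSS error codes are SEC_ERROR_BASE (-8192) plus a small offset. The names
# below are the ones that show up most in p11_child output; the default
# branch only reports the offset so it can be looked up in
# /usr/include/nss3/secerr.h of the nss build actually installed.
nss_error_name() {
    case "$1" in
        -8181) echo "SEC_ERROR_EXPIRED_CERTIFICATE" ;;
        -8180) echo "SEC_ERROR_REVOKED_CERTIFICATE" ;;
        -8179) echo "SEC_ERROR_UNKNOWN_ISSUER (issuing CA not in the NSS DB)" ;;
        -8172) echo "SEC_ERROR_UNTRUSTED_ISSUER (issuing CA present but not trusted)" ;;
        -8171) echo "SEC_ERROR_UNTRUSTED_CERT" ;;
        *)     echo "offset $(( $1 + 8192 )) from SEC_ERROR_BASE, look it up in secerr.h" ;;
    esac
}

# Read a p11_child debug log on stdin and print "code meaning" for each
# certificate it rejected; sed keeps only the number inside "not valid [...]".
p11_child_failures() {
    sed -n 's/.*not valid \[\(-[0-9][0-9]*\)\].*/\1/p' |
    while read -r code; do
        echo "$code $(nss_error_name "$code")"
    done
}

# Constructed sample: two lines from the thread's log, unwrapped. Only the
# second one is a rejection.
SAMPLE_LOG='(Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
(Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0040): Certificate [identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062], skipping.'

triage_sample() {
    printf '%s\n' "$SAMPLE_LOG" | p11_child_failures
}

# RFC 6960 section 4.2.2.2, which NSS's OCSP client applies: a response is
# acceptable only if signed by the CA that issued the certificate, by a
# certificate that same CA issued carrying the id-kp-OCSPSigning extended
# key usage, or by a responder the client has been told to trust. A chain
# back to the CA is therefore necessary but not sufficient; this checks the
# EKU on the responder certificate. Exit status 0 means the EKU is present.
responder_has_ocsp_eku() {
    # usage: responder_has_ocsp_eku RESPONDER_CERT_PEM
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | grep -q 'OCSP Signing'
}

# Typical use against a real log and the responder's certificate:
#   p11_child_failures < /var/log/sssd/p11_child.log
#   responder_has_ocsp_eku /tmp/ocsp-responder.pem && echo "EKU ok"
```

If the responder certificate lacks the EKU, the fix belongs on the CA side (reissue the responder certificate with OCSP Signing) or in client trust configuration; adding the certificate to the NSS DB alone changes nothing, which is consistent with what the thread observed. Disabling OCSP with no_ocsp removes revocation checking entirely and should stay a diagnostic step.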
[SSSD-users] Re: p11_child showing certificate on smart card not valid
Thanks a bunch, disabling OCSP verification works (and to test with p11_child you can set the parameter '--verify=no_ocsp').

So, now I can see in debug logs that sssd finds my smartcard certificate but now it fails trying to verify it against the provider (AD). So what are the requirements for this to work on 7.4? This page:

http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-red-hat-enterprise-linux/

implies that it is no longer necessary to store the entire certificate for the user in AD. It instead mentions a 'special attribute' but there is no detailed information about it there. Is there any more documentation about this?

Thanks,
Adam

2017-10-19 11:19 GMT+02:00 Sumit Bose:
> On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
> > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
> > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
> > by using sssd instead. Unfortunately I can't get it to work, sssd does not
> > seem to detect my smartcard certificate.
> >
> > Running p11_child I get the following:
> >
> > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
> > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
> > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
> > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
> > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
> > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
> > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
> > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
> > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
> > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
> > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
> > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
> > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
> > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
> > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
> > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> > (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> > (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [Alcor Micro AU9540 00 00 Generic ] Manufacturer [Generic ] flags [7].
> > (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
> > (Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Token is NOT friendly.
> > (Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
> > (Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Login required.
> > (Thu
[SSSD-users] Re: p11_child showing certificate on smart card not valid
On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
> I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
> currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
> by using sssd instead. Unfortunately I can't get it to work, sssd does not
> seem to detect my smartcard certificate.
>
> Running p11_child I get the following:
>
> $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/etc/pki/nssdb --pin
> (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] (0x0400): p11_child started.
> (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running in [pre-auth] mode.
> (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with effective IDs: [0][0].
> (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] (0x2000): Running with real IDs [0][0].
> (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Default Module List:
> (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
> (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [p11-kit-trust].
> (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
> (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
> (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
> (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Dead Module List:
> (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): DB Module List:
> (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [NSS Internal Module].
> (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): common name: [Policy File].
> (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): dll name: [(null)].
> (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1].
> (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Description [Alcor Micro AU9540 00 00 Generic ] Manufacturer [Generic ] flags [7].
> (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
> (Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Token is NOT friendly.
> (Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
> (Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Login required.
> (Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0020): Login required but no pin available, continue.
> (Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
> (Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): Filtered certificates:
> (Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] (0x4000): found cert[identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
> (Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] (0x0040): Certificate [identification (Instant EID IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid [-8062], skipping.
> (Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]]