[Freeipa-users] Re: Fails to start CA with Basic Auth (and/or SSL)

2018-11-09 Thread Zarko D via FreeIPA-users
I've also reset nss trust flag, as per 

https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/

and still get the "Insufficient access: Invalid credentials" error from the
previous post.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-09 Thread Kevin Vasko via FreeIPA-users
I’m following this because I’m having the same issue. Since the OpenVPN client
won’t prompt twice for the second factor, I know you have to do the whole
“password+otp” (without the +) but keep getting invalid password.

-Kevin

> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users 
>  wrote:
> 
> Hello everyone,
> 
> I'm having an issue with OTP when logging into a vpn server that is a client 
> of FreeIPA.  I can login with no issues when OTP is disabled.
> 
> FreeIPA Setup:
> CentOS 7.5
> FreeIPA 4.5.4
> 
> HBAC Service: openvpn
> HBAC Rule:
> [root@ipa ~]# ipa hbacrule-show openvpn_access
> Rule name: openvpn_access
> Description: VPN users HBAC rule for accessing ,vpnhost> via openvpn service.
> Enabled: TRUE
> Users: 
> Hosts: vpnhost.localdomain.local
> Services: openvpn
> 
> User account:
> [root@ipa ~]# ipa user-show 
>  User login: 
>  First name: 
>  Last name: 
>  Home directory: /home/
>  Login shell: /bin/bash
>  Principal name: 
>  Principal alias: 
>  Email address: 
>  UID: 190963
>  GID: 190963
>  User authentication types: otp
>  Certificate: 
>  Account disabled: False
>  Password: True
>  Member of groups: vpn_users
>  Member of HBAC rule: openvpn_access
>  Indirect Member of HBAC rule: user_ipa_access
>  Kerberos keys available: True
> 
> OpenVPN server:
> /etc/pam.d/openvpn
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth       required      pam_env.so
> auth       required      pam_faildelay.so delay=200
> auth       [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth       [default=1 ignore=ignore success=ok] pam_localuser.so
> auth       sufficient    pam_unix.so nullok try_first_pass
> auth       requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth       sufficient    pam_sss.so forward_pass
> auth       required      pam_deny.so
> 
> account    required      pam_unix.so
> account    sufficient    pam_localuser.so
> account    sufficient    pam_succeed_if.so uid < 1000 quiet
> account    [default=bad success=ok user_unknown=ignore] pam_sss.so
> account    required      pam_permit.so
> 
> password   requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
> password   sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password   sufficient    pam_sss.so use_authtok
> password   required      pam_deny.so
> 
> session    optional      pam_keyinit.so revoke
> session    required      pam_limits.so
> -session   optional      pam_systemd.so
> session    optional      pam_oddjob_mkhomedir.so umask=0077
> session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session    required      pam_unix.so
> session    optional      pam_sss.so
> 
> server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
> 
> 
> Any help would be greatly appreciated.  If there is any other information you may 
> need, please feel free to ask.  I've read multiple threads; some have gotten 
> it to work without posting answers, some have not and have stated that openvpn does 
> not support multiple prompts.
> 
> Eric
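As an added illustration of the single-prompt "password+otp" form Kevin describes (this is not code from the thread, FreeIPA, SSSD or OpenVPN): the server receives one string, peels the OTP off its end and checks each factor separately. The split rule (the OTP is the last six characters), the TOTP parameters and the password are assumptions; the secret is the RFC 6238 reference key, used here as a constructed sample.

```python
"""Single-prompt 'password+otp' verification for clients that cannot ask twice.

Added illustration, not FreeIPA, SSSD or OpenVPN code: one string arrives,
the OTP is peeled off its end and each factor is checked separately. The
split rule (OTP = last DIGITS characters), the TOTP parameters and the
password are assumptions; the secret is the RFC 6238 reference key, used
here as a constructed sample.
"""
import base64
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # base32 of "12345678901234567890"
SAMPLE_PASSWORD = "hunter2"                           # constructed


def totp(secret_b32, at, digits=DIGITS, step=STEP):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time 'at'."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def split_combined(combined, digits=DIGITS):
    """Split 'password+otp' (no separator) into its two factors; None if malformed."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def verify_combined(combined, password, secret_b32, at, window=1):
    """True only if both the password part and the OTP part are correct."""
    parts = split_combined(combined)
    if parts is None:
        return False
    pw_part, otp_part = parts
    pw_ok = hmac.compare_digest(pw_part.encode(), password.encode())
    # Accept neighbouring time steps to tolerate clock drift between client and server.
    otp_ok = any(hmac.compare_digest(otp_part, totp(secret_b32, at + k * STEP))
                 for k in range(-window, window + 1))
    return pw_ok and otp_ok


if __name__ == "__main__":
    now = 59   # constructed clock; the sample secret yields 287082 at this instant
    combined = SAMPLE_PASSWORD + totp(SAMPLE_SECRET_B32, now)
    print(combined, verify_combined(combined, SAMPLE_PASSWORD, SAMPLE_SECRET_B32, now))
```

Note that a literal "+" between the two factors, as in "hunter2+287082", makes the password part wrong and the whole check fails, which is why the plus must be left out.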


[Freeipa-users] Re: Abstracted NTP server configuration

2018-11-09 Thread Rob Crittenden via FreeIPA-users
Andrey Bychkov via FreeIPA-users wrote:
> Hello! Can I fix my PR according with discussion?

Just one final clarification.

If I read the patch and page correctly the idea is that the packager
chooses the default NTP package (if any). So if no NTP server package is
installed then no server will be configured.

If a user decides they want a different but supported NTP server they
just have to install it and it will be available for configuration.

Am I right? If so can you add this to the design page? With that you
have my +1.

thanks

rob


[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-09 Thread Peter Oliver via FreeIPA-users
On Thu, 8 Nov 2018, 22:29 Fraser Tweedale 
> > On Thu, 8 Nov 2018, 01:41 Fraser Tweedale  >
> > >
> > > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> > > Do the 'userCertificate', 'description' and 'seeAlso' attributes
> > > match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
> > >
> > > If not, update the entry to match the certificate.
> >
> I'm sorry Peter, I told you the wrong user entry.  I should have
> said uid=ipara, not uid=pkidbuser.


I find that uid=ipara already has the expected description and certificate.

-- 
Peter Oliver


[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Natxo Asenjo via FreeIPA-users
On Fri, Nov 9, 2018 at 2:18 PM Sumit Bose via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users
> wrote:
> > hi Sumit,
> >
> >
> > On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <
> > freeipa-users@lists.fedorahosted.org> wrote:
> >
> > >
> > > I would suggest to first check if SSSD can see the certificate as well.
> > > For this please call:
> > >
> > > /usr/libexec/sssd/p11_child -d 10 --debug-fd=1
> --nssdb=/etc/pki/nssdb
> > > --pre
> > >
> > > At the end you should see the base64 encoded certificate with some other
> > > Smartcard details. If not the debug output might help to figure out why
> > > the certificate was not found.
> >
> >
> >
> > ok, it does not see anything:
> > $ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
> > --pre
>
> Ah, sorry, I forgot you use F29. On F29 SSSD does not use NSS anymore.
> Please add your CA
> certificates in PEM format to /etc/sssd/pki/sssd_auth_ca_db.pem and call
>
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1
> --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre
>
> again. Please check man sssd.conf and search for 'openssl' to see the
> differences between the NSS and OpenSSL version.
>
> HTH
>

it did!

Thanks, working perfectly now, awesome.

-- 
regards,
Natxo


[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi Sumit,
> 
> 
> On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> 
> >
> > I would suggest to first check if SSSD can see the certificate as well.
> > For this please call:
> >
> > /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
> > --pre
> >
> > At the end you should see the base64 encoded certificate with some other
> > Smartcard details. If not the debug output might help to figure out why
> > the certificate was not found.
> 
> 
> 
> ok, it does not see anything:
> $ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
> --pre

Ah, sorry, I forgot you use F29. On F29 SSSD does not use NSS anymore.
Please add your CA certificates in PEM format to
/etc/sssd/pki/sssd_auth_ca_db.pem and call

/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre

again. Please check man sssd.conf and search for 'openssl' to see the
differences between the NSS and OpenSSL version.

HTH

bye,
Sumit
> (Fri Nov  9 12:58:37:924551 2018) [[sssd[p11_child[6490 [main]
> (0x0400): p11_child started.
> (Fri Nov  9 12:58:37:924597 2018) [[sssd[p11_child[6490 [main]
> (0x2000): Running in [pre-auth] mode.
> (Fri Nov  9 12:58:37:924612 2018) [[sssd[p11_child[6490 [main]
> (0x2000): Running with effective IDs: [1000][1000].
> (Fri Nov  9 12:58:37:924624 2018) [[sssd[p11_child[6490 [main]
> (0x2000): Running with real IDs [1000][1000].
> (Fri Nov  9 12:58:37:925728 2018) [[sssd[p11_child[6490
> [init_verification] (0x0040): X509_LOOKUP_load_file failed
> [185090184][error:0B084088:x509 certificate
> routines:X509_load_cert_crl_file:no certificate or crl found].
> (Fri Nov  9 12:58:37:925742 2018) [[sssd[p11_child[6490 [do_work]
> (0x0040): init_verification failed.
> (Fri Nov  9 12:58:37:925753 2018) [[sssd[p11_child[6490 [main]
> (0x0040): do_work failed.
> (Fri Nov  9 12:58:37:925762 2018) [[sssd[p11_child[6490 [main]
> (0x0020): p11_child failed!
> 
> but certutil sees it ok, after entering the pin:
> $ certutil -L -d /etc/pki/nssdb/ -h user10
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Enter Password or Pin for "user10":
> user10:Certificate for PIV Authentication                    u,u,u

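An added check for the failure Sumit explains above (this is not SSSD code): on the OpenSSL-based SSSD in Fedora 29, p11_child loads its trust anchors from /etc/sssd/pki/sssd_auth_ca_db.pem, and an empty or missing file produces the "no certificate or crl found" error from X509_load_cert_crl_file seen in Natxo's log. The function below inspects such a bundle before p11_child is run. The sample bundles are constructed strings (a bare DER SEQUENCE header, not real certificates), and the private-key warning is an extra check added here.

```python
"""Sanity-check the PEM CA bundle that p11_child reads on OpenSSL-based SSSD.

Added example, not SSSD code. On Fedora 29, p11_child verifies the smart-card
certificate with OpenSSL against /etc/sssd/pki/sssd_auth_ca_db.pem; an empty
or missing file produces the 'X509_load_cert_crl_file: no certificate or crl
found' failure seen in this thread. The sample bundles are constructed
strings, not real certificates.
"""
import base64
import binascii
import os
import re

DEFAULT_CA_DB = "/etc/sssd/pki/sssd_auth_ca_db.pem"   # path from the thread

# One PEM block: label, base64 body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def inspect_ca_bundle(text):
    """Return a report: counts per PEM type, other block labels, and problems found."""
    report = {"certificates": 0, "crls": 0, "other": [], "errors": []}
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            report["errors"].append(f"{label}: bad base64 ({exc})")
            continue
        if not der or der[0] != 0x30:   # every X.509 object starts with a DER SEQUENCE tag
            report["errors"].append(f"{label}: body is not a DER SEQUENCE")
            continue
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label == "X509 CRL":
            report["crls"] += 1
        else:
            report["other"].append(label)
    if report["certificates"] + report["crls"] == 0:
        # This is the condition under which OpenSSL's X509_load_cert_crl_file fails.
        report["errors"].append("no certificate or crl found")
    if any("PRIVATE KEY" in label for label in report["other"]):
        report["errors"].append("private key material present in a CA trust bundle")
    return report


def bundle_ok(text):
    """True when the bundle would satisfy p11_child's trust-anchor loading."""
    return not inspect_ca_bundle(text)["errors"]


def check_ca_bundle_file(path=DEFAULT_CA_DB):
    """Inspect a bundle on disk; a missing file is reported like an empty one."""
    if not os.path.exists(path):
        return {"certificates": 0, "crls": 0, "other": [],
                "errors": [f"{path} does not exist", "no certificate or crl found"]}
    with open(path, encoding="ascii") as fh:
        return inspect_ca_bundle(fh.read())


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed stand-ins: a DER SEQUENCE wrapping one INTEGER, not a parseable X.509 cert.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_GOOD = _pem("CERTIFICATE", FAKE_DER)
SAMPLE_EMPTY = ""
SAMPLE_WITH_KEY = SAMPLE_GOOD + _pem("PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    for name, text in [("good", SAMPLE_GOOD), ("empty", SAMPLE_EMPTY), ("with key", SAMPLE_WITH_KEY)]:
        print(name, inspect_ca_bundle(text))
```

Run `check_ca_bundle_file()` on the host before calling p11_child; if the report lists "no certificate or crl found", the init_verification failure in the log is expected and the fix is to populate the bundle, as Sumit says.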


[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Natxo Asenjo via FreeIPA-users
hi Sumit,


On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

>
> I would suggest to first check if SSSD can see the certificate as well.
> For this please call:
>
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
> --pre
>
> At the end you should see the base64 encoded certificate with some other
> Smartcard details. If not the debug output might help to figure out why
> the certificate was not found.



ok, it does not see anything:
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
--pre
(Fri Nov  9 12:58:37:924551 2018) [[sssd[p11_child[6490 [main]
(0x0400): p11_child started.
(Fri Nov  9 12:58:37:924597 2018) [[sssd[p11_child[6490 [main]
(0x2000): Running in [pre-auth] mode.
(Fri Nov  9 12:58:37:924612 2018) [[sssd[p11_child[6490 [main]
(0x2000): Running with effective IDs: [1000][1000].
(Fri Nov  9 12:58:37:924624 2018) [[sssd[p11_child[6490 [main]
(0x2000): Running with real IDs [1000][1000].
(Fri Nov  9 12:58:37:925728 2018) [[sssd[p11_child[6490
[init_verification] (0x0040): X509_LOOKUP_load_file failed
[185090184][error:0B084088:x509 certificate
routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov  9 12:58:37:925742 2018) [[sssd[p11_child[6490 [do_work]
(0x0040): init_verification failed.
(Fri Nov  9 12:58:37:925753 2018) [[sssd[p11_child[6490 [main]
(0x0040): do_work failed.
(Fri Nov  9 12:58:37:925762 2018) [[sssd[p11_child[6490 [main]
(0x0020): p11_child failed!

but certutil sees it ok, after entering the pin:
$ certutil -L -d /etc/pki/nssdb/ -h user10

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "user10":
user10:Certificate for PIV Authentication                    u,u,u


[Freeipa-users] Re: sftp file broswer causes 4 (System Error)

2018-11-09 Thread Alfredo De Luca via FreeIPA-users
thanks Alexander. We don't have selinux enabled so good point from you. I
will implement the solution you suggested soon and let you know.
Thanks heaps

Alfredo


On Thu, Nov 8, 2018 at 9:05 PM Alexander Bokovoy 
wrote:

> On to, 08 marras 2018, Alfredo De Luca via FreeIPA-users wrote:
> >Hi alexander. Thanks for your info.
> >Here are 2 logs. One is the pam.log and the other one is the domain.log at
> >the time when we got the error below.
> >
> >Nov  8 17:09:06 sftp-test sshd[25100]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
> >
> >The user to search is nifi_sftp.
> >
> >Thanks heaps and let me know if you need more info
> Do you have SELinux enabled? Disabled?
>
> From the looks of sssd_.log you have trouble with setting
> SELinux for the user:
>
> Thu Nov  8 17:09:06 2018) [sssd[be[novalocal]]] [selinux_child_done]
> (0x0020): selinux_child_parse_response failed: [22][Invalid argument]
>
> This means that most likely you have SELinux disabled completely yet
> SSSD attempts to set up SELinux context and considers its failure a hard
> fail.
>
> Setting
>
>  selinux_provider = none
>
> in [domain/novalocal] section should help if you are not using SELinux.
>
> >Cheers
> >
> >
> >
> >On Wed, Nov 7, 2018 at 3:49 PM Alexander Bokovoy 
> >wrote:
> >
> >> On ke, 07 marras 2018, Alfredo De Luca via FreeIPA-users wrote:
> >> >Hi all. I wonder who resolved this and how?
> >> >I have centos 7 where an sftp server is running. Authentication is with
> >> >freeIPA 4.5.4.
> >> >all the users connect to the sftp server normally but when there are
> >> >multiple connections  randomly I got this error
> >> >
> >> >Nov  7 08:30:09 sftp sshd[23487]: pam_sss(sshd:account): Access denied for user nifi_sftp: 4 (System error)
> >> >
> >> >Not sure why. The same user doesn't have any issue connecting manually
> but
> >> >when different connections from 3 nodes (running a open source sftp
> client
> >> >called NIFI from apache.org) I got that error.
> >> >I have to say that I tried to reproduce with a script running multiple
> >> >connections at the same time and I get the same errors. If I use
> >> >controlmaster mechanism on ssh client I don't get the error at all.
> >> >
> >> >Any idea?
> >> Use sssd debugging to demonstrate why pam_sss is denying access.
> >> https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
> >>
> >> You'd need logs from the sssd_.log and sssd_pam.log related to
> >> the time when there is an attempt to connect with NIFI. Use
> >> debug_level=9 in domain and pam sections to show all logs and provide
> >> them somewhere we can look up.
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
> >
> >
> >--
> >*Alfredo*
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>


-- 
*Alfredo*


[Freeipa-users] Re: Removal & clean up certificates from o=ipaca

2018-11-09 Thread David Goudet via FreeIPA-users
Hello,

I tested deleting a request and a certificate and restarted the IPA stack. It works!

ldapdelete -x -D "cn=directory manager" -W "cn=87289,ou=ca,ou=requests,o=ipaca"
ldapdelete -x -D "cn=directory manager" -W "cn=87273,ou=certificateRepository,ou=ca,o=ipaca"

I am going to generate the list of request and certificate entries that are useless.

Here is a short procedure:

(cn (in ou=certificateRepository,ou=ca,o=ipaca) is equal to the decimal serial number of the x509 certificate)

Back up IPA and save the ipaca tree (sudo ldapsearch -x -h localhost -D "cn=directory manager" -W -b o=ipaca > /var/lib/ipa/backup/all)

Certificate tree purge (ou=certificateRepository,ou=ca,o=ipaca):
1. Identify the entries that have to be excluded (non-garbage certificates: used & expired certificates)
 - Get the serial ID of each certificate in use: sudo openssl x509 -in xxx.crt -text -noout | grep "Seria\|Not\|Sub"
2. Get the garbage certificate list (used & expired certificates are excluded): ldapsearch -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~=)(!(cn=))(certStatus=VALID))' dn | grep "cn=" | sed -e "s/dn: //" -e "/\#/d" > cert_

Request tree purge (ou=ca,ou=requests,o=ipaca):
1. Identify the entries that have to be excluded (non-garbage certificates: used & expired certificates)
 - Get the requestID of each certificate in use: sudo ldapsearch -x -D "cn=directory manager" -W -b "cn=,ou=certificateRepository,ou=ca,o=ipaca" '(subjectName~=)' "metaInfo"
 - Get the requestID of each expired certificate: sudo ldapsearch -x -D "cn=directory manager" -W -b "ou=certificateRepository,ou=ca,o=ipaca" '(&(subjectName~=)(!(certStatus=VALID)))' "metaInfo"
2. Get the garbage certificate request list (used & expired certificates are excluded): sudo ldapsearch -x -D "cn=directory manager" -W -b "ou=ca,ou=requests,o=ipaca" '(&(extdata-req--005fsubject--005fname--002ecn=)(&(!(cn=))(!(cn=' dn | grep "cn=" | sed -e "s/dn: //" -e "/\#/d" > req_

Check that the numbers of request and certificate entries to purge are equal:
grep -c cn= cert_
grep -c cn= req_


(I hope this will help)

Thank you for your response,


- Original Message -
From: "Fraser Tweedale" 
To: "freeipa-users" 
Cc: "David Goudet" 
Sent: Thursday, November 8, 2018 2:28:03 AM
Subject: Re: [Freeipa-users] Removal & clean up certificates from o=ipaca

On Wed, Nov 07, 2018 at 04:29:36PM +0100, David Goudet via FreeIPA-users wrote:
> Hello all,
> 
Hi David,

> I have to clean up a lot of useless certificates in the dirsrv database.
> Because of a resubmit loop on a Certmonger client, I have 99,9% of certificates in the 
> dirsrv database that are useless and not obsolete (expiration in 2020) (it 
> represents ~85 000 certificates).
> 
Did you already resolve the Certmonger resubmit loop?

> These useless certificates produce some issues on FreeIPA:
>  - decrease FreeIPA performances on CLI and GUI
>  - increase the LDAP size
>  - increase size and time of FreeIPA backup
> ...
> 
> Is it possible to purge these certificates in dirsrv database and how? 
> 
Yes.  You can remove them manually.

> I found two branches in LDAP directory about these certificates:
>
> dn: cn=xxx,ou=ca,ou=requests,o=ipaca
> dn: cn=yyy,ou=certificateRepository,ou=ca,o=ipaca
> 
The certificateRepository contains the issued certificates, the
ou=ca,ou=requests contains data about the certificate requests.
Each certificateRepository entry contains a reference to the request
that produced it.

You'll have to manually work out which certs you don't want, delete
its certificateRepository entry (cn is the serial number), and
delete the corresponding request entry.

> I can remove all request and certificate entries from the dirsrv
> database, but how is that supported by the PKI manager Dogtag (CRL,
> certificate generation, OCSP)?
> 
CRLs and OCSP responses are generated using the data from the
certificateRepository.  Forgetting about non-expired certificates is
not valid under X.509, but since you have an operational issue, just
choose carefully which ones you keep and which ones you delete.

Don't delete the entry for any certificates in active use, OR any
non-expired but revoked certificate where you want it to appear in
CRLs or want valid OCSP responses for that certificate.

Also, whatever certificate has the highest serial number, do not
delete it.  When using sequential serial number (which is how Dogtag
gets configured by FreeIPA) upon startup Dogtag looks for the
highest serial number to work out what is the next serial number to
use.  So keep the cert with the highest serial number otherwise
serial numbers will be re-used.

Cheers,
Fraser
-- 
David GOUDET 

LYRA NETWORK 
IT Operations service
Tel : +33 (0)5 32 09 09 74 | Poste : 574
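As an added worked version of the selection rules discussed in this thread (this is not David's or Fraser's code, nor FreeIPA/Dogtag code): given certificateRepository entries, pick the ones that may be purged by David's filter (matching subject, certStatus=VALID, not in use) while honouring Fraser's caveats (never delete revoked-but-unexpired certificates wanted for CRL/OCSP, never delete the highest serial number), pair each with its request entry, and run David's final count check. All entries are constructed sample data, and the `metaInfo: requestId:<n>` format for the request reference is an assumption.

```python
"""Select Dogtag certificateRepository and request entries that may be purged.

Added example, not code from this thread or from FreeIPA/Dogtag. It applies
the selection rules discussed above: keep certificates in active use, keep
expired ones (David's filter only targets certStatus=VALID), keep revoked
ones so CRLs/OCSP stay correct, and never delete the highest serial number.
Every entry below is constructed sample data; the 'metaInfo: requestId:<n>'
format for the request reference is an assumption.
"""
import re

CERT_BASE = "ou=certificateRepository,ou=ca,o=ipaca"
REQ_BASE = "ou=ca,ou=requests,o=ipaca"
SUBJECT = "CN=host1.example.test,O=EXAMPLE.TEST"   # constructed subject


def _cert(cn, subject, status, request_id):
    return {"cn": cn, "subjectName": subject, "certStatus": status,
            "metaInfo": [f"requestId:{request_id}"]}


# Constructed certificateRepository entries; cn is the decimal serial number.
SAMPLE_CERTS = [
    _cert("87270", SUBJECT, "EXPIRED", "10270"),   # expired: excluded by the VALID filter
    _cert("87271", SUBJECT, "VALID", "10271"),     # in active use on the host: keep
    _cert("87272", SUBJECT, "REVOKED", "10272"),   # revoked, unexpired: keep for CRL/OCSP
    _cert("87273", SUBJECT, "VALID", "10273"),     # resubmit-loop duplicate: purge
    _cert("87274", SUBJECT, "VALID", "10274"),     # resubmit-loop duplicate: purge
    _cert("87275", "CN=other.example.test,O=EXAMPLE.TEST", "VALID", "10275"),  # other subject
    _cert("87280", SUBJECT, "VALID", "10280"),     # highest serial: Dogtag needs it at startup
]
# cn values present under ou=ca,ou=requests,o=ipaca in the constructed sample.
SAMPLE_REQUESTS = {"10270", "10271", "10272", "10273", "10274", "10275", "10280"}


def request_id(entry):
    """Extract the request id a certificate entry points at (assumed metaInfo format)."""
    for value in entry.get("metaInfo", []):
        match = re.fullmatch(r"requestId:(\d+)", value)
        if match:
            return match.group(1)
    return None


def select_purge(certs, subject, in_use_serials, known_requests=None):
    """Return (cert_dns, request_dns) that are safe to delete under the rules above."""
    highest = max(int(c["cn"]) for c in certs)     # never delete the highest serial
    cert_dns, request_dns = [], []
    for cert in certs:
        serial = int(cert["cn"])
        if cert["subjectName"] != subject:
            continue
        if cert["certStatus"] != "VALID":            # EXPIRED and REVOKED entries stay
            continue
        if serial in in_use_serials or serial == highest:
            continue
        rid = request_id(cert)
        if rid is None:
            raise ValueError(f"certificate {serial}: no requestId in metaInfo, refusing to guess")
        if known_requests is not None and rid not in known_requests:
            raise ValueError(f"certificate {serial}: request {rid} not found under {REQ_BASE}")
        cert_dns.append(f"cn={cert['cn']},{CERT_BASE}")
        request_dns.append(f"cn={rid},{REQ_BASE}")
    return cert_dns, request_dns


def counts_match(cert_dns, request_dns):
    """David's final sanity check: one request entry per certificate entry."""
    return len(cert_dns) == len(request_dns)


def ldapdelete_commands(dns):
    """Render the deletions as the ldapdelete invocations used in the thread."""
    return [f'ldapdelete -x -D "cn=directory manager" -W "{dn}"' for dn in dns]


if __name__ == "__main__":
    certs, reqs = select_purge(SAMPLE_CERTS, SUBJECT, {87271}, SAMPLE_REQUESTS)
    assert counts_match(certs, reqs)
    for line in ldapdelete_commands(certs + reqs):
        print(line)
```

The in-use serial set comes from the `openssl x509 -noout -text` step of David's procedure, and the highest serial is computed over the whole repository (not only the matching subject) because Dogtag derives its next serial from it at startup, as Fraser notes.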

[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Sumit Bose via FreeIPA-users
On Fri, Nov 09, 2018 at 10:56:31AM +0100, Natxo Asenjo via FreeIPA-users wrote:
> On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> 
> > On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users
> > wrote:
> > > hi,
> > >
> > > trying to get smart card authentication using a yubikey.
> > >
> > > I follow the
> > >
> > > $ opensc-tool --list-readers
> > > # Detected readers (pcsc)
> > > Nr.  Card  Features  Name
> > > 0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00
> > >
> > > I managed to import a key and certificate (generated by openssl):
> > >
> > > $ yubico-piv-tool -a status -v
> > > trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
> > > Action 'status' does not need authentication.
> > > Now processing for action 'status'.
> > > CHUID:          No data available
> > > CCC:            No data available
> > > Slot 9a:
> > >         Algorithm:      RSA2048
> > >         Subject DN:     O=UNIX.ASENJO.NL, CN=user50
> > >         Issuer DN:      O=UNIX.ASENJO.NL, CN=Certificate Authority
> > >         Fingerprint:    dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
> > >         Not Before:     Nov  8 22:40:02 2018 GMT
> > >         Not After:      Nov  8 22:40:02 2020 GMT
> > > PIN tries left: 3
> > >
> > > And this user50 has this certificate in ipa.
> > >
> > > My trouble starts when running this step on the client:
> > >
> > > # modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so
> > > -force
> > > ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11
> > > error."
> > >
> > > I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
> > > /usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
> > >
> > > So, basically, I'm stuck now :(, because without this piece opensc cannot
> > > work apparently.
> > >
> > > This is a fedora 29 host, by the way.
> > >
> > > Any clues?
> >
> > Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
> > p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
> > p11-kit-proxy is added by default to the NSS databases and the PKCS#11
> > modules only register with p11-kit.
> >
> >
> It definitely does:
>   2. p11-kit-proxy
>         library name: p11-kit-proxy.so
>            uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
>          slots: 1 slot attached
>         status: loaded
>
>          slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
>         token: user50
>           uri: pkcs11:token=user50;manufacturer=piv_II;serial=;model=PKCS%2315%20emulated
> 
> so what should I do to enable smartcard auth then? When I try logging in as
> this user in gdm it never prompts me for a pin:
> 
> I have
> [pam]
> pam_cert_auth = True
> 
> in /etc/sssd/sssd.conf

I would suggest to first check if SSSD can see the certificate as well.
For this please call:

/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre

At the end you should see the base64 encoded certificate with some other
Smartcard details. If not the debug output might help to figure out why
the certificate was not found.

bye,
Sumit

> 
> 
> --
> Groeten,
> natxo



[Freeipa-users] Re: smartcard yubikey opensc-pkcs11.so error

2018-11-09 Thread Natxo Asenjo via FreeIPA-users
On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users
> wrote:
> > hi,
> >
> > trying to get smart card authentication using a yubikey.
> >
> > I follow the
> >
> > $ opensc-tool --list-readers
> > # Detected readers (pcsc)
> > Nr.  Card  Features  Name
> > 0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00
> >
> > I managed to import a key and certificate (generated by openssl):
> >
> > $ yubico-piv-tool -a status -v
> > trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
> > Action 'status' does not need authentication.
> > Now processing for action 'status'.
> > CHUID:          No data available
> > CCC:            No data available
> > Slot 9a:
> >         Algorithm:      RSA2048
> >         Subject DN:     O=UNIX.ASENJO.NL, CN=user50
> >         Issuer DN:      O=UNIX.ASENJO.NL, CN=Certificate Authority
> >         Fingerprint:    dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
> >         Not Before:     Nov  8 22:40:02 2018 GMT
> >         Not After:      Nov  8 22:40:02 2020 GMT
> > PIN tries left: 3
> >
> > And this user50 has this certificate in ipa.
> >
> > My trouble starts when running this step on the client:
> >
> > # modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so
> > -force
> > ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11
> > error."
> >
> > I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
> > /usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
> >
> > So, basically, I'm stuck now :(, because without this piece opensc cannot
> > work apparently.
> >
> > This is a fedora 29 host, by the way.
> >
> > Any clues?
>
> Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
> p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
> p11-kit-proxy is added by default to the NSS databases and the PKCS#11
> modules only register with p11-kit.
>
>
It definitely does:
  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
        token: user50
          uri: pkcs11:token=user50;manufacturer=piv_II;serial=;model=PKCS%2315%20emulated

so what should I do to enable smartcard auth then? When I try logging in as
this user in gdm it never prompts me for a pin:

I have
[pam]
pam_cert_auth = True

in /etc/sssd/sssd.conf


--
Groeten,
natxo


[Freeipa-users] Re: Abstracted NTP server configuration

2018-11-09 Thread Andrey Bychkov via FreeIPA-users

Hello! Can I fix my PR according with discussion?