Re: [Freeipa-users] FreeIPA smart card how to

2016-02-02 Thread Michael Rainey (Contractor)
Okay.  I haven't been able to get around this issue. I can log in using my 
username, my card is recognized by GDM and reads the card as expected, 
but I am unable to log in using my smartcard.  From what I can see in the 
logs the common name on my card doesn't match the username on my test 
account.


Feb  2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving user name '' to uid/gid pair
Feb  2 13:00:05 cabildo gdm-smartcard]: pam_krb5[5152]: error getting information about '
Feb  2 13:00:06 cabildo gdm-smartcard]: pam_unix(gdm-smartcard:account): could not identify user (from getpwnam())
Feb  2 13:00:06 cabildo gdm-smartcard]: pam_sss(gdm-smartcard:account): Access denied for user : 10 (User not known to the underlying authentication module)
Feb  2 13:00:06 cabildo gdm-smartcard]: pam_krb5[5152]: error resolving user name '' to uid/gid pair
Feb  2 13:00:13 cabildo gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error


Where do I go from here?

*Michael Rainey*
NRL 7320
Computer Support Group
Building 1009, Room C156
Stennis Space Center, MS 39529
On 02/02/2016 09:56 AM, Martin Kosek wrote:

On 02/02/2016 04:49 PM, Michael Rainey (Contractor) wrote:

Greetings FreeIPA Community,

I have been testing and working with the smart card login feature of the IPA
server, and have had some successes with this project. However, my latest
server/client setup isn't working as expected.  I can see where the problem is
occurring, which is the Common Name on the Card is not being mapped to the
proper attribute on the IPA server. So here's my question: Is there a howto
which explains how and where this mapping occurs?  Is this something I can
configure myself, or is it hard coded?

At the moment, the Smart Card support present in SSSD looks up the user by
searching with a blob containing the whole SC certificate. This BTW means that
the certificate needs to be present in the user entry in FreeIPA to make sure it
matches; no other mapping mechanism is available yet. We have some plans though:

http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

If you are interested in HOWTOs, Nathan Kinder put together pretty neat blog
posts on how to get Smart Card authentication working:

http://www.freeipa.org/page/V4/User_Certificates#References

HTH,
Martin


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] FreeIPA smart card how to

2016-02-02 Thread Martin Kosek
On 02/02/2016 04:49 PM, Michael Rainey (Contractor) wrote:
> Greetings FreeIPA Community,
> 
> I have been testing and working with the smart card login feature of the IPA
> server, and have had some successes with this project. However, my latest
> server/client setup isn't working as expected.  I can see where the problem is
> occurring, which is the Common Name on the Card is not being mapped to the
> proper attribute on the IPA server. So here's my question: Is there a howto
> which explains how and where this mapping occurs?  Is this something I can
> configure myself, or is it hard coded?

At the moment, the Smart Card support present in SSSD looks up the user by
searching with a blob containing the whole SC certificate. This BTW means that
the certificate needs to be present in the user entry in FreeIPA to make sure it
matches; no other mapping mechanism is available yet. We have some plans though:

http://www.freeipa.org/page/V4/User_Certificates#Certificate_Identity_Mapping

If you are interested in HOWTOs, Nathan Kinder put together pretty neat blog
posts on how to get Smart Card authentication working:

http://www.freeipa.org/page/V4/User_Certificates#References

HTH,
Martin
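
[Added example, not part of Martin's message and not SSSD or FreeIPA code: a sketch of the whole-certificate lookup described above. It assumes the certificate is stored in the userCertificate;binary attribute; the byte strings, uids and helper names are constructed for illustration.]

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """Decode the first PEM certificate block to its raw DER bytes."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def der_to_pem(der):
    """Wrap raw bytes in PEM armour (used here only to build sample input)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def cert_filter(der, attr="userCertificate;binary"):
    """RFC 4515 equality filter: every octet of the value escaped as \\XX."""
    return "(%s=%s)" % (attr, "".join("\\%02x" % b for b in der))

def lookup(directory, der):
    """uids whose stored certificates include one byte-identical to der."""
    return sorted(uid for uid, certs in directory.items() if der in certs)

# Constructed stand-ins for DER certificates (not real X.509): same subject
# text, different serial byte, as after a card is reissued.
ENROLLED = b"\x30\x82\x01\x0a\x02\x01\x01CN=alice"
REISSUED = b"\x30\x82\x01\x0a\x02\x01\x02CN=alice"
DIRECTORY = {"alice": [ENROLLED], "bob": [b"\x30\x82\x01\x0a\x02\x01\x07CN=bob"]}

if __name__ == "__main__":
    for label, der in (("enrolled", ENROLLED), ("reissued", REISSUED)):
        card = pem_to_der(der_to_pem(der))
        print(label, cert_filter(card)[:40] + "...", "->", lookup(DIRECTORY, card))
```

[The reissued blob carries the same CN but resolves to no user, because the match is on the full certificate bytes rather than on any field inside it.]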



[Freeipa-users] FreeIPA smart card how to

2016-02-02 Thread Michael Rainey (Contractor)

Greetings FreeIPA Community,

I have been testing and working with the smart card login feature of the 
IPA server, and have had some successes with this project. However, my 
latest server/client setup isn't working as expected.  I can see where the 
problem is occurring, which is the Common Name on the Card is not being 
mapped to the proper attribute on the IPA server. So here's my question: 
Is there a howto which explains how and where this mapping occurs?  Is 
this something I can configure myself, or is it hard coded?


Sincerely,
--
*Michael Rainey*