Re: [Freeipa-users] RHEL 6.9 AD Smart Card login

2017-04-11 Thread Sumit Bose
On Tue, Apr 11, 2017 at 04:24:51PM +, spammewo...@cox.net wrote:
> I made the changes in this Bugzilla report and it's still failing. When I
> click on Smartcard Authentication on the GDM login screen, I get the error
> message "Authentication failure". It looks like this Bugzilla was for IDM
> users using smart cards. I'm trying to use Active Directory users and
> smart cards.

Using IdM or AD shouldn't make a difference here. Did you change
/etc/pam.d/smartcard-auth according to comment #8 (similar changes are
needed on RHEL7 as well)? Please send the full SSSD logs, especially
sssd_pam.log, with debug_level=10 and /var/log/secure. Feel free to send
them to me directly if you do not want to share them on the list.

bye,
Sumit


Re: [Freeipa-users] RHEL 6.9 AD Smart Card login

2017-04-11 Thread spammewoods
I made the changes in this Bugzilla report and it's still failing.
When I click on Smartcard Authentication on the GDM login screen, I get
the error message "Authentication failure". It looks like this
Bugzilla was for IDM users using smart cards. I'm trying to use
Active Directory users and smart cards.


Here is my error log from /var/log/sssd/p11_child.log:
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x0400): p11_child started.
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running in [pre-auth] mode.
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [main] (0x2000): Running with real IDs [0][0].
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Default Module List:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [CoolKey PKCS #11 Module].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [libcoolkeypk11.so].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Dead Module List:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): DB Module List:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): common name: [Policy File].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation  ] Manufacturer [Mozilla Foundation ] flags [1].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation  ] Manufacturer [Mozilla Foundation ] flags [1].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Description [SCM SCR 3310 00 00 Unknown ] Manufacturer [Unknown ] flags [7].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Found [SMITH.RYAN.123456] in slot [SCM SCR 3310 00 00][1] of module [2].
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Token is NOT friendly.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Login required.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x0020): Login required but no pin available, continue.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Encryption Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): Filtered certificates:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893]]]] [do_work] (0x4000): More than one certificate found, using just the first one.


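As an added example (not code from this thread or from SSSD itself), a small Python parser for the p11_child debug records posted above: it re-joins lines the mail client wrapped, tolerates the closing brackets the archive stripped after the PID, and reports which certificates p11_child found, which survived filtering, which one it will actually use, and the warnings that explain a silent fallback (no PIN available, OCSP disabled, first-of-several certificate chosen). The sample log is constructed from this thread's excerpt.

```python
"""Summarise an SSSD p11_child debug log: certs found, certs kept, warnings."""
import re
from typing import Dict, List, Tuple

# One SSSD debug record. The closing brackets after the PID are optional
# because mail archives often strip them ("[[sssd[p11_child[14893 [main]").
RECORD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+\[\[sssd\[(?P<proc>[^\[\]]+)\[(?P<pid>\d+)\]*\s+"
    r"\[(?P<func>[^\]]+)\]\s+\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$"
)
CERT_RE = re.compile(r"found cert\[(?P<label>[^\]]*)\]\[(?P<subject>[^\]]*)\]")
SSSDBG_CRIT_FAILURE = 0x0020  # SSSD debug level: non-fatal critical failure

def parse_records(text: str) -> List[Dict[str, str]]:
    """Split log text into records, re-joining lines a mail client wrapped."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:  # continuation of the previous record's message
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def summarise(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Return found/filtered certs, the cert p11_child will use, and warnings."""
    found: List[Tuple[str, str]] = []
    filtered: List[Tuple[str, str]] = []
    warnings: List[str] = []
    target = found
    for r in records:
        msg = r["msg"]
        if msg.startswith("Filtered certificates"):
            target = filtered  # everything logged after this line passed the filter
        cm = CERT_RE.search(msg)
        if cm:
            target.append((cm["label"], cm["subject"]))
        if int(r["level"], 16) == SSSDBG_CRIT_FAILURE or msg.startswith("More than one certificate"):
            warnings.append(msg)
        if "disabling OCSP" in msg:
            warnings.append("OCSP revocation checking is disabled (no_ocsp)")
    return {"found": found, "filtered": filtered, "warnings": warnings,
            "selected": filtered[0] if filtered else None}

# Constructed sample modelled on this thread's excerpt; some records are wrapped as a mail client does.
SAMPLE = """\
(Tue Apr 11 11:24:45 2017) [[sssd[p11_child[14893]]]] [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling OCSP.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x0020):
Login required but no pin available, continue.
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000):
found cert[SMITH.RYAN.123456:PIV ID
Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Encryption Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000): Filtered certificates:
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV ID Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000): found cert[SMITH.RYAN.123456:PIV Email Signature Certificate][CN=SMITH.RYAN.123456,OU=WORKER,OU=PKI,OU=HOME]
(Tue Apr 11 11:24:46 2017) [[sssd[p11_child[14893 [do_work] (0x4000): More than one certificate found, using just the first one.
"""
```

Run `summarise(parse_records(SAMPLE))` to see which certificate p11_child will hand to the PAM responder; on a real log, feed the contents of /var/log/sssd/p11_child.log instead of SAMPLE.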
Re: [Freeipa-users] RHEL 6.9 AD Smart Card login

2017-04-07 Thread Sumit Bose
On Thu, Apr 06, 2017 at 06:36:43PM +, spammewo...@cox.net wrote:
> I have created a two way trust between my IDM server and Active Directory.
> I have been able to successfully get a RHEL 7.3 IDM server and RHEL 7.3 IDM
> clients to allow Active Directory login using CAC smart cards into Gnome.
> I'm using SSSD for the smart card login process instead of authconfig and
> pkcs11. I'm currently trying to get the same thing working for RHEL 6.9,
> but I have not been able to get it to work. The latest version of SSSD on
> RHEL 6.9 is 1.13.3 and from my understanding I need to have at least 1.14.0
> for SSSD to handle AD smart card logins. So, I have tried to configure

The Smartcard authentication feature was backported to RHEL-6.9.

Please note that the GDM Smartcard feature must be configured
differently in RHEL6 than in RHEL7; details for RHEL-6.9 can, e.g., be found
in https://bugzilla.redhat.com/show_bug.cgi?id=1300421#c13

HTH

bye,
Sumit


[Freeipa-users] RHEL 6.9 AD Smart Card login

2017-04-06 Thread spammewoods
I have created a two way trust between my IDM server and Active
Directory. I have been able to successfully get a RHEL 7.3 IDM server and
RHEL 7.3 IDM clients to allow Active Directory login using CAC smart
cards into Gnome. I'm using SSSD for the smart card login process
instead of authconfig and pkcs11. I'm currently trying to get the same
thing working for RHEL 6.9, but I have not been able to get it to work.
The latest version of SSSD on RHEL 6.9 is 1.13.3 and, from my
understanding, I need to have at least 1.14.0 for SSSD to handle AD smart
card logins. So, I have tried to configure the pam_pkcs11.conf file to
use the pwent mapper to link the Common Name (CN) to the Active
Directory user account. I have created a User ID Override for the AD
user and added the CN name from the certificate on the smart card into the
GECOS field. I also have added all three certificates from the CAC
smart card into the User ID Override.


When I try and log in, I get this error message in /var/log/secure:
Apr  6 13:21:57 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error
Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed:  on cert #1
Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): find_user() failed:  on cert #2
Apr  6 13:22:17 site-lws05 pam: gdm-smartcard: pam_pkcs11(gdm-smartcard:auth): no valid certificate which meets all requirements found


Here are some details:
IDM Domain: idm.domain.local
Windows Domain: domain.local
RHEL 7.3 IDM Server: site-idm01.idm.domain.local
RHEL 6.9 IDM Client : site-lws05.idm.domain.local

When I run the getent command on local accounts and IDM accounts I get
user details, but when I run the command on AD accounts it doesn't find
them. So, I'm wondering if that's why it's not finding the CN name in
the GECOS field. I'm trying to avoid using the cn_map on the clients,
because we have a large amount of users and that's a lot of extra work to
manage that file. That's why I wanted to use the pwent mapper.

Here is my SSSD config file from the RHEL 6.9 client:
[domain/idm.domain.local]
override_shell = /bin/bash
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = idm.domain.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = site-lws05.idm.domain.local
chpass_provider = ipa
ipa_server = _srv_, site-idm01.idm.domain.local
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
debug_level = 9
services = nss, sudo, pam, ssh, ifp
domains = idm.domain.local
certificate_verification = no_ocsp
ldap_user_certificate = userCertificate;binary
[nss]
debug_level = 9
homedir_substring = /home
[pam]
debug_level = 9
pam_cert_auth = True
[sudo]
debug_level = 9
[autofs]
debug_level = 9
[ssh]
debug_level = 9
[pac]
debug_level = 9
[ifp]
debug_level = 9

Here is my nsswitch file from the RHEL 6.9 client:
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus Use NIS+ (NIS version 3)
#   nis Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:db files nisplus nis
#shadow:db files nisplus nis
#group: db files nisplus nis
passwd: files sss
shadow: files sss
group:  files sss
#hosts: db files nisplus nis dns
hosts:  files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files sss
aliases:files nisplus
sudoers: files sss

Here is my system-auth from the RHEL 6.9 client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is