On Sat, Mar 05, 2016 at 10:25:47AM -0600, Kenneth Schwartz wrote:
> I hope somebody can answer this for me and clarify questions I have about this
> process.  If this is not the right place to ask the question please tell me
> where I might be able to get answers to my questions.
> 
> I want a Linux machine to become a user of the Active Directory.  Does SSSD
> configure you to be part of the Windows domain or is it only using a small
> part such as list, positions of things, resource sharing, etc.?  Or is it a
> full-fledged Windows user?  I want to know about the process of enrolling the
> CAC with the PKI/Windows domain/Active Directory.  When you log in with the
> smartcard/CAC, when and how does enrollment occur?  I think enrollment could
> be one of two things: you could use the certificates/identifier number from
> the CAC to enroll and be in Active Directory/PKI.  What is the enrollment
> PKI?  I want to understand the associations between the CAC, Windows, and
> what information is stored.  I don't think it's the certificate, but just
> the number.  Once you've logged into the machine, does it use certificates
> from the CAC, and how does the information get there?  How do you associate
> the CAC with the Windows user from Active Directory?  How do you connect
> using your key?  Once you're on a machine and you need to log in to a Linux
> machine that's a member and you want to prove who you are from a machine
> that has become part of Active Directory, how do you know?  Does Linux
> associate the CAC the same way that Windows does?  For SSH?  kinit
> involvement?
> Does the SSSD module or PAM module handle session tickets or does it only
> give you your initial ticket granting ticket?

Please have a look at
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD
Here I showed what is needed to use SSSD based Smartcard
authentication with Active Directory. Since you are interested in CAC
cards, i.e. you already have the certificates signed by an external CA,
the
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationTestingWithAD#CertificatefromanexternalCA
section might be most interesting for you.

As you can see from the page, the current version of SSSD tries to find
the whole certificate in the AD user entry. To associate a certificate
with an AD user you have to add the certificate to the user entry, e.g.
with ldapmodify as shown on the page.

In future versions of SSSD we plan to add mapping rules which will make
it possible to connect the AD user and the certificate in different
ways. Nevertheless, for the CAC case it might always be needed to add
some data to the AD user entry because AFAIK the CAC certificates are
generated externally and by default have no data which might help to
identify the user; hence the needed data has to be added to AD.

HTH

bye,
Sumit
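As an added illustration of the "add the whole certificate to the AD user entry" step above (example code, not Sumit's or the SSSD project's own): the script turns a PEM-exported CAC certificate into the LDIF that ldapmodify consumes and prints a fingerprint to cross-check against the card. It assumes the target attribute is AD's userCertificate, uses a hypothetical user DN, and a constructed stand-in for the DER bytes so it runs offline.

```python
import base64
import hashlib
import re

# Constructed stand-in: NOT a real certificate, just bytes so the example runs
# offline. In practice read the PEM exported from the CAC's authentication cert.
SAMPLE_DER = bytes(range(256)) * 2
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first certificate in a PEM string (whitespace-tolerant)."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def ldif_fold(line: str, width: int = 76) -> str:
    """Fold one LDIF line per RFC 2849: continuation lines start with a space."""
    chunks = [line[:width]]
    chunks += [line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n ".join(chunks)

def cert_modify_ldif(user_dn: str, der: bytes, attr: str = "userCertificate") -> str:
    """LDIF that ldapmodify applies to add the whole DER cert to the user entry.

    '::' marks a base64 value, required because DER is binary. SSSD then looks
    for this complete certificate in the user entry, as the reply explains.
    """
    b64 = base64.b64encode(der).decode()
    return (f"dn: {user_dn}\nchangetype: modify\nadd: {attr}\n"
            + ldif_fold(f"{attr}:: {b64}") + "\n")

def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER, to cross-check the pushed value against the card."""
    return hashlib.sha256(der).hexdigest()

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    # Hypothetical DN; substitute the real user's distinguishedName.
    print(cert_modify_ldif("CN=cacuser,CN=Users,DC=ad,DC=example", der))
    print("sha256:", fingerprint(der))
```

Feed the printed LDIF to `ldapmodify` against the domain controller; comparing the fingerprint with the one shown by the card's own tooling catches pushing the wrong certificate (e.g. the signing cert instead of the authentication cert).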

> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]