On Thu, Apr 27, 2017 at 03:27:47PM -0000, [email protected] wrote:
> Thank you, EKU clientAuth was missing, including it got p11_child working.
>
> However still no luck with using the key with sssd and pkinit. kinit works
> fine with the key, but login (tty and lightdm) never asks for the pin.
> Instead it asks for a password two times and accepts the second as a local
> user-no-kerberos-login, when the key is plugged in, and only one time when
> the key is not plugged in, giving me a kerberos login with ticket.
You most probably have to tweak your PAM configuration. In Fedora something like

    auth required pam_env.so
    auth [default=1 success=ok] pam_localuser.so
    auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth sufficient pam_sss.so forward_pass
    auth required pam_deny.so

is used. The pam_localuser line makes sure pam_unix (which can only ask
for a password) is only used for local users and pam_sss can prompt for
SSSD users.
Additionally you might need to call
touch /var/lib/sss/pubconf/pam_preauth_available
to enable an additional round-trip between pam_sss and SSSD to check
which authentication methods are available for the user so that pam_sss
can prompt accordingly. Since this round-trip adds some time to the
login process it is not activated by default.
HTH
bye,
Sumit
>
> I looked into the code and did some debugging and found that krb5_child
> signals SSS_CERT_AUTH_PROMPTING (code 12) to pam_sss, which it does not know
> how to handle. But I may be totally mistaken here. And anyway without clue.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
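As an added example (not code from Sumit or the SSSD project), here is a small Python check that parses the auth lines of a pam.d file and verifies the ordering described above: pam_localuser skips pam_unix for non-local users, and pam_sss with forward_pass sits after the skipped modules. The sample stack is constructed from the thread; the parser assumes single-line entries (no trailing backslash continuations).

```python
import re

# Constructed sample, not from the thread's author: the Fedora-style auth
# stack quoted above, with the wrapped "try_first_pass" rejoined to pam_unix.
SAMPLE_PAM_AUTH = """\
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# type, control (bracketed or keyword), module, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_auth_stack(text):
    """Return [(control, module, [args])] for the 'auth' lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = LINE_RE.match(line) if line else None
        if m and m.group(1) == "auth":
            stack.append((m.group(2), m.group(3), (m.group(4) or "").split()))
    return stack


def check_smartcard_stack(text):
    """Findings for the ordering the thread describes; an empty list means it matches."""
    stack = parse_auth_stack(text)
    modules = [mod for _, mod, _ in stack]
    if "pam_localuser.so" not in modules:
        return ["pam_localuser.so missing: pam_unix will prompt every user for a password"]
    findings = []
    lu = modules.index("pam_localuser.so")
    # [default=N ...] on pam_localuser skips the next N modules for non-local users
    m = re.search(r"default=(\d+)", stack[lu][0])
    skip = int(m.group(1)) if m else 0
    if "pam_unix.so" not in modules[lu + 1:lu + 1 + skip]:
        findings.append("pam_unix.so is not skipped for non-local users (needs default=N on pam_localuser)")
    # pam_sss must come after the skipped window, with forward_pass
    sss = [args for _, mod, args in stack[lu + 1 + skip:] if mod == "pam_sss.so"]
    if not sss:
        findings.append("pam_sss.so must follow the modules skipped by pam_localuser")
    elif "forward_pass" not in sss[0]:
        findings.append("pam_sss.so lacks forward_pass")
    return findings
```

Run it against a copy of /etc/pam.d/system-auth (or the authconfig/authselect-generated file on your distribution); the separate touch of /var/lib/sss/pubconf/pam_preauth_available from the reply is not covered by this check.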