On Tue, Jun 06, 2017 at 03:22:28PM -0000, [email protected] wrote:
> Eventually I've got a working setup with PKINIT, Smartcard and sssd 1.15.2 in 
> a Ubuntu/Unity-Environment. However, login fails, if both krb5 kdc and ldap 
> id provider are offline. Is offline mode for smartcard authentication vs 
> kerberos supposed to work at all in sssd or are there more requirements to be 
> met than those already mentioned here?
> 
> Especially, are there any requirements on the subject dn in the certificate? 
> I am looking at an error message in the logs that is only there in offline 
> mode:
> 
> sssd_pam.log:(Tue Jun  6 15:52:57 2017) [sssd[pam]] [pam_dom_forwarder] 
> (0x0400): User and certificate user do not match, continue with other 
> authentication methods.
> 
> As for Kerberos, the subject of the certificate has no meaning; the kerberos 
> principal name is encoded as a subject alternative name id-pki-san 
> extension. So we did not choose anything special for the subject name of the 
> certificates. 

If offline, SSSD just checks the certificate and the PIN on its own.
To map the certificate to the user, the full certificate is used, because
it should have been saved to the cache by a previous online
authentication.

The log message indicates that the certificate is not properly stored in
the cache; at least, searching the cache for the user and for the certificate
returns different objects.

Can you send the full sssd_pam.log file to see if there are more hints
why one of the searches in the offline case does not find the right
object?

bye,
Sumit
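
As an added illustration of the two offline cache lookups described above (a simplified model, not SSSD's own code or cache format): the user entry is found once by name and once by the full presented certificate, and the "User and certificate user do not match" condition arises whenever those two searches do not land on the same entry. Certificate bytes and user names are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the SSSD cache. Real SSSD keeps user entries in an
# LDB database; this only models the lookups the reply talks about.
@dataclass
class CachedUser:
    name: str
    certs_der: list = field(default_factory=list)  # DER blobs saved at last online login

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def lookup_by_name(cache, name):
    return next((u for u in cache if u.name == name), None)

def lookup_by_cert(cache, der):
    # Match on the whole certificate, not on subject DN or SAN.
    fp = fingerprint(der)
    return next((u for u in cache if fp in (fingerprint(c) for c in u.certs_der)), None)

def offline_match(cache, name, presented_der):
    """Return (ok, reason); ok only when both lookups hit the same cache entry."""
    by_name = lookup_by_name(cache, name)
    by_cert = lookup_by_cert(cache, presented_der)
    if by_name is None:
        return False, "user not in cache"
    if by_cert is None:
        return False, "certificate not in cache (no prior online login with it?)"
    if by_name is not by_cert:
        return False, "User and certificate user do not match"
    return True, "ok"

# Constructed sample certificates (placeholders, not real DER).
CERT_ALICE_V1 = b"constructed-der:alice:v1"
CERT_ALICE_V2 = b"constructed-der:alice:v2"   # renewed card, never seen online
CERT_BOB = b"constructed-der:bob:v1"

CACHE = [CachedUser("alice", [CERT_ALICE_V1]), CachedUser("bob", [CERT_BOB])]

if __name__ == "__main__":
    for user, cert in [("alice", CERT_ALICE_V1), ("alice", CERT_ALICE_V2), ("alice", CERT_BOB)]:
        print(user, offline_match(CACHE, user, cert))
```

Each failure reason corresponds to a different thing to check in sssd_pam.log: a cached entry with no certificate, a certificate that was never cached (renewed card), or a certificate cached under another user.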

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]