Got smartcard auth working once I added my smart card cert to my user account in AD. So thats good! Kerberos/pkinit seems to work also (I already had that setup to work with pam_krb5 before), also good!
But is adding the smartcard cert to AD accounts the 'correct' way to go about this or is there something new and better/easier, as the blog post hinted about? //Adam 2017-10-19 13:17 GMT+02:00 Winberg, Adam <[email protected]>: > I've been debugging the OCSP issue as well and we can see that the OCSP > server responds to the request. This response is signed by a cert which is > issued by our CA, and that cert is indeed in my nssdb. So should this not > work? Do I have to have the actual OCSP server cert in nssdb, does > certificate chaining not work here? > > Regards > Adam > > 2017-10-19 12:39 GMT+02:00 Winberg, Adam <[email protected]>: > >> Thanks a bunch, disabling oscp verification works (and to test with >> p11_child you can set the parameter '--verify=no_ocsp'). >> >> So, now I can see in debug logs that sssd finds my smartcard certificate >> but now it fails trying to verify it against the provider (AD). So what are >> the requirements for this to work on 7.4? This page: >> >> http://rhelblog.redhat.com/2017/09/26/smart-card-support-in- >> red-hat-enterprise-linux/ >> >> implies that it is not longer necessary to store the entire certificate >> for the user in AD. It instead mentions a 'special attribute' but there is >> no detailed information about it there. Is there any more documentation >> about this? >> >> Thanks, >> Adam >> >> >> 2017-10-19 11:19 GMT+02:00 Sumit Bose <[email protected]>: >> >>> On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote: >>> > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We >>> > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify >>> this >>> > by using sssd instead. Unfortunately I cant get it to work, sssd does >>> not >>> > seem to detect my smartcard certificate. >>> > >>> > Running p11_child I get the following: >>> > >>> > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 >>> > --nssdb=/etc/pki/nssdb --pin >>> > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main] >>> > (0x0400): p11_child started. >>> > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main] >>> > (0x2000): Running in [pre-auth] mode. >>> > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main] >>> > (0x2000): Running with effective IDs: [0][0]. >>> > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main] >>> > (0x2000): Running with real IDs [0][0]. >>> > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Default Module List: >>> > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): common name: [NSS Internal PKCS #11 Module]. >>> > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): dll name: [(null)]. >>> > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): common name: [p11-kit-trust]. >>> > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so]. >>> > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): common name: [OpenSC PKCS #11 Module]. >>> > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so]. >>> > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Dead Module List: >>> > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): DB Module List: >>> > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): common name: [NSS Internal Module]. >>> > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): dll name: [(null)]. >>> > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): common name: [Policy File]. >>> > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): dll name: [(null)]. >>> > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Description [NSS User Private Key and Certificate Services >>> > Mozilla Foundation ] Manufacturer [Mozilla >>> > Foundation ] flags [1]. >>> > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Description [NSS Internal Cryptographic Services >>> > Mozilla Foundation ] Manufacturer [Mozilla >>> > Foundation ] flags [1]. >>> > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Description [/usr/share/pki/ca-trust-source >>> > PKCS#11 Kit ] Manufacturer [PKCS#11 >>> Kit >>> > ] flags [1]. >>> > (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Description [/etc/pki/ca-trust/source >>> > PKCS#11 Kit ] Manufacturer [PKCS#11 >>> Kit >>> > ] flags [1]. >>> > (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Description [Alcor Micro AU9540 00 00 >>> > Generic ] Manufacturer [Generic >>> > ] flags [7]. >>> > (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro >>> > AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so]. >>> > (Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Token is NOT friendly. >>> > (Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Trying to switch to friendly to read certificate. >>> > (Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Login required. >>> > (Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x0020): Login required but no pin available, continue. >>> > (Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): found cert[identification (Instant EID >>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] >>> > (Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): Filtered certificates: >>> > (Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): found cert[identification (Instant EID >>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] >>> > (Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x0040): Certificate [identification (Instant EID >>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid >>> [-8062], >>> > skipping. >>> > (Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work] >>> > (0x4000): No certificate found. >>> > >>> > >>> > What does the error code '-8062' mean? >>> >>> "The signer of the OCSP response is not authorized to give status for >>> this certificate." >>> >>> Please see e.g. >>> https://www-archive.mozilla.org/projects/security/pki/nss/re >>> f/ssl/sslerr.html >>> for other error codes as well. I will add a text output to the error >>> code in one of the upcoming versions. >>> >>> It looks like the certificate of the OCSP responder cannot be validated. >>> Please add the related CA certificates to /etc/pki/nssdb. As an >>> alternative if you do not want to use OCSP you can disable it by setting >>> >>> certificate_verification = no_ocsp >>> >>> in the [sssd] section of sssd.conf (see man sssd.conf for details) >>> >>> HTH >>> >>> bye, >>> Sumit >>> > >>> > Regards, >>> > Adam >>> >>> > _______________________________________________ >>> > sssd-users mailing list -- [email protected] >>> > To unsubscribe send an email to [email protected] >>> osted.org >>> _______________________________________________ >>> sssd-users mailing list -- [email protected] >>> To unsubscribe send an email to [email protected] >>> >> >> >
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
