Got smartcard auth working once I added my smart card cert to my user
account in AD. So thats good! Kerberos/pkinit seems to work also (I already
had that setup to work with pam_krb5 before), also good!

But is adding the smartcard cert to AD accounts the 'correct' way to go
about this or is there something new and better/easier, as the blog post
hinted about?

//Adam

2017-10-19 13:17 GMT+02:00 Winberg, Adam <[email protected]>:

> I've been debugging the OCSP issue as well and we can see that the OCSP
> server responds to the request. This response is signed by a cert which is
> issued by our CA, and that cert is indeed in my nssdb. So should this not
> work? Do I have to have the actual OCSP server cert in nssdb, does
> certificate chaining not work here?
>
> Regards
> Adam
>
> 2017-10-19 12:39 GMT+02:00 Winberg, Adam <[email protected]>:
>
>> Thanks a bunch, disabling oscp verification works (and to test with
>> p11_child you can set the parameter '--verify=no_ocsp').
>>
>> So, now I can see in debug logs that sssd finds my smartcard certificate
>> but now it fails trying to verify it against the provider (AD). So what are
>> the requirements for this to work on 7.4? This page:
>>
>> http://rhelblog.redhat.com/2017/09/26/smart-card-support-in-
>> red-hat-enterprise-linux/
>>
>> implies that it is not longer necessary to store the entire certificate
>> for the user in AD. It instead mentions a 'special attribute' but there is
>> no detailed information about it there. Is there any more documentation
>> about this?
>>
>> Thanks,
>> Adam
>>
>>
>> 2017-10-19 11:19 GMT+02:00 Sumit Bose <[email protected]>:
>>
>>> On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
>>> > I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
>>> > currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify
>>> this
>>> > by using sssd instead. Unfortunately I cant get it to work, sssd does
>>> not
>>> > seem to detect my smartcard certificate.
>>> >
>>> > Running p11_child I get the following:
>>> >
>>> > $ /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2
>>> > --nssdb=/etc/pki/nssdb --pin
>>> > (Thu Oct 19 10:43:19:786759 2017) [[sssd[p11_child[6320]]]] [main]
>>> > (0x0400): p11_child started.
>>> > (Thu Oct 19 10:43:19:786836 2017) [[sssd[p11_child[6320]]]] [main]
>>> > (0x2000): Running in [pre-auth] mode.
>>> > (Thu Oct 19 10:43:19:786849 2017) [[sssd[p11_child[6320]]]] [main]
>>> > (0x2000): Running with effective IDs: [0][0].
>>> > (Thu Oct 19 10:43:19:786859 2017) [[sssd[p11_child[6320]]]] [main]
>>> > (0x2000): Running with real IDs [0][0].
>>> > (Thu Oct 19 10:43:20:755639 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Default Module List:
>>> > (Thu Oct 19 10:43:20:755722 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): common name: [NSS Internal PKCS #11 Module].
>>> > (Thu Oct 19 10:43:20:755753 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): dll name: [(null)].
>>> > (Thu Oct 19 10:43:20:755780 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): common name: [p11-kit-trust].
>>> > (Thu Oct 19 10:43:20:755864 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
>>> > (Thu Oct 19 10:43:20:755900 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): common name: [OpenSC PKCS #11 Module].
>>> > (Thu Oct 19 10:43:20:755958 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
>>> > (Thu Oct 19 10:43:20:755992 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Dead Module List:
>>> > (Thu Oct 19 10:43:20:756025 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): DB Module List:
>>> > (Thu Oct 19 10:43:20:756057 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): common name: [NSS Internal Module].
>>> > (Thu Oct 19 10:43:20:756085 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): dll name: [(null)].
>>> > (Thu Oct 19 10:43:20:756112 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): common name: [Policy File].
>>> > (Thu Oct 19 10:43:20:756140 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): dll name: [(null)].
>>> > (Thu Oct 19 10:43:20:771873 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Description [NSS User Private Key and Certificate Services
>>> >            Mozilla Foundation              ] Manufacturer [Mozilla
>>> > Foundation              ] flags [1].
>>> > (Thu Oct 19 10:43:20:771969 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Description [NSS Internal Cryptographic Services
>>> >            Mozilla Foundation              ] Manufacturer [Mozilla
>>> > Foundation              ] flags [1].
>>> > (Thu Oct 19 10:43:20:772007 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Description [/usr/share/pki/ca-trust-source
>>> >             PKCS#11 Kit                      ] Manufacturer [PKCS#11
>>> Kit
>>> >                   ] flags [1].
>>> > (Thu Oct 19 10:43:20:772037 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Description [/etc/pki/ca-trust/source
>>> >             PKCS#11 Kit                      ] Manufacturer [PKCS#11
>>> Kit
>>> >                   ] flags [1].
>>> > (Thu Oct 19 10:43:20:772245 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Description [Alcor Micro AU9540 00 00
>>> >             Generic                         ] Manufacturer [Generic
>>> >                  ] flags [7].
>>> > (Thu Oct 19 10:43:20:772290 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Found [identification (Instant EID IP9)] in slot [Alcor Micro
>>> > AU9540 00 00][0] of module [3][/usr/lib64/pkcs11/opensc-pkcs11.so].
>>> > (Thu Oct 19 10:43:20:772320 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Token is NOT friendly.
>>> > (Thu Oct 19 10:43:20:772346 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Trying to switch to friendly to read certificate.
>>> > (Thu Oct 19 10:43:20:772372 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Login required.
>>> > (Thu Oct 19 10:43:20:772397 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x0020): Login required but no pin available, continue.
>>> > (Thu Oct 19 10:43:20:773994 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): found cert[identification (Instant EID
>>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
>>> > (Thu Oct 19 10:43:20:774071 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): Filtered certificates:
>>> > (Thu Oct 19 10:43:20:774167 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): found cert[identification (Instant EID
>>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com]
>>> > (Thu Oct 19 10:43:20:804677 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x0040): Certificate [identification (Instant EID
>>> > IP9):user1][CN=user1,OU=People,DC=ad,DC=example,DC=com] not valid
>>> [-8062],
>>> > skipping.
>>> > (Thu Oct 19 10:43:20:804857 2017) [[sssd[p11_child[6320]]]] [do_work]
>>> > (0x4000): No certificate found.
>>> >
>>> >
>>> > What does the error code '-8062' mean?
>>>
>>> "The signer of the OCSP response is not authorized to give status for
>>> this certificate."
>>>
>>> Please see e.g.
>>> https://www-archive.mozilla.org/projects/security/pki/nss/re
>>> f/ssl/sslerr.html
>>> for other error codes as well. I will add a text output to the error
>>> code in one of the upcoming versions.
>>>
>>> It looks like the certificate of the OCSP responder cannot be validated.
>>> Please add the related CA certificates to /etc/pki/nssdb. As an
>>> alternative if you do not want to use OCSP you can disable it by setting
>>>
>>>     certificate_verification = no_ocsp
>>>
>>> in the [sssd] section of sssd.conf (see man sssd.conf for details)
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>> >
>>> > Regards,
>>> > Adam
>>>
>>> > _______________________________________________
>>> > sssd-users mailing list -- [email protected]
>>> > To unsubscribe send an email to [email protected]
>>> osted.org
>>> _______________________________________________
>>> sssd-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>>
>>
>>
>
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to