On Fri, Aug 10, 2018, at 10:38 AM, James Ralston wrote:
> Is anyone using sssd to perform smartcard authentication directly
> against Microsoft Active Directory, without using IPA?  If so, what
> did you have to do in order to get it working?
> 

We had to add each user's Smart Card certificate to the "User Certificate" 
attribute in Active Directory.  We were not able to make the association only 
based on trusting the X.509 certificate like Windows does.

> In our AD domain, the userPrincipalName attribute contains the address
> of what I assume is the CN of the smartcard that corresponds to that
> user.  I don't see any other attributes set in AD that look like
> they're related to smartcard authentication (i.e., no certificates),
> so everything must drive from the userPrincipalName attribute.  (We
> use a one-smartcard-per-account model, so we have no
> altSecurityIdentities attributes.)
> 

Our Smart Cards had a userPrincipalName attribute that matched the 
identically-named attribute in Active Directory.

> Our Windows guys don't know for certain, but I believe that the
> smartcard authentication employs PKINIT.  (I don't see how else it
> would work, honestly.)
> 

SSSD will use pkinit if krb5-pkinit is installed, or just verify the card 
locally otherwise.

> Pretty much the only sssd configuration options I see related to
> smartcard authentication are pam_cert_auth and pam_cert_db_path.
> 
> Is it really the case that all I have to do is set pam_cert_auth to
> "true" and smartcard logins will just magically work, because sssd
> will look at the userPrincipalName attribute in AD and just Do The
> Right Thing?
> 

Not quite.

> I mean, it can't be that easy, can it?  :-P
> 
> Thanks in advance for any advice or tips.

We had to get a hotfix of krb5-pkinit from Red Hat to get a TGT from the card.

V/r,
James Cassell
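As an added example (not code from this thread, nor from SSSD), here is how the step James Cassell describes, putting each user's smart card certificate into the AD userCertificate attribute, can be scripted: decode the certificate PEM, sanity-check that it is DER, and emit an RFC 2849 LDIF change record for ldapmodify. The sample DN, the sample PEM (a constructed stand-in, not a real certificate) and the use of the `userCertificate;binary` attribute description are assumptions, not values from the message.

```python
import base64

# Constructed sample (NOT a real certificate): a minimal DER SEQUENCE in PEM
# armour so the functions can be exercised offline. In practice this is the
# certificate read from the user's smart card.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""
# Hypothetical user DN; substitute the real AD user object.
SAMPLE_DN = "CN=Jane Doe,OU=Users,DC=example,DC=com"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes, with a cheap sanity check."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    der = base64.b64decode(body, validate=True)
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE; not a certificate?")
    return der


def ldif_fold(line: str, width: int = 76) -> str:
    """Fold one LDIF line as RFC 2849 requires: continuation lines start with a space."""
    if len(line) <= width:
        return line
    head, rest = line[:width], line[width:]
    step = width - 1  # one column of each continuation line is the leading space
    return "\n".join([head] + [" " + rest[i:i + step] for i in range(0, len(rest), step)])


def user_certificate_ldif(dn: str, der: bytes) -> str:
    """LDIF change record adding a DER certificate to the user's userCertificate
    attribute (';binary' is the RFC 4523 transfer option, assumed accepted by AD)."""
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: userCertificate;binary",
        ldif_fold(f"userCertificate;binary:: {b64}"),  # '::' marks a base64 value
        "-",
        "",
    ])


if __name__ == "__main__":
    print(user_certificate_ldif(SAMPLE_DN, pem_to_der(SAMPLE_PEM)), end="")
```

Feed the record to ldapmodify against a domain controller; this stores the certificate-to-user association that the reply says Windows derives from trust alone but sssd needed present in AD.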

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/UWTURDTU5UXKRTCA7E4FUU3BWLVTMPWW/