On 11/28/18 11:29 PM, Sumit Bose wrote:
> On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
>> I configured a YubiKey on Windows using the YubiKey minidriver with the
>> following certificates:
>>
>> - my "orion" certificate - went into slot 9a PIV Auth
>> - A MacOS keychain cert per their docs - went into slot 9d Key Management
>> - Another auth certificate for "orion-admin" - went into slot 82
>>
>> I'm able to authenticate on Windows as either orion or orion-admin, but on
>> Linux with sssd it does not see the orion-admin certificate. What needs to
>> happen to support this?
>
> Which version of SSSD are you using?

sssd-1.16.2-13.el7_5

> Can you send the output of
>
> p11tool --list-all --provider opensc-pkcs11.so

$ p11tool --list-all --provider /usr/lib64/opensc-pkcs11.so
Object 0:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=PIV%20AUTH%20pubkey;type=public
	Type: Public key
	Label: PIV AUTH pubkey
	Flags: CKA_WRAP/UNWRAP;
	ID: 01
Object 1:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert
	Type: X.509 Certificate
	Label: Certificate for PIV Authentication
	ID: 01
Object 2:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=KEY%20MAN%20pubkey;type=public
	Type: Public key
	Label: KEY MAN pubkey
	ID: 03
Object 3:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert
	Type: X.509 Certificate
	Label: Certificate for Key Management
	ID: 03
Object 4:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Capability%20Container;type=data
	Type: Data
	Label: Card Capability Container
	ID:
Object 5:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Holder%20Unique%20Identifier;type=data
	Type: Data
	Label: Card Holder Unique Identifier
	ID:
Object 6:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Unsigned%20Card%20Holder%20Unique%20Identifier;type=data
	Type: Data
	Label: Unsigned Card Holder Unique Identifier
	ID:
Object 7:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20PIV%20Authentication;type=data
	Type: Data
	Label: X.509 Certificate for PIV Authentication
	ID:
Object 8:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Digital%20Signature;type=data
	Type: Data
	Label: X.509 Certificate for Digital Signature
	ID:
Object 9:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Key%20Management;type=data
	Type: Data
	Label: X.509 Certificate for Key Management
	ID:
Object 10:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Card%20Authentication;type=data
	Type: Data
	Label: X.509 Certificate for Card Authentication
	ID:
Object 11:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Security%20Object;type=data
	Type: Data
	Label: Security Object
	ID:
Object 12:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Discovery%20Object;type=data
	Type: Data
	Label: Discovery Object
	ID:

> and
>
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
> --pre

$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Thu Nov 29 13:31:29:125830 2018) [[sssd[p11_child[2569]]]] [main] (0x0400): p11_child started.
(Thu Nov 29 13:31:29:126388 2018) [[sssd[p11_child[2569]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Nov 29 13:31:29:126426 2018) [[sssd[p11_child[2569]]]] [main] (0x2000): Running with effective IDs: [22603][22603].
(Thu Nov 29 13:31:29:126459 2018) [[sssd[p11_child[2569]]]] [main] (0x2000): Running with real IDs [22603][22603].
(Thu Nov 29 13:31:29:341356 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Default Module List:
(Thu Nov 29 13:31:29:341396 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Thu Nov 29 13:31:29:341415 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:341433 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): common name: [OpenSC].
(Thu Nov 29 13:31:29:341451 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): dll name: [/usr/lib64/opensc-pkcs11.so].
(Thu Nov 29 13:31:29:341468 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Dead Module List:
(Thu Nov 29 13:31:29:341485 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): DB Module List:
(Thu Nov 29 13:31:29:341503 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): common name: [NSS Internal Module].
(Thu Nov 29 13:31:29:341520 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:341537 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): common name: [Policy File].
(Thu Nov 29 13:31:29:341554 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:367703 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
(Thu Nov 29 13:31:29:367790 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [9].
(Thu Nov 29 13:31:29:368358 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Description [Yubico Yubikey 4 OTP+U2F+CCID 00 00 Yubico ] Manufacturer [Yubico ] flags [7].
(Thu Nov 29 13:31:29:368416 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Found [Orion Poplawski] in slot [Yubico Yubikey 4 OTP+U2F+CCID 00 00][0] of module [2][/usr/lib64/opensc-pkcs11.so].
(Thu Nov 29 13:31:29:368455 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Token is NOT friendly.
(Thu Nov 29 13:31:29:368488 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Trying to switch to friendly to read certificate.
(Thu Nov 29 13:31:29:368517 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Login required.
(Thu Nov 29 13:31:29:368544 2018) [[sssd[p11_child[2569]]]] [do_card] (0x0020): Login required but no PIN available, continue.
(Thu Nov 29 13:31:29:369245 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Orion Poplawski:Certificate for PIV Authentication][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:369296 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Orion Poplawski:Certificate for Key Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:369332 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Filtered certificates:
(Thu Nov 29 13:31:29:369364 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Orion Poplawski:Certificate for PIV Authentication][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:370948 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): (null) /usr/lib64/opensc-pkcs11.so (null) Orion Poplawski (null) (null).
(Thu Nov 29 13:31:29:371002 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Orion Poplawski:Certificate for Key Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:371049 2018) [[sssd[p11_child[2569]]]] [do_verification] (0x0040): Certificate [Orion Poplawski:Certificate for Key Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com] not valid [-8102][Certificate key usage inadequate for attempted operation.].
(Thu Nov 29 13:31:29:371109 2018) [[sssd[p11_child[2569]]]] [do_card] (0x0040): Certificate [Orion Poplawski:Certificate for Key Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com] not valid, skipping.
(Thu Nov 29 13:31:29:430991 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Found certificate has key id [01].
Orion Poplawski
/usr/lib64/opensc-pkcs11.so
01
Certificate for PIV Authentication
MIIH5TCCBc2gAwIBAgITdgAAAczbsI5xA5LqwgAAAAABzDANBgkqhkiG9w0BAQ0FADBcMRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEbndyYTESMBAGCgmSJomT8ixkARkWAmFkMRswGQYDVQQDExJhZC1BRC1TRUFUVExFMDEtQ0EwHhcNMTgxMTIxMTc1MjA4WhcNMjAxMTIxMTgwMjA4WjBoMRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEbndyYTESMBAGCgmSJomT8ixkARkWAmFkMQ0wCwYDVQQLEwROV1JBMRgwFgYDVQQDEw9PcmlvbiBQb3BsYXdza2kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0rbm0RJlpt16T8hM4TJauyh+1pQZI6tzlMPMAvljpo52KNXof9zf5z21kn+fmWmESkuHi32Ddzx5u+QoOu7YngDa+Ek/vfMpoLCpc2ioyJTXyOSArj3PLllNzSRewm5LJYxhKYqz7PegfTR9m0+NpNYh6vOIm9rzLFmG5+MZJdkv8zwZoIYbcON+ZAZDczGxinTSU5qK/G8c20CdDJbNyu+YWnd2B0owhgXlq7faddG/aXEpIT3FDJtTcX0EjHLyh1Zr2IIZiMvRlRLdTl2Kq4ujNYJcYSiQGkAfXo5KEyC2iZh5k2m+7qyE7v82m+MXUdVtcFtuw4fTj1edSnOBvAgMBAAGjggOSMIIDjjA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiD5Jojg6WiQ4GNnRCBnuAagaqGBoEywalyhtXJewIBZAIBBTAfBgNVHSUEGDAWBgorBgEEAYI3FAICBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwKQYJKwYBBAGCNxUKBBwwGjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMCMIGUBgkqhkiG9w0BCQ8EgYYwgYMwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBLTALBglghkgBZQMEARYwCwYJYIZIAWUDBAEZMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwCgYIKoZIhvcNAwcwBwYFKw4DAgcwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgICADAdBgNVHQ4EFgQUrBhZaZYc5ALsWmG+76SqDPYr4cIwHwYDVR0jBBgwFoAUfNJMaZA8k520zkPFvv5Hfl4MDTkwggEgBgNVHR8EggEXMIIBEzCCAQ+gggELoIIBB4ZBaHR0cDovL0FELVNFQVRUTEUwMS5hZC5ud3JhLmNvbS9DZXJ0RW5yb2xsL2FkLUFELVNFQVRUTEUwMS1DQS5jcmyGgcFsZGFwOi8vL0NOPWFkLUFELVNFQVRUTEUwMS1DQSxDTj1BRC1TRUFUVExFMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9YWQsREM9bndyYSxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHHBggrBgEFBQcBAQSBujCBtzCBtAYIKwYBBQUHMAKGgadsZGFwOi8vL0NOPWFkLUFELVNFQVRUTEUwMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZCxEQz1ud3JhLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTAsBgNVHREEJTAjoCEGCisGAQQBgjcUAgOgEwwRb3Jpb25AYWQubndyYS5jb20wDQYJKoZIhvcNAQENBQADggIBAJLuzfAPsiBf9VLIbevGMYRDoG0IgArZVSpd9LtW8gGjvta6zPfq9WrGGzPu8fclNE8PHVeV8YnkJpLFyu4Z8PjUwZZrN4Jt//yTxuMMa2srE5VEtnqulb/Hmyh5PKBTeN2HdDnX5o85btZruAvazfv3N8gmlQWOrkPWWW83uQKoritnpA+20hkQc6P6ojt51ViYZQKMpp+nCbjBKZ8ybWL0zwIM9Hd0iHFp2ZhuuQz5UpzuVGPgI4zu8CyVo3gfP2N1e8dBHz/OGtNDU3sXHEMjSay1EP2A+eKYelRQq0Dh2fs78AUEaOMaimgX24d7gH6WiuPjgfUxLy4DP7qq/aFpjEeDJo0IplfY4RxGSUe63GivmGGOGXklcq6ZU8aycY2C8QJtLmfAD7SKhzxmwScb9MKM0U4naP25VzOheE6V6e2RN4pGA5h9PJyI5+/Pbf82FuLsq4mVOjmLcD7gzSdjkMbysoqz/gLbhytDJ4Eh8FTg3YncqXWb4r8gcRKBZXuoLCrGDliYaHsJFsbAsX7vJ0Tp1DnvX7wWGXWGDxHtPRetmtq+cauKeHIXmSI3R7zueMDL2Gt3089NBJh/Hp2qAWwShR3TuO2tffConFJS9LLX5SBlNA2Lkybxsh/FAbPjFbzC5oCeGO0g5zuaago7WEm4CuiLQtvfimO9GNKe

And just for comparison:

$ yubico-piv-tool -a status
CHUID:	3019d4e739da739ced39ce739d836858210842108421384210c3f53410072180727c4b0c30d75c91b27c25efbd350832303330303130313e00fe00
CCC:	f015a000000116ff022b6532e39b0c782d8ec7b26efca5f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
	Algorithm:	RSA2048
	Subject DN:	DC=com, DC=nwra, DC=ad, OU=NWRA, CN=Orion Poplawski
	Issuer DN:	DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
	Fingerprint:	5a73f59cc4e93ef40012aedf0268abd0cf8fd260fbb243563f56271edf9fc99f
	Not Before:	Nov 21 17:52:08 2018 GMT
	Not After:	Nov 21 18:02:08 2020 GMT
Slot 9d:
	Algorithm:	RSA2048
	Subject DN:	DC=com, DC=nwra, DC=ad, OU=NWRA, CN=Orion Poplawski
	Issuer DN:	DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
	Fingerprint:	9c6ae38156c501a4ef033dd54e509053dbf06640f6f6b5d5fcaeced20c815290
	Not Before:	Nov 21 17:52:39 2018 GMT
	Not After:	Nov 21 18:02:39 2020 GMT
Slot 82:
	Algorithm:	RSA2048
	Subject DN:	DC=com, DC=nwra, DC=ad, OU=NWRA, OU=Admin-Accounts, CN=Orion Poplawski
	Issuer DN:	DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
	Fingerprint:	8565497be7c56c7595ee7389d7781b8830fe5f110917ee2b16227e831c164b00
	Not Before:	Nov 21 18:10:10 2018 GMT
	Not After:	Nov 21 18:20:10 2020 GMT

> (in case you use a very recent OpenSSL build of SSSD please use
> '--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem' or the place where your CA
> certificates are stored).
>
> I'll try to run this on a Fedora system as well....
>
> bye,
> Sumit
>
>> Thanks!
>>
>> --
>> Orion Poplawski
>> Manager of NWRA Technical Systems          720-772-5637
>> NWRA, Boulder/CoRA Office                  FAX: 303-415-9702
>> 3380 Mitchell Lane                         or...@nwra.com
>> Boulder, CO 80301                          https://www.nwra.com/
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
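Reading a `p11tool --list-all` dump by eye is error-prone once a token exposes a dozen objects, so the following is an added example (not code from this thread, from SSSD or from p11tool) that parses such a listing into per-object attributes, decodes each RFC 7512 PKCS#11 URI, groups the objects by CKA_ID, and reports which IDs expose both a certificate and a public-key object and which "X.509 Certificate ..." entries exist only as raw PIV data containers. The sample input is constructed, abbreviated from the listing above; the line layout ("Object N:" header, then indented "URL:", "Type:", "Label:", "Flags:", "ID:" lines) is the only assumption about p11tool's format.

```python
"""Parse `p11tool --list-all` output and group token objects by CKA_ID.

Added example for the thread above; not code from the thread, SSSD or p11tool.
"""
from collections import defaultdict
from urllib.parse import unquote, unquote_to_bytes

# Constructed sample, abbreviated from the listing in the thread: two key IDs
# (01 and 03) exposed as certificate + public-key objects, plus one raw PIV
# data container that carries no CKA_ID and is not a certificate object.
SAMPLE_P11TOOL = """\
Object 0:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=PIV%20AUTH%20pubkey;type=public
    Type: Public key
    Label: PIV AUTH pubkey
    Flags: CKA_WRAP/UNWRAP;
    ID: 01
Object 1:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert
    Type: X.509 Certificate
    Label: Certificate for PIV Authentication
    ID: 01
Object 2:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=KEY%20MAN%20pubkey;type=public
    Type: Public key
    Label: KEY MAN pubkey
    ID: 03
Object 3:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert
    Type: X.509 Certificate
    Label: Certificate for Key Management
    ID: 03
Object 4:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Card%20Authentication;type=data
    Type: Data
    Label: X.509 Certificate for Card Authentication
    ID:
"""


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 PKCS#11 URI into percent-decoded attributes.

    Path attributes are ';'-separated, query attributes (after '?') are
    '&'-separated. CKA_ID is binary, so 'id' is returned as a hex string.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")
    parts = [p for p in path.split(";") if p] + [p for p in query.split("&") if p]
    attrs = {}
    for part in parts:
        name, _, value = part.partition("=")
        attrs[name] = unquote_to_bytes(value).hex() if name == "id" else unquote(value)
    return attrs


def parse_p11tool(text):
    """Turn `p11tool --list-all` output into a list of object dicts."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Object ") and line.endswith(":"):
            current = {"index": int(line[len("Object "):-1])}
            objects.append(current)
            continue
        if current is None:
            continue  # anything printed before the first object header
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "URL":
            current["uri"] = parse_pkcs11_uri(value)
        else:
            current[key.lower()] = value  # type, label, flags, id
    return objects


def objects_by_key_id(objects):
    """Map each CKA_ID to {URI type -> object label}; data containers are skipped."""
    by_id = defaultdict(dict)
    for obj in objects:
        uri = obj.get("uri", {})
        if "id" not in uri:
            continue  # raw PIV data objects (CHUID, CCC, ...) carry no CKA_ID
        by_id[uri["id"]][uri.get("type")] = uri.get("object")
    return dict(by_id)


def cert_ids_with_public_key(objects):
    """CKA_IDs that expose both an X.509 certificate and a public-key object."""
    return sorted(i for i, roles in objects_by_key_id(objects).items()
                  if "cert" in roles and "public" in roles)


def data_only_certificates(objects):
    """Raw 'X.509 Certificate ...' data containers with no certificate object.

    Such a certificate is readable as a PIV data object, but a PKCS#11
    client enumerating certificate objects will not list it.
    """
    cert_labels = {o["uri"]["object"] for o in objects
                   if o.get("uri", {}).get("type") == "cert"}
    missing = []
    for obj in objects:
        uri = obj.get("uri", {})
        label = uri.get("object", "")
        if uri.get("type") == "data" and label.startswith("X.509 Certificate"):
            if label[len("X.509 "):] not in cert_labels:
                missing.append(label)
    return missing


if __name__ == "__main__":
    objs = parse_p11tool(SAMPLE_P11TOOL)
    print("objects parsed:", len(objs))
    print("IDs with certificate + public key:", cert_ids_with_public_key(objs))
    print("certificates present only as data containers:", data_only_certificates(objs))
```

Run against a real dump (`p11tool --list-all --provider /usr/lib64/opensc-pkcs11.so | python3 thisfile.py`, after swapping `SAMPLE_P11TOOL` for `sys.stdin.read()`), the two summary functions answer the question the thread is circling: which key IDs the PKCS#11 module actually presents as certificate objects, versus which certificates are only visible as raw PIV containers and therefore never reach a PKCS#11-based consumer such as p11_child.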