You are correct, the OCSP was an issue. Disabling that I get a step closer
(where I actually get a pin prompt), but login does not work.

sssd_pam.log shows:
(Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend cannot
handle Smartcard authentication, trying local Smartcard authentication.

Which looks good, but p11_child.log shows:
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs]
(0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs]
(0x4000): found
cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
/usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so
identification (Instant EID IP9) identification (Instant EID IP9)
709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
/usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so
identification (Instant EID IP9) identification (Instant EID IP9)
709C1B7B80A241AE 709C1B7B80A241AE.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
uri:
pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
uri:
pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010):
More than one certificate found for authentication, aborting!

And then sssd_pam.log shows:
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000):
No certificate found.
(Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No
certificate returned, authentication failed.

I have two certs on my card, but I have a 'matchrule' in sssd.conf so SSSD
only picks the correct one:
matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$

This does not seem to work offline? Even so, should I not then get to
choose which certificate to use in GDM?

This bugzilla (created by me for RHEL7.6) might be relevant, since both my
certs have the same ID.
https://bugzilla.redhat.com/show_bug.cgi?id=1631410

Thank you!

//Adam
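Added example (not from this thread or from the SSSD project) to check a <SUBJECT> matchrule against the certificates p11_child.log lists: it pulls the "found cert[label][subject]" lines from the log excerpt above, converts the OpenSSL-style subject in the log into the CN-first order the matchrule is written against (that conversion is this script's assumption, not SSSD's own code), applies the regex and reports whether exactly one certificate is left, which is what p11_child needs before it can authenticate.

```python
import re

# Constructed sample: the two "found cert" lines from the p11_child.log
# excerpt above, re-joined onto single lines.
P11_CHILD_LOG = """\
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
(Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
"""

# The matchrule from sssd.conf quoted in the mail; only the <SUBJECT> form is handled here.
MATCHRULE = "<SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"

FOUND_CERT_RE = re.compile(
    r"\[read_certs\].*?found cert\[(?P<label>[^\]]*)\]\[(?P<subject>[^\]]*)\]"
)


def slash_dn_to_rfc4514(subject: str) -> str:
    """Turn OpenSSL's '/DC=com/.../CN=x' one-line form (as p11_child logs it)
    into the RFC 4514 order 'CN=x,...,DC=com' that the matchrule is written
    against.  Assumption: no RDN value contains an unescaped '/'."""
    rdns = [r for r in subject.split("/") if r]
    return ",".join(reversed(rdns))


def parse_found_certs(log_text: str) -> dict:
    """Return {label: subject} for every 'found cert[...]' line in a p11_child.log excerpt."""
    return {m.group("label"): m.group("subject") for m in FOUND_CERT_RE.finditer(log_text)}


def matching_certs(log_text: str, matchrule: str) -> list:
    """Labels of the certificates whose subject satisfies a '<SUBJECT>regex' matchrule."""
    if not matchrule.startswith("<SUBJECT>"):
        raise ValueError("only <SUBJECT> matchrules are handled in this example")
    pattern = re.compile(matchrule[len("<SUBJECT>"):])
    return sorted(
        label for label, subject in parse_found_certs(log_text).items()
        if pattern.search(slash_dn_to_rfc4514(subject))
    )


if __name__ == "__main__":
    hits = matching_certs(P11_CHILD_LOG, MATCHRULE)
    # p11_child aborts with "More than one certificate found" unless exactly one is left.
    print("selected:", hits, "OK" if len(hits) == 1 else "AMBIGUOUS")
```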

On Wed, 13 Feb 2019 at 09:05, Sumit Bose <[email protected]> wrote:

> On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
> > I'm having a hard time understanding how cert mapping is supposed to work
> > offline. Currently I have the following certmap config (this is on
> > RHEL8-beta):
> >
> > [certmap/ad.example.com/smartcard]
> > maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
> >
> > to map the CN on the card to 'samAccountName' in AD. This works as long as
> > I'm online (access to AD), but when I go offline (disconnect network) the
> > maprule is not working. I thought that the mapping would then use the sssd
> > cache but apparently not - so how is smartcard login supposed to work
> > offline?
>
> The cached data should be used in the offline case. Do your certificates
> contain the OCSP extension? If this is present SSSD will use it by
> default to validate the certificate which will fail if the system is
> offline. To disable OCSP you can set
>
>     certificate_verification = no_ocsp
>
> in the [sssd] section of sssd.conf, see man sssd.conf for details.
>
> If that's not the case feel free to send me the SSSD logs ideally with
> debug_level=9. The most important ones for the offline case would be
> sssd_pam.log and p11_child.log.
>
> bye,
> Sumit
>
> >
> > Regards
> > Adam
>
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]