Ok, that makes sense - I do indeed have a pkinit_cert_match in krb5.conf.

Any chance for a fix for this for RHEL8 GA? I will try to investigate if we
can write our smartcard certs differently, so they have different IDs, but
I don't know what support there is for that in our card provisioning
solution.

//Adam

Den ons 13 feb. 2019 kl 13:23 skrev Sumit Bose <[email protected]>:

> On Wed, Feb 13, 2019 at 12:51:14PM +0100, Winberg, Adam wrote:
> > I did not have the 'certificate_verification' parameter set at all
> before,
> > and then online authentication works for me.
> >
> > This is debug logs from p11_child, online auth with ocsp:
> >
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found
> > cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
> > Using OCSP URL [http://ocsp1.example.com/ocsp].
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
> > Nonce in OCSP response is the same as the one used in the request.
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
> > OCSP check was successful.
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [read_certs] (0x4000): found
> > cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
> > Using OCSP URL [http://ocsp1.example.com/ocsp].
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
> > Nonce in OCSP response is the same as the one used in the request.
> > (Wed Feb 13 09:04:24 2019) [[sssd[p11_child[12421]]]] [do_ocsp] (0x4000):
> > OCSP check was successful.
> >
> > So it seems both certs validate, but login still works and the correct
> > certificate is chosen.
>
> ah, sorry, I guess when online you are doing Kerberos PKINIT so
> p11_child is never run in authentication mode where the 'More than one
> certificate found for authentication, aborting!' error came from. In
> this case I assume you have a 'pkinit_cert_match' rule in krb5.conf to
> help libkrb5 to pick the right certificate since SSSD would only add the
> ID to X509_user_identity which is not sufficient to select a specific
> certificate.
>
> bye,
> Sumit
>
> >
> > //Adam
> >
> >
> >
> >
> > Den ons 13 feb. 2019 kl 12:19 skrev Sumit Bose <[email protected]>:
> >
> > > On Wed, Feb 13, 2019 at 09:54:45AM +0100, Winberg, Adam wrote:
> > > > You are correct, the OCSP was an issue. Disabling that I get a step
> > > > closer (where I actually get a pin prompt), but login does not work.
> > > >
> > > > sssd_pam.log shows:
> > > > (Wed Feb 13 09:35:24 2019) [sssd[pam]] [pam_reply] (0x0040): Backend
> > > > cannot handle Smartcard authentication, trying local Smartcard
> > > > authentication.
> > > >
> > > > Which looks good, but p11_child.log shows:
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found
> > > > cert[a001329][/DC=com/DC=example/DC=ad/OU=People/CN=a001329]
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [read_certs] (0x4000): found
> > > > cert[adwi.adm][/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm]
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> > > > /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so
> > > > identification (Instant EID IP9) identification (Instant EID IP9)
> > > > 709C1B7B80A241AE 709C1B7B80A241AE.
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> > > > /usr/lib64/pkcs11/opensc-pkcs11.so /usr/lib64/pkcs11/opensc-pkcs11.so
> > > > identification (Instant EID IP9) identification (Instant EID IP9)
> > > > 709C1B7B80A241AE 709C1B7B80A241AE.
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> > > > uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert.
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x4000):
> > > > uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Alcor%20Micro%20AU9560%2000%2000;slot-manufacturer=Generic;slot-id=0;model=PKCS%2315;manufacturer=Gemalto;serial=2634357095419540;token=identification%20%28Instant%20EID%20IP9%29;id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert.
> > > > (Wed Feb 13 09:35:25 2019) [[sssd[p11_child[17974]]]] [do_card] (0x0010):
> > > > More than one certificate found for authentication, aborting!
> > > >
> > > > And then sssd_pam.log shows:
> > > > (Wed Feb 13 09:35:25 2019) [sssd[pam]] [parse_p11_child_response] (0x1000):
> > > > No certificate found.
> > > > (Wed Feb 13 09:35:25 2019) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020):
> > > > No certificate returned, authentication failed.
> > > >
> > > > I have two certs on my card, but I have a 'matchrule' in sssd.conf so
> > > > SSSD only picks the correct one:
> > > > matchrule = <SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$
> > > >
> > > > This does not seem to work offline? Even so, should I not then get to
> > > > choose which certificate to use in GDM?
> > > >
> > > > This bugzilla (created by me for RHEL7.6) might be relevant, since both
> > > > my certs have the same ID.
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=1631410
> > >
> > > Yes, you are right, this is related. The certificate objects on the
> > > Smartcard only differ in the label ('a001329', 'adwi.adm') but currently
> > > SSSD only uses the ID for the selection. So I have to add the label for
> > > the selection as well.
> > >
> > > But this would be the same for online authentication. So I wonder if one
> > > of the certificates is invalid according to OCSP or if you disabled
> > > verification completely for the test?
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Thank you!
> > > >
> > > > //Adam
> > > >
> > > > Den ons 13 feb. 2019 kl 09:05 skrev Sumit Bose <[email protected]>:
> > > >
> > > > > On Wed, Feb 13, 2019 at 08:17:39AM +0100, Winberg, Adam wrote:
> > > > > > I'm having a hard time understanding how cert mapping is supposed to
> > > > > > work offline. Currently I have the following certmap config (this is
> > > > > > on RHEL8-beta):
> > > > > >
> > > > > > [certmap/ad.example.com/smartcard]
> > > > > > maprule = (|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))
> > > > > >
> > > > > > to map the CN on the card to 'samAccountName' in AD. This works as
> > > > > > long as I'm online (access to AD), but when I go offline (disconnect
> > > > > > network) the maprule is not working. I thought that the mapping would
> > > > > > then use the sssd cache but apparently not - so how is smartcard login
> > > > > > supposed to work offline?
> > > > >
> > > > > The cached data should be used in the offline case. Do your
> > > > > certificates contain the OCSP extension? If this is present SSSD will
> > > > > use it by default to validate the certificate, which will fail if the
> > > > > system is offline. To disable OCSP you can set
> > > > >
> > > > >     certificate_verification = no_ocsp
> > > > >
> > > > > in the [sssd] section of sssd.conf, see man sssd.conf for details.
> > > > >
> > > > > If that's not the case feel free to send me the SSSD logs, ideally
> > > > > with debug_level=9. The most important ones for the offline case would
> > > > > be sssd_pam.log and p11_child.log.
> > > > >
> > > > > bye,
> > > > > Sumit
> > > > >
> > > > > >
> > > > > > Regards
> > > > > > Adam
> > > > >
> > > > > > _______________________________________________
> > > > > > sssd-users mailing list -- [email protected]
> > > > > > To unsubscribe send an email to
> > > [email protected]
> > > > > > Fedora Code of Conduct:
> https://getfedora.org/code-of-conduct.html
> > > > > > List Guidelines:
> > > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > > List Archives:
> > > > >
> > >
> https://lists.fedorahosted.org/archives/list/[email protected]
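Added example, not code from this thread or from SSSD itself, illustrating the two points Sumit makes: parsing the two PKCS#11 URIs from the p11_child log (RFC 7512, shortened here to the relevant attributes) shows they share token and id and differ only in object, which is why an ID-only selection has to abort, while the matchrule from sssd.conf does tell them apart once the subject is rewritten into the RFC 4514 leaf-first order that sss-certmap matches against (an assumption made here; read_certs prints OpenSSL's root-first form). Standard library only.

```python
import re
from urllib.parse import unquote, unquote_to_bytes

# Constructed from the two URIs in the quoted p11_child log, shortened to the
# attributes that matter here; every other attribute is identical on both.
URIS = [
    "pkcs11:manufacturer=Gemalto;serial=2634357095419540;"
    "token=identification%20%28Instant%20EID%20IP9%29;"
    "id=%70%9c%1b%7b%80%a2%41%ae;object=a001329;type=cert",
    "pkcs11:manufacturer=Gemalto;serial=2634357095419540;"
    "token=identification%20%28Instant%20EID%20IP9%29;"
    "id=%70%9c%1b%7b%80%a2%41%ae;object=adwi.adm;type=cert",
]
# Subjects as read_certs prints them (OpenSSL one-line order, root RDN first).
SUBJECTS = [
    "/DC=com/DC=example/DC=ad/OU=People/CN=a001329",
    "/DC=com/DC=example/DC=ad/OU=People/OU=People2/CN=adwi.adm",
]
MATCHRULE = "<SUBJECT>^CN=[ak].{6},OU=People,DC=ad,DC=example,DC=com$"


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into its attributes. The binary CKA_ID is returned
    as lower-case hex so it can be compared with the ID printed in the log."""
    attrs = {}
    for part in uri.removeprefix("pkcs11:").split(";"):
        key, _, value = part.partition("=")
        attrs[key] = unquote_to_bytes(value).hex() if key == "id" else unquote(value)
    return attrs


def ambiguous_ids(uris):
    """Group certificate objects by (token, id); a group with more than one
    object is exactly the case where selecting by ID alone cannot decide."""
    groups = {}
    for a in map(parse_pkcs11_uri, uris):
        groups.setdefault((a["token"], a["id"]), []).append(a["object"])
    return {key: objs for key, objs in groups.items() if len(objs) > 1}


def openssl_dn_to_rfc4514(dn):
    """'/DC=com/.../CN=x' -> 'CN=x,...,DC=com': leaf RDN first, as the rule expects."""
    return ",".join(reversed([rdn for rdn in dn.split("/") if rdn]))


def select_by_matchrule(subjects, rule):
    """Apply a <SUBJECT> matchrule to the converted subjects; return the matches."""
    regex = re.compile(rule.removeprefix("<SUBJECT>"))
    return [s for s in map(openssl_dn_to_rfc4514, subjects) if regex.search(s)]
```

With the log's data, ambiguous_ids() reports one (token, id) pair carrying both 'a001329' and 'adwi.adm', and select_by_matchrule() narrows the pair down to the single CN=a001329 subject.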