On Thu, Aug 15, 2019, at 4:20 AM, Sumit Bose wrote:
> On Tue, Aug 13, 2019 at 02:05:06PM -0400, James Cassell wrote:
> > Good afternoon,
> >
> > I'm working on a migration from Centrify to SSSD with Active Directory.
> > Everything works quite well except for one item. Centrify has a feature to
> > request a certificate from the AD CA that is automatically granted, given
> > the AD credentials. This is used for wired 802.1x authentication, among
> > other things.
> >
> > Is there a way to get an AD cert via SSSD or related tools such as adcli?
> > (Centrify calls this command 'adcert'.)
>
> Hi,
>
> it looks like AD CS with NDES can support SCEP
> (https://tools.ietf.org/html/draft-gutmann-scep-14). Please see
> https://blogs.technet.microsoft.com/jeffbutte/2016/12/16/236/ for
> details.
>

Thanks for the links! I did take a look at those. It looks like certmonger even supports the same SCEP protocol, but it seems that it requires a one-time PIN to register, which is an out-of-band manual process as far as I can tell. Red Hat even has some docs on it: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/certmonger-scep

Seems like it would be convenient to have the one-time challengePassword (as it's called in the spec) be (derived from) an appropriate Kerberos service ticket (but that's just conjecture). Somehow, this "just works" on Windows hosts with the auto-enrollment AD policy (as also with Centrify on Linux), but I don't know how; it could be (a variation on) SCEP for all I know.

Thanks for taking a look!

V/r,
James Cassell

> HTH
>
> bye,
> Sumit
>
> > Thanks in advance!
> >
> > V/r,
> > James Cassell

_______________________________________________
sssd-users mailing list -- [email protected]
