On Tue, Oct 29, 2019 at 12:21:45PM -0400, James Ralston wrote:
> On Mon, Oct 28, 2019 at 3:21 AM Sumit Bose <[email protected]> wrote:
> >
> > I'm sorry, currently there are some copy-and-paste errors in the
> > examples of the sss-certmap man page. I'll try to fix them in one of
> > the next releases.
>
> A related question, which I don't see answered in sss-certmap(5): if
> sssd is performing smartcard authentication via krb5 PKINIT, how does
> the krb5 pkinit_cert_match option interact with sssd's matching rules?
>
> krb5 pkinit.so requires that the pkinit_cert_match options produce one
> (and only one) matching certificate from the certificates available on
> the smartcard. Does that mean that sssd only sees a single
> certificate (the one selected by pkinit.so via pkinit_cert_match
> options), so sss-certmap(5) matching rules are superfluous when using
> PKINIT?
>
> Or does sssd see all certificates on the smartcard, even when using
> PKINIT, and thus sssd's sss-certmap(5) matching rules need to match
> the same candidate certificate that krb5's pkinit_cert_match rules do?
>
> If the latter is true, what happens if krb5's pkinit_cert_match
> options select a different certificate than the certificate
> sss-certmap(5) selects via its matching rules?
>
> Also, what happens if a sss-certmap(5) matching rule matches more than
> one certificate on the smartcard? For PKINIT, this is a fatal error.
> Is it the same for sssd? Or if multiple certificates match, will sssd
> apply the mapping rule against each certificate in turn, and prompt
> the user which certificate/account combination they wish to login to?
Hi,

SSSD only uses sss-certmap(5) rules. If there are multiple certificates on the Smartcard matching the rules, SSSD will prompt the user to select one so that in the end a single certificate is always used during authentication.

When calling the pkinit plugin SSSD will use the certificate ID of the selected certificate from the Smartcard to make sure pkinit will use the same certificate that was selected by SSSD.

So for plain SSSD usage it is not needed to add 'pkinit_cert_match' to krb5.conf because SSSD makes sure that only a single certificate is used for pkinit. If you set 'pkinit_cert_match' to make manual kinit work easier you should make sure that 'pkinit_cert_match' does allow the certificates which SSSD will select with the sss-certmap(5) rules. Otherwise the certificate selected by SSSD will be filtered out by 'pkinit_cert_match' and the pkinit module will have no certificate which can be used for authentication.

HTH

bye,
Sumit

>
> Again, if I can clarify my own understanding of the documentation,
> I'll attempt to give you a pull request with cleanups/clarifications…
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
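A small Python model of the selection behaviour described in the reply above, added here as an illustration; it is not SSSD's or krb5's own code. The sample certificates, the supported rule subset (only `<SUBJECT>` regex and `<EKU>` list components, with an optional leading `&&`/`||`) and the `choose` callback standing in for SSSD's user prompt are all constructed assumptions.

```python
import re

# Constructed sample: certificates as SSSD would enumerate them from a smartcard.
# Not real card data; "id" stands in for the PKCS#11 certificate ID SSSD passes to pkinit.
CARD_CERTS = [
    {"id": "01", "subject": "CN=alice,OU=Users,O=EXAMPLE", "eku": {"clientAuth", "msScLogin"}},
    {"id": "02", "subject": "CN=alice,OU=Users,O=EXAMPLE", "eku": {"emailProtection"}},
    {"id": "03", "subject": "CN=alice-admin,OU=Admins,O=EXAMPLE", "eku": {"clientAuth", "msScLogin"}},
]

# Rule components shared (in simplified form) by sss-certmap(5) match rules
# and krb5 pkinit_cert_match; assumption: only SUBJECT and EKU are modelled.
RULE_RE = re.compile(r"<(SUBJECT|EKU)>([^<]*)")


def cert_matches(rule, cert):
    """True if a certificate satisfies a rule; components are ANDed unless the
    rule is prefixed with '||' (pkinit_cert_match syntax)."""
    op = "&&"
    if rule.startswith(("&&", "||")):
        op, rule = rule[:2], rule[2:]
    results = []
    for kind, value in RULE_RE.findall(rule):
        if kind == "SUBJECT":
            results.append(re.search(value, cert["subject"]) is not None)
        elif kind == "EKU":
            results.append(set(value.split(",")) <= cert["eku"])
    return all(results) if op == "&&" else any(results)


def select_with_sssd(certmap_rules, certs, choose=None):
    """Collect every certificate matching any sss-certmap rule; with more than
    one candidate SSSD prompts the user, modelled here by the choose callback."""
    candidates = [c for c in certs if any(cert_matches(r, c) for r in certmap_rules)]
    if not candidates:
        return None
    if len(candidates) == 1:
        return candidates[0]
    return choose(candidates)


def pkinit_outcome(selected, pkinit_cert_match=None):
    """SSSD hands pkinit the ID of the selected certificate. If krb5.conf also
    sets pkinit_cert_match, that filter must still admit the same certificate,
    otherwise pkinit is left with nothing to authenticate with."""
    if selected is None:
        return "no-cert"
    if pkinit_cert_match and not cert_matches(pkinit_cert_match, selected):
        return "filtered-by-pkinit_cert_match"
    return "ok:" + selected["id"]
```

The mismatch case in the reply is `select_with_sssd(["<EKU>msScLogin"], ...)` picking the admin certificate while krb5.conf carries `pkinit_cert_match = <SUBJECT>^CN=alice,`: SSSD's choice is valid, but pkinit filters it out.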
