revocation

Hristina Marosevic Fri, 06 Mar 2020 04:45:44 -0800

Hello, 

I added: "certificate_verification = no_ocsp, no_verification" in [sssd] part 
of the sssd configuration and I didn't add the CA certs because the 
certification validation is disabled, but I am getting the same error 
"certificate is not valid" in the sssd_ssh.log
SSSD version that I am using is (yum package version):
1.16.4-21.0.1.el7_7.1
Somewhere on the internet, I saw this in the [pam] part of the sssd 
configuration: "pam_cert_auth = True" - should I add this line in my config 
file?
and I found the following command for the p11_child log (by you):
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb


The output on my machine was:
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
(Fri Mar  6 13:33:30:652007 2020) [[sssd[p11_child[8855]]]] [main] (0x0400): 
p11_child started.
(Fri Mar  6 13:33:30:652310 2020) [[sssd[p11_child[8855]]]] [main] (0x2000): 
Running in [pre-auth] mode.
(Fri Mar  6 13:33:30:652517 2020) [[sssd[p11_child[8855]]]] [main] (0x2000): 
Running with effective IDs: [0][0].
(Fri Mar  6 13:33:30:652758 2020) [[sssd[p11_child[8855]]]] [main] (0x2000): 
Running with real IDs [0][0].
(Fri Mar  6 13:33:30:710650 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
Default Module List:
(Fri Mar  6 13:33:30:710904 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
common name: [NSS Internal PKCS #11 Module].
(Fri Mar  6 13:33:30:711013 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
dll name: [(null)].
(Fri Mar  6 13:33:30:711116 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
Dead Module List:
(Fri Mar  6 13:33:30:711218 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
DB Module List:
(Fri Mar  6 13:33:30:711320 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
common name: [NSS Internal Module].
(Fri Mar  6 13:33:30:711434 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
dll name: [(null)].
(Fri Mar  6 13:33:30:711564 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
common name: [Policy File].
(Fri Mar  6 13:33:30:711768 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
dll name: [(null)].
(Fri Mar  6 13:33:30:711890 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
Description [NSS User Private Key and Certificate Services                   
Mozilla Foundation              ] Manufacturer [Mozilla Foundation              
] flags [1].
(Fri Mar  6 13:33:30:712016 2020) [[sssd[p11_child[8855]]]] [do_card] (0x4000): 
Description [NSS Internal Cryptographic Services                             
Mozilla Foundation                 ] Manufacturer [Mozilla Foundation           
        ] flags [9].
(Fri Mar  6 13:33:30:712335 2020) [[sssd[p11_child[8855]]]] [do_card] (0x0040): 
No removable slots found.
(Fri Mar  6 13:33:30:712448 2020) [[sssd[p11_child[8855]]]] [main] (0x0040): 
do_work failed.
(Fri Mar  6 13:33:30:712595 2020) [[sssd[p11_child[8855]]]] [main] (0x0020): 
p11_child failed!


BR,
Hristina
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

Reply via email to