On Thu, Apr 02, 2020 at 03:32:43PM +0200, mbalembo wrote:
> Hello,
>
> I'm having trouble adding etoken support to SSSD/openldap on a gentoo.
>
> I have set up nssdb in /etc/pki/nssdb and added the Safenet library to access
> the etoken.
> I can successfully get the certificate in the token with:
>
> # /usr/libexec/sssd/p11_child --pre --nssdb=/etc/pki/CA/

Hi,

which version of SSSD are you using?

I guess you've meant '--nssdb=/etc/pki/nssdb' in the example above?

>
> now, to sssd itself;
> I'm trying an ssh login, and the output on the terminal is:
>
> # ssh b...@example.com
> Please enter smart card
>
> Please enter smart card
>
> Please enter smart card
>
> b...@example.com: Permission denied (publickey,keyboard-interactive).

With ssh everything is different, please check e.g.
https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_step1.html
about how to use Smartcards with ssh. Typically the Smartcard reader is not
attached to the host you want to authenticate to and as a result SSSD cannot
handle the Smartcard authentication in this case.

>
> I can see in p11_child.log that it uses nssdb to (successfully!) connect to
> the smartcard.
> I can see the correct label, the correct subject.
> The keyId is found (I don't understand why I need it and I'm not sure if the
> value I picked is right?)
> Anyway, I get my uri, everything seems fine on this side.
>
> Looking at sss_LDAP.log, I can see the request, everything looks cool, I got:
>
> sssd.dataprovider.pamHandler: Success
>
> On the other side, in sss_pam.log I can see the same request but it ends with:
>
> [pam_dp_send_req_done] (0x0200): received: [28 (Module inconnu)][LDAP]
> (..)
> [pam_eval_prompting_config] (0x4000): No prompting configuration found.
> (Thu Apr 2 15:23:08 2020) [sssd[pam]] [pam_reply] (0x0200): blen: 21
> (Thu Apr 2 15:23:08 2020) [sssd[pam]] [pam_reply] (0x0200): Returning [28]: Module inconnu to the client
> (Thu Apr 2 15:23:08 2020) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
>
> I'm confused at how to understand this.
>
> The sssd.conf is attached.
>
> Thanks,
> Marc
>
>
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> services = nss, pam
> # SSSD will not start if you do not configure any domains.
> # Add new domain configurations as [domain/<NAME>] sections, and
> # then add the list of domains (in the order you want them to be
> # queried) to the "domains" attribute below and uncomment it.
> domains = LDAP
> certificate_verification = no_oscp
> #certificate_verification = no_verification
> debug_level = 6
>
> [nss]
> #filter_users = root,admin,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
>
> [pam]
> pam_cert_auth = True
> pam_p11_allowed_services = +sddm, +sddm-helper, +kde, +sshd

Please do not use 'sshd' here, as mentioned above this would not work.

For the first steps I would recommend to try to log in on a text console or
try after logging in to the host where the Smartcard reader is connected to
run 'su' or 'sudo'. I have not tested sddm or kdm, so I'm not sure if they
should work out of the box.

Feel free to send the SSSD logs if Smartcard authentication with /bin/login,
su or sudo still does not work.

HTH

bye,
Sumit

> p11_wait_for_card_timeout = 10
> p11_child_timeout = 10
> #debug_level = 6
>
> [domain/files]
> id_provider = files
>
> # Example LDAP domain
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> # ldap_schema can be set to "rfc2307", which stores group member names in the
> # "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
> # the "member" attribute. If you do not know this value, ask your LDAP
> # administrator.
> ldap_schema = rfc2307
> ldap_uri = ldap://example.com
> ldap_search_base = dc=example,dc=com
> #ldap_tls_reqcert = never
> filter = "(&(objectClass=posixAccount)(uid=%s))"
> ldap_user_certificate = userCertificate;binary
> # Note that enabling enumeration will have a moderate performance impact.
> # Consequently, the default value for enumeration is FALSE.
> # Refer to the sssd.conf man page for full details.
> enumerate = true
> # Allow offline logins by locally storing password hashes (default: false).
> cache_credentials = true
>
> [certmap/LDAP/bar]
> #matchrule = <ISSUER>^C = FR, ST = France, O = Example, CN = Example Intermediate CA$
> matchrule = <SUBJECT>^CN=bar,O=Example,ST=France,C=FR$
> maprule = (userCertificate;binary={cert!bin})
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
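The [certmap/LDAP/bar] section quoted in Marc's config is the part that decides which LDAP user a presented certificate maps to: the matchrule filters certificates by a regular expression over the subject or issuer DN, and the maprule is the LDAP search filter SSSD runs after substituting the certificate's DER bytes for {cert!bin}. The following Python is an added example for readers of this thread, not code from SSSD or from anyone on the list. It re-implements that two-step logic on constructed input so the rule from the config can be tried without a token: the subject and issuer strings are constructed samples in the RFC 4514 order that the active <SUBJECT> rule itself uses (an assumption of this example; the commented-out <ISSUER> rule is written in the space-separated, country-first order and therefore does not match that string), and the DER bytes are a made-up stand-in for a real certificate.

```python
import re

# Constructed sample input: the subject/issuer DN strings in RFC 4514 order
# (most specific RDN first), plus a few fake bytes standing in for the
# DER-encoded certificate. None of this comes from a real token.
SAMPLE_SUBJECT = "CN=bar,O=Example,ST=France,C=FR"
SAMPLE_ISSUER = "CN=Example Intermediate CA,O=Example,ST=France,C=FR"
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A, 0x28, 0x2A, 0x00, 0x5C])

# Rules copied from the [certmap/LDAP/bar] section in the thread.
MATCHRULE_SUBJECT = "<SUBJECT>^CN=bar,O=Example,ST=France,C=FR$"
MATCHRULE_ISSUER_OLD = "<ISSUER>^C = FR, ST = France, O = Example, CN = Example Intermediate CA$"
MAPRULE = "(userCertificate;binary={cert!bin})"


def parse_matchrule(rule):
    """Split '<SUBJECT>regex' or '<ISSUER>regex' into (field, regex).

    Only the two forms that appear in the thread are handled; anything
    else is rejected rather than silently treated as a match-all rule.
    """
    m = re.fullmatch(r"<(SUBJECT|ISSUER)>(.*)", rule, re.DOTALL)
    if not m:
        raise ValueError("unsupported matchrule: %r" % rule)
    return m.group(1), m.group(2)


def cert_matches(rule, subject, issuer):
    """True if the regex part of the rule matches the selected DN string."""
    field, regex = parse_matchrule(rule)
    value = subject if field == "SUBJECT" else issuer
    return re.search(regex, value) is not None


def ldap_escape_bin(der):
    """RFC 4515 escaping of binary data: each byte becomes '\\xx'.

    This is the form {cert!bin} takes inside an LDAP search filter, so the
    server compares the raw DER bytes rather than a textual representation.
    """
    return "".join("\\%02x" % b for b in der)


def build_maprule(maprule, der):
    """Substitute the escaped certificate for the {cert!bin} template."""
    return maprule.replace("{cert!bin}", ldap_escape_bin(der))


def evaluate_certmap(matchrule, maprule, subject, issuer, der):
    """Return the LDAP filter to search with, or None if the certificate
    is rejected by the matchrule (no lookup should happen in that case)."""
    if not cert_matches(matchrule, subject, issuer):
        return None
    return build_maprule(maprule, der)


if __name__ == "__main__":
    print(evaluate_certmap(MATCHRULE_SUBJECT, MAPRULE,
                           SAMPLE_SUBJECT, SAMPLE_ISSUER, SAMPLE_DER))
    print(cert_matches(MATCHRULE_ISSUER_OLD, SAMPLE_SUBJECT, SAMPLE_ISSUER))
```

Two things worth checking against your own setup with this: that the DN your rule expects is written in the same order and spacing that p11_child logs for the certificate (otherwise the matchrule silently rejects every card and no LDAP lookup happens), and that the maprule pins the mapping to the exact certificate rather than to a looser attribute, so that a second certificate from the same issuer cannot resolve to the same account.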