On Mon, May 18, 2020 at 02:09:38PM -0000, Gunnar Hilling wrote:
> Hi!
> I'm trying to set up smart card authentication using sssd with user info
> stored in Active Directory.
> The setup is already working, but the authentication only works locally. As I
> understand it, it should be possible to acquire a Kerberos ticket during
> authentication?
> Is there a working example for such a setup?
> I found
> https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_pkinit.html
> but I'm not really sure how krb5.conf should actually be configured...
Hi,

'pkinit_anchor' is most important and should point to the CA certificate bundles in PAM format which contain all needed certificates to validate the user certificate and the AD DC certificate. Typically the CA certificate for the latter is the CA certificate of the AD Certificate Service.

With AD I would suggest starting with 'pkinit_eku_checking = none', and 'pkinit_kdc_hostname' should be added multiple times with the fully-qualified name of every AD DC you are expecting a reply from.

If you set 'debug_level = 9' in the [domain/...] section of sssd.conf, the krb5_child.log file will contain some tracing information which might tell you where PKINIT got stuck.

bye,
Sumit

> Kind regards,
> Gunnar
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
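The settings Sumit describes, written out as a krb5.conf [realms] fragment. This is an added example, not configuration from the original thread; the realm name, DC host names and bundle path are assumed placeholders, and the anchor option is spelled `pkinit_anchors` in MIT krb5.

```ini
# Added example krb5.conf fragment (not from the thread). EXAMPLE.COM,
# dc1/dc2.example.com and the bundle path are assumed placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com

        # PEM bundle of CA certificates that validates both the user's
        # smart card certificate and the KDC certificate presented by the
        # AD DC. With AD this is normally the AD Certificate Services chain.
        pkinit_anchors = FILE:/etc/pki/ca-trust/source/pkinit-anchors.pem

        # Start with EKU checking disabled when the KDC is an AD DC; revisit
        # once the AS exchange works.
        pkinit_eku_checking = none

        # One entry per DC that may answer the PKINIT AS-REQ, fully
        # qualified. The DC's KDC certificate must carry one of these names.
        pkinit_kdc_hostname = dc1.example.com
        pkinit_kdc_hostname = dc2.example.com
    }
```

For tracing, the thread's 'debug_level = 9' goes in the [domain/...] section of sssd.conf, not here; krb5_child.log then records the PKINIT steps performed with this fragment.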
