On Mon, Jan 25, 2021 at 04:25:55PM -0000, Rudi Dayan wrote:
> Hello,
> 
> I would like to implement smartcard authentication to Microsoft AD with sssd 
> on Ubuntu 20.04 LTS.
> I am able to log in to AD with a password, but when I try to use a smartcard, 
> after a minute of timeout the password window pops up, and even if I enter the 
> correct password I get the following error: "Authentication failure".
> When I used kinit with a smartcard for the same user, the action succeeded and 
> I got a TGT.
> 
> I would appreciate your help on this subject.
> I have attached the configuration files: krb5.conf, sssd.conf and the log 
> file: krb5_child.log
> 
> Thank you,
> Rudi
> 
> 
> #####################################
> krb5.conf
> #####################################
> 
> [logging]
>       default = FILE:/var/log/krb5libs.log
> 
> [libdefaults]
>       default_realm = DOMAIN.TEST
> #     dns_lookup_realm = true
> #     dns_lookup_kdc = true
>       ticket_lifetime = 24h # 
>       renew_lifetime  = 7d
> #     forwardable = true
> #     rdns = false
> 
>       pkinit_kdc_hostname = DC.DOMAIN.TEST
> #     pkinit_allow_upn = true
>       pkinit_anchors = DIR:/etc/rootcas/
>       pkinit_pool = DIR:/etc/rootcas/
>       pkinit_identities = PKCS11:/lib/libsadaptor.so
>       default_ccache_name = KEYRING:persistent:%{uid}
>       canonicalize = true
> 
> 
> # The following krb5.conf variables are only for MIT Kerberos.
>       # kdc_timesync = 1
>       # ccache_type = 4
> 
>       # proxiable = true
> 
> # The following encryption type specification will be used by MIT Kerberos
> # if uncommented.  In general, the defaults in the MIT Kerberos code are
> # correct and overriding these specifications only serves to disable new
> # encryption types as they are added, creating interoperability problems.
> #
> # The only time when you might need to uncomment these lines and change
> # the enctypes is if you have local software that will break on ticket
> # caches containing ticket encryption types it doesn't know about (such as
> # old versions of Sun Java).
> 
> #     default_tgs_enctypes = des3-hmac-sha1
> #     default_tkt_enctypes = des3-hmac-sha1
> #     permitted_enctypes = des3-hmac-sha1
> 
> # The following libdefaults parameters are only for Heimdal Kerberos.
>       fcc-mit-ticketflags = true
> 
> [realms]
> 
>       ATHENA.MIT.EDU = {
>               kdc = kerberos.mit.edu
>               kdc = kerberos-1.mit.edu
>               kdc = kerberos-2.mit.edu:88
>               admin_server = kerberos.mit.edu
>               default_domain = mit.edu
>       }
>       ZONE.MIT.EDU = {
>               kdc = casio.mit.edu
>               kdc = seiko.mit.edu
>               admin_server = casio.mit.edu
>       }
>       CSAIL.MIT.EDU = {
>               admin_server = kerberos.csail.mit.edu
>               default_domain = csail.mit.edu
>       }
>       IHTFP.ORG = {
>               kdc = kerberos.ihtfp.org
>               admin_server = kerberos.ihtfp.org
>       }
>       1TS.ORG = {
>               kdc = kerberos.1ts.org
>               admin_server = kerberos.1ts.org
>       }
>       ANDREW.CMU.EDU = {
>               admin_server = kerberos.andrew.cmu.edu
>               default_domain = andrew.cmu.edu
>       }
>         CS.CMU.EDU = {
>                 kdc = kerberos-1.srv.cs.cmu.edu
>                 kdc = kerberos-2.srv.cs.cmu.edu
>                 kdc = kerberos-3.srv.cs.cmu.edu
>                 admin_server = kerberos.cs.cmu.edu
>         }
>       DEMENTIA.ORG = {
>               kdc = kerberos.dementix.org
>               kdc = kerberos2.dementix.org
>               admin_server = kerberos.dementix.org
>       }
>       stanford.edu = {
>               kdc = krb5auth1.stanford.edu
>               kdc = krb5auth2.stanford.edu
>               kdc = krb5auth3.stanford.edu
>               master_kdc = krb5auth1.stanford.edu
>               admin_server = krb5-admin.stanford.edu
>               default_domain = stanford.edu
>       }
>         UTORONTO.CA = {
>                 kdc = kerberos1.utoronto.ca
>                 kdc = kerberos2.utoronto.ca
>                 kdc = kerberos3.utoronto.ca
>                 admin_server = kerberos1.utoronto.ca
>                 default_domain = utoronto.ca
>       }
>               
> 
> [domain_realm]
>       .mit.edu = ATHENA.MIT.EDU
>       mit.edu = ATHENA.MIT.EDU
>       .media.mit.edu = MEDIA-LAB.MIT.EDU
>       media.mit.edu = MEDIA-LAB.MIT.EDU
>       .csail.mit.edu = CSAIL.MIT.EDU
>       csail.mit.edu = CSAIL.MIT.EDU
>       .whoi.edu = ATHENA.MIT.EDU
>       whoi.edu = ATHENA.MIT.EDU
>       .stanford.edu = stanford.edu
>       .slac.stanford.edu = SLAC.STANFORD.EDU
>         .toronto.edu = UTORONTO.CA
>         .utoronto.ca = UTORONTO.CA
> 
> ######################
> sssd.conf
> ######################
> [sssd]
> domains = domain.test
> config_file_version = 2
> services = nss, pam
> debug_level = 10
> 
> [domain/domain.test]
> 
> debug_level = 10
> #
> ad_domain = domain.test
> krb5_realm = DOMAIN.TEST
> realmd_tags = manages-system joined-with-adcli
> access_provider = ad 
> auth_provider = ad
> id_provider = ad
> ldap_id_mapping = True
> #
> # cache_credentials = True
> # krb5_store_password_if_offline = True
> #
> use_fully_qualified_names = False
> default_shell = /bin/bash
> fallback_homedir = /home/%u@%d
> 
> 
> [pam]
> debug_level = 10
> pam_cert_auth = True
> 
> #######################
> krb5-child.log 
> #######################
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): 
> krb5_child started.
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] 
> (0x1000): total buffer size: [152]
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] 
> (0x0100): cmd [249] uid [270401103] gid [270400513] validate [true] 
> enterprise principal [true] offline [false] UPN [[email protected]]

Hi,

this is the first run of krb5_child where it is figured out which
authentication methods are available ('cmd [249]'). Do you have runs
with 'cmd [241]', which is the actual authentication, in the logs as
well?

bye,
Sumit
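A small triage helper, added here as an example and not part of this thread or of sssd itself, that does by script what the reply above asks for by hand: it groups krb5_child.log entries by child PID, reads each run's cmd code (249 = discovery of available auth methods, 241 = the actual authentication, as stated above), counts refused prompts and collects the preauth module results so a PKINIT failure is visible per run. The embedded log excerpt is constructed to mirror the posted lines, with an invented second run (PID 75240) that authenticates successfully.

```python
import re

# Constructed krb5_child.log excerpt, one entry per line (the mailing-list copy is
# line-wrapped). PID 75227 mirrors the posted discovery run (cmd 249); PID 75240 is
# an invented authentication run (cmd 241) in which PKINIT succeeds.
SAMPLE_LOG = """\
(Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] (0x0100): cmd [249] uid [270401103] gid [270400513] validate [true] enterprise principal [true] offline [false] UPN [test_user@DOMAIN.TEST]
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291327: Preauth module pkinit (16) (real) returned: -1765328360/Preauthentication failed
(Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291330: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(Mon Jan 18 17:45:20 2021) [[sssd[krb5_child[75240]]]] [unpack_buffer] (0x0100): cmd [241] uid [270401103] gid [270400513] validate [true] enterprise principal [true] offline [false] UPN [test_user@DOMAIN.TEST]
(Mon Jan 18 17:45:21 2021) [[sssd[krb5_child[75240]]]] [sss_child_krb5_trace_cb] (0x4000): [75240] 1610984721.100001: Preauth module pkinit (16) (real) returned: 0/Success
"""

RUN_RE = re.compile(r"\[krb5_child\[(\d+)\]\]")          # child PID of each entry
CMD_RE = re.compile(r"\bcmd \[(\d+)\]")                   # request type from unpack_buffer
PREAUTH_RE = re.compile(r"Preauth module (\S+) \((\d+)\) \(real\) returned: (-?\d+)/(.*)$")


def triage_krb5_child_log(text):
    """Group entries by krb5_child PID: cmd code, preauth results, refused prompts."""
    runs = {}
    for line in text.splitlines():
        m = RUN_RE.search(line)
        if not m:
            continue
        run = runs.setdefault(int(m.group(1)),
                              {"cmd": None, "preauth": [], "unhandled_prompts": 0})
        c = CMD_RE.search(line)
        if c:
            run["cmd"] = int(c.group(1))
        if "Cannot handle password prompts" in line:
            run["unhandled_prompts"] += 1
        p = PREAUTH_RE.search(line)
        if p:  # (module name, pa-type number, krb5 error code, message)
            run["preauth"].append((p.group(1), int(p.group(2)), int(p.group(3)), p.group(4)))
    return runs


def auth_runs(runs):
    """PIDs of runs that did the actual authentication (cmd 241, per the reply above)."""
    return sorted(pid for pid, r in runs.items() if r["cmd"] == 241)


def pkinit_failed(run):
    """True when the PKINIT preauth module (pa-type 16) returned a non-zero code."""
    return any(mod == "pkinit" and ptype == 16 and code != 0
               for mod, ptype, code, _ in run["preauth"])
```

Run it over a real krb5_child.log with `debug_level = 10`: if `auth_runs()` comes back empty, only discovery runs (cmd 249) were logged, which is exactly the gap the reply asks about.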

> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [unpack_buffer] 
> (0x0100): ccname: [KEYRING:persistent:270401103] old_ccname: 
> [KEYRING:persistent:270401103] keytab: [/etc/krb5.keytab]
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [check_use_fast] 
> (0x0100): Not using FAST.
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [become_user] 
> (0x0200): Trying to become user [270401103][270400513].
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x2000): 
> Running as [270401103][270400513].
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] 
> (0x0100): No specific renewable lifetime requested.
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [set_lifetime_options] 
> (0x0100): No specific lifetime requested.
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): Will 
> perform pre-auth
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [tgt_req_child] 
> (0x1000): Attempting to get a TGT
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] 
> (0x0400): Attempting kinit for realm [DOMAIN.TEST]
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874510: Getting 
> initial credentials for test_user\@[email protected]
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874512: Sending 
> unauthenticated request
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874513: Sending 
> request (229 bytes) to DOMAIN.TEST
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874514: Sending 
> initial UDP request to dgram 10.0.0.3:88
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874515: Received 
> answer (197 bytes) from dgram 10.0.0.3:88
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874516: Response was 
> from master KDC
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874517: Received error 
> from KDC: -1765328359/Additional pre-authentication required
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874520: 
> Preauthenticating using KDC method data
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874521: Processing 
> preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), 
> PA-ENC-TIMESTAMP (2)
> 
> (Mon Jan 18 17:44:13 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984653.874522: Selected etype 
> info: etype aes256-cts, salt "DOMAIN.TESTtest_user", params ""
> 
> (Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_responder] 
> (0x4000): Got question [pkinit].
> (Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] 
> (0x4000): [0] Identity 
> [PKCS11:module_name=/lib/libsadaptor.so:slotid=2:token=Crypto Token] flags 
> [0].
> (Mon Jan 18 17:44:15 2021) [[sssd[krb5_child[75227]]]] [answer_pkinit] 
> (0x4000): Setting pkinit_prompting.
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] 
> (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] 
> EINVAL.
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] 
> (0x4000): Prompt [0][Crypto Token                              PIN].
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] 
> (0x0020): Cannot handle password prompts.
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291326: PKINIT client 
> has no configured identity; giving up
> 
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291327: Preauth module 
> pkinit (16) (real) returned: -1765328360/Preauthentication failed
> 
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291328: PKINIT client 
> ignoring draft 9 offer from RFC 4556 KDC
> 
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291329: Preauth module 
> pkinit (15) (real) returned: -1765328360/Preauthentication failed
> 
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] 
> (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] 
> EINVAL.
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] 
> (0x4000): Prompt [0][Password for test_user\@[email protected]].
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] 
> (0x0020): Cannot handle password prompts.
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] 
> [sss_child_krb5_trace_cb] (0x4000): [75227] 1610984656.291330: Preauth module 
> encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
> 
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] 
> [sss_krb5_get_init_creds_password] (0x0020): 1627: 
> [-1765328174][Pre-authentication failed: Preauthentication failed]
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [get_and_save_tgt] 
> (0x0400): krb5_get_init_creds_password returned [-1765328174] during pre-auth.
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] 
> (0x0200): Received error code 0
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [pack_response_packet] 
> (0x2000): response packet size: [12]
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [k5c_send_data] 
> (0x4000): Response sent.
> (Mon Jan 18 17:44:16 2021) [[sssd[krb5_child[75227]]]] [main] (0x0400): 
> krb5_child completed successfully
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]