Hello, this looks very similar to a recent thread "Can't login with smartcard" - `libsadaptor.so` (on Ubuntu) again. Can you provide any details about this module? I wasn't able to find anything.
> What's weird to me is that `modutil -list` shows slot 0 as empty and slot 1 > as not empty, and then `p11_child --pre` doesn't try to use slot 1. I think you hit a known issue: https://github.com/SSSD/sssd/issues/5025 Could you please check if a work around described in the "Comment from sbose at 2019-08-06 11:09:19" helps? On Tue, Mar 16, 2021 at 9:39 PM Assaf Morami <[email protected]> wrote: > > Hello everyone. > > I'm trying to configure smart card login of active directory users on an > ubuntu machine. > I'm following this guide: > https://scriptech.io/linux-enable-smartcard-authentication-against-active-directory-and-generate-tgt-using-pkinit > > But for me the opensc library cannot talk with my card and I'm using a > library that my card provider gave my. My issue right now is that `p11_child > --pre --nssdb=/etc/pki/nssdb` fails to pull the certificate from my smart > card. > > I'm able to log in with AD users and their smart cards using `kinit` and > `ksu`, so I know the cards are okay. > > What's weird to me is that `modutil -list` shows slot 0 as empty and slot 1 > as not empty, and then `p11_child --pre` doesn't try to use slot 1. Maybe > p11_child thinks that if slot 0 is empty then slot 1 must be empty too? > > Please help! > > Here are the relevant logs: > ``` > # modutil -dbdir nssdb -list > > Listing of PKCS #11 Modules > ---------------------------------------------------- > 1. NSS Internal #11 Module > > uri: pkcs11: library-manufacturer=Mozilla%20Foundation; > library-description=NSS%20Internal%20Crypto%20Services;library > slots: 2 slots attached > status: loaded > > slot: NSS Internal Cryptographic Services > token: NSS Generic Crypto Services > uri: > pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 > > slot: NSS User Private Key and Certificate Services > token: NSS Certificate DB > uri: > pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation; > serial=0000000000000000;model=NSS%203 > > 2. MyTest > > library name: mylib.so > uri: > pkcs11:library-manufacturer=Boring%20Ent.;library-description=Cryptokit%20Extended%20Version;libversion=5.3 > slots: 2 slots attached > status: loaded > > slot: [EMPTY] > token: > uri: pkcs11: > > slot: Athena ASE IIIe (SBR069-00000) 00 00 > token: 918 > uri: > pkcs11:token=918;manufacturer=Boring%20Ent.;serial=0349B7D30E11024G;model=PKISmartCard%20(A) > ``` > > ``` > # p11_child --pre --nssdb=nssdb -d=9 > > [main] (0x0400): p11_child started. > [main] (0x2000): Running in [pre-auth] mode. > [main] (0x2000): Running with effective IDs: [0][0]. > [do_card] (0x4000): Default Module List: > [do_card] (0x4000): common name: INSS Internal PKCS #11 > [do_card] (0x4000): dll name: [(null)). > [do_card] (0x4000): common name: [MyTest] > [do_card] (0x4000): dll name: [Libsadaptor.so]. > [do_card] (0x4000): Dead Module List: > [do_card] (0x4000): DB Module List: > [do_card] (ex4000): common name: [NSS Internal Module]. > [do_card] (0x4000): dll name: [(null)]. > [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla > Foundation] Manufacturer [Mozilla Foundation] flags [9] removable [false] > token present [true]. > [do_card] (0x4000): Description [NSS User Private Key and Certificate > Services Mozilla Foundation] Manufacturer [Mozilla Foundation] flags [1] > removable [false] token present [true]. > [do_card] (0x4000): Description [[EMPTY] Boring Ent.] Manufacturer [Boring > Ent.] flags [2] removable [true] token present [false]. > [do_card] (0x4000): Token not present. > [main] (0x0040): do-work failed. > [main] (Ox0020): p11_child failed! > ``` > _______________________________________________ > sssd-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
