On Wed, May 05, 2021 at 09:45:27AM -0000, Gary Letth wrote:
> I'm trying to figure out how to get smartcard authentication working
> in RHEL 8.3 when the computer is joined to an Active Directory domain.
> So far I've managed to configure local authentication using a smart
> card by mapping a specific local account to a UPN in the SAN in the
> certificate. For obvious reasons not easy to use with a domain
> account. Anyone with experience on the matter?
> I've followed the official RHEL guide, but the certificate on the
> smart card is currently not stored in the userCertificate attribute in
> Active Directory, so I really need some way to map the Active
> Directory account to the UPN specified in the Subject Alternative Name
> in the certificate.
> The customer is currently doing that in Windows. As long as the
> certificate is verified against their CA and the user name matches
> what's in the SAN, the user is logged on. How can I do this on a RHEL
> 8.3 workstation?
Hi,

you can add a certificate mapping and matching rule, see man sssd.conf
and man sss-certmap for details. In your case something like

    [certmap/my.domain/rule_name]
    matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
    maprule = (|(userPrincipalName={subject_principal})(samAccountName={subject_principal.short_name}))
    domains = my.domain
    priority = 10

where you replace my.domain with the proper domain name of your
environment.

> I tried following the official guide at Red Hat, adding the user
> certificate to the userCertificate attribute in Active Directory, but
> it doesn't seem to work. As soon as I use authselect to enable
> smartcard logon I end up with a PIN prompt without entering a user
> name, and entering the correct PIN for the card doesn't work.

Only seeing the PIN prompt is expected, this is a feature of GDM.

Most probably authentication fails while trying to get the Kerberos
ticket with the help of the smartcard because AD requires some special
setting in krb5.conf. To debug this please add 'debug_level = 9' to the
[domain/...] section, restart SSSD and try again. Then check
krb5_child.log or send it here together with your /etc/krb5.conf.
HTH

bye,
Sumit

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
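The following is an added worked example, not code from the thread or from SSSD itself. It shows what the certmap rule in Sumit's reply actually does: the matchrule's <ISSUER> regular expression is tested against the certificate's issuer DN, and only when it matches is the maprule template expanded into the LDAP filter that is used to look up the AD account. The script is a simplified stand-in for sss-certmap: it handles only the <ISSUER> selector and the two template variables used in the reply, assumes the issuer DN is presented as an RFC 4514 string exactly as written in the rule, and does no LDAP filter escaping. The certificate values (issuer DN, SAN UPN) are constructed.

```python
import re

# Constructed sssd.conf certmap section, same shape as the rule suggested in
# the reply above (my.domain / My-CA are placeholders, not a real deployment).
CERTMAP_SECTION = """
[certmap/my.domain/rule_name]
matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$
maprule = (|(userPrincipalName={subject_principal})(samAccountName={subject_principal.short_name}))
domains = my.domain
priority = 10
"""


def parse_certmap(text):
    """Parse one [certmap/...] section into a dict of option -> value."""
    rule = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        rule[key.strip()] = value.strip()
    return rule


def issuer_matches(matchrule, issuer_dn):
    """Apply a '<ISSUER>regex' matchrule to an issuer DN given as an
    RFC 4514 string (assumption for this example).  Only the <ISSUER>
    selector is handled; real sss-certmap supports several more."""
    m = re.fullmatch(r"<ISSUER>(.*)", matchrule)
    if not m:
        raise ValueError("only <ISSUER> matchrules are handled in this example")
    return re.search(m.group(1), issuer_dn) is not None


def expand_maprule(maprule, subject_principal):
    """Expand {subject_principal} and {subject_principal.short_name} into a
    concrete LDAP filter.  short_name is the part before the '@'."""
    short_name = subject_principal.split("@", 1)[0]
    return (maprule
            .replace("{subject_principal.short_name}", short_name)
            .replace("{subject_principal}", subject_principal))


def map_certificate(rule, issuer_dn, san_upn):
    """Return the LDAP filter the rule would produce for this certificate,
    or None when the issuer does not satisfy the matchrule (the rule is
    then skipped and the card cannot map to any account via this rule)."""
    if not issuer_matches(rule["matchrule"], issuer_dn):
        return None
    return expand_maprule(rule["maprule"], san_upn)


if __name__ == "__main__":
    rule = parse_certmap(CERTMAP_SECTION)
    # Constructed certificate data: one card from the trusted CA, one not.
    for issuer in ("CN=My-CA,DC=MY,DC=DOMAIN", "CN=Other-CA,DC=MY,DC=DOMAIN"):
        print(issuer, "->", map_certificate(rule, issuer, "alice@my.domain"))
```

The useful check here is the negative case: a certificate from an issuer that does not match the anchored ^...$ expression yields no filter at all, which is what prevents a card from an untrusted CA with a look-alike UPN from being mapped. If a real login fails with a rule like this in place, the issuer DN string SSSD sees in sssd_<domain>.log at debug_level 9 is the first thing to compare against the matchrule.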