So I installed the krb5-pkinit package and added the following lines to sssd.conf:

[sssd]
certificate_verification = no_verification

[domain/xxxxx.xxxxx.net]
krb5_use_enterprise_principal = true    <- Recommendation from Redhat support.

[certmap/xxxxx.xxxxx.net/smartcard]
matchrule = <ISSUER>^CN=XXXXX-CA,DC=XXXXX,DC=XXXXX,DC=NET
maprule = (|(userPrincipalName={subject_principal})(samAccountName={subject_principal.short_name}))
domains = xxxx.xxxxx.net
priority = 10

The full certificate chain from the CA is stored in /etc/sssd/pki/sssd_auth_ca_db.pem

This is the resulting krb5_child.log:

(2021-05-12 10:49:57): [krb5_child[2004618]] [main] (0x0400): krb5_child started.
(2021-05-12 10:49:57): [krb5_child[2004618]] [unpack_buffer] (0x1000): total buffer size: [195]
(2021-05-12 10:49:57): [krb5_child[2004618]] [unpack_buffer] (0x0100): cmd [241] uid [57252887] gid [57200513] validate [true] enterprise principal [true] offline [false] UPN [usern...@xxxxx.xxxxx.net]
(2021-05-12 10:49:57): [krb5_child[2004618]] [unpack_buffer] (0x2000): No old ccache
(2021-05-12 10:49:57): [krb5_child[2004618]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [not set] keytab: [/etc/krb5.keytab]
(2021-05-12 10:49:57): [krb5_child[2004618]] [check_use_fast] (0x0100): Not using FAST.
(2021-05-12 10:49:57): [krb5_child[2004618]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(2021-05-12 10:49:57): [krb5_child[2004618]] [privileged_krb5_setup] (0x0080): Cannot open the PAC responder socket
(2021-05-12 10:49:57): [krb5_child[2004618]] [switch_creds] (0x0200): Switch user to [0][0].
(2021-05-12 10:49:57): [krb5_child[2004618]] [switch_creds] (0x0200): Already user [0].
(2021-05-12 10:49:57): [krb5_child[2004618]] [main] (0x2000): Running as [0][0].
(2021-05-12 10:49:57): [krb5_child[2004618]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
(2021-05-12 10:49:57): [krb5_child[2004618]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(2021-05-12 10:49:57): [krb5_child[2004618]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(2021-05-12 10:49:57): [krb5_child[2004618]] [main] (0x0400): Will perform online auth
(2021-05-12 10:49:57): [krb5_child[2004618]] [tgt_req_child] (0x1000): Attempting to get a TGT
(2021-05-12 10:49:57): [krb5_child[2004618]] [get_and_save_tgt] (0x4000): Found Smartcard credentials, trying pkinit.
(2021-05-12 10:49:57): [krb5_child[2004618]] [get_pkinit_identity] (0x4000): Got [IDPrime (basic)][/usr/lib64/pkcs11/libiidp11.so].
(2021-05-12 10:49:57): [krb5_child[2004618]] [get_pkinit_identity] (0x4000): Using pkinit identity [PKCS11:module_name=/usr/lib64/pkcs11/libiidp11.so:token=IDPrime (basic):certid=800E531104A944C4].
(2021-05-12 10:49:57): [krb5_child[2004618]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [XXXXX.XXXXX.NET]
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219647: Getting initial credentials for username\@xxxxx.xxxxx....@xxxxx.xxxxx.net
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219649: Sending unauthenticated request
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219650: Sending request (244 bytes) to XXXXX.XXXXX.NET
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219651: Sending initial UDP request to dgram 10.184.199.13:88
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219652: Received answer (215 bytes) from dgram 10.184.199.13:88
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219653: Response was from master KDC
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219654: Received error from KDC: -1765328359/Additional pre-authentication required
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219657: Preauthenticating using KDC method data
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219658: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809397.219659: Selected etype info: etype aes256-cts, salt "XXXXX.XXXXX.NETusername", params ""
(2021-05-12 10:49:57): [krb5_child[2004618]] [sss_krb5_responder] (0x4000): Got question [pkinit].
(2021-05-12 10:49:57): [krb5_child[2004618]] [answer_pkinit] (0x4000): [0] Identity [PKCS11:module_name=/usr/lib64/pkcs11/libiidp11.so:slotid=1:token=IDPrime (basic)] flags [0].
(2021-05-12 10:49:57): [krb5_child[2004618]] [answer_pkinit] (0x4000): Setting pkinit_prompting.
(2021-05-12 10:49:57): [krb5_child[2004618]] [pkinit_identity_matches] (0x4000): Found [module_name=/usr/lib64/pkcs11/libiidp11.so] in identity [PKCS11:module_name=/usr/lib64/pkcs11/libiidp11.so:slotid=1:token=IDPrime (basic)].
(2021-05-12 10:49:57): [krb5_child[2004618]] [pkinit_identity_matches] (0x4000): Found [token=IDPrime (basic)] in identity [PKCS11:module_name=/usr/lib64/pkcs11/libiidp11.so:slotid=1:token=IDPrime (basic)].
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809398.178582: PKINIT loading CA certs and CRLs from FILE
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809398.178583: PKINIT client computed kdc-req-body checksum 9/EE2535428039B767876E61A7EBE92F08F612D298
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809398.178585: PKINIT client making DH request
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809398.178586: PKINIT OpenSSL error: Failed to verify own certificate (depth 0): unable to get local issuer certificate
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809398.178587: Preauth module pkinit (16) (real) returned: -1765328360/Failed to verify own certificate (depth 0): unable to get local issuer certificate
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_krb5_prompter] (0x4000): Prompt [0][Password for username\@xxxxx.xxxxx....@xxxxx.xxxxx.net].
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts.
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_child_krb5_trace_cb] (0x4000): [2004618] 1620809398.178588: Preauth module encrypted_timestamp (2) (real) returned: -1765328254/Cannot read password
(2021-05-12 10:49:58): [krb5_child[2004618]] [sss_krb5_get_init_creds_password] (0x0020): 1627: [-1765328174][Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate]
(2021-05-12 10:49:58): [krb5_child[2004618]] [get_and_save_tgt] (0x0020): 1704: [-1765328174][Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate]
(2021-05-12 10:49:58): [krb5_child[2004618]] [map_krb5_error] (0x0020): 1833: [-1765328174][Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate]
(2021-05-12 10:49:58): [krb5_child[2004618]] [k5c_send_data] (0x0200): Received error code 1432158222
(2021-05-12 10:49:58): [krb5_child[2004618]] [pack_response_packet] (0x2000): response packet size: [4]
(2021-05-12 10:49:58): [krb5_child[2004618]] [k5c_send_data] (0x4000): Response sent.
(2021-05-12 10:49:58): [krb5_child[2004618]] [main] (0x0400): krb5_child completed successfully

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
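The PKINIT failure in the log above ("Failed to verify own certificate (depth 0): unable to get local issuer certificate") is OpenSSL reporting that it could not find, in the file krb5 was given as its anchor store, a certificate whose Subject matches the Issuer of the smartcard certificate. A quick way to confirm or rule that out before touching Kerberos is to walk the Issuer-to-Subject links from the card certificate into the bundle and see where the chain breaks. The script below is an added example, not part of the original post or of SSSD; it uses only the Python standard library, compares the raw DER encoding of the Name fields (stricter than OpenSSL's canonical comparison, but adequate for a sanity check), and runs against constructed, unsigned certificates so it works offline. The certificate names used and the helper functions are all assumptions made for the example; to use it on a real host, feed `check_chain` the DER of the card certificate and `load_pem_certs` the contents of /etc/sssd/pki/sssd_auth_ca_db.pem.

```python
import base64
import re

# ---- minimal DER reader (stdlib only) --------------------------------------
def der_tlv(buf, pos=0):
    """Parse one DER TLV starting at pos; return (tag, content, end_pos)."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed value into (tag, raw_tlv, content) tuples."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, end = der_tlv(content, pos)
        out.append((tag, content[pos:end], inner))
        pos = end
    return out

def cert_names(cert_der):
    """Return (issuer_name_der, subject_name_der) of an X.509 certificate."""
    _, cert, _ = der_tlv(cert_der)                     # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][2])    # tbsCertificate fields
    if fields[0][0] == 0xA0:                           # skip optional [0] version
        fields = fields[1:]
    # order is now: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def common_name(name_der):
    """Return the first attribute value of a Name (the CN here), for display."""
    _, content, _ = der_tlv(name_der)
    for _, _, rdn in der_children(content):
        for _, _, atv in der_children(rdn):
            return der_children(atv)[1][2].decode("latin-1")
    return "<empty>"

def load_pem_certs(text):
    """Return DER bytes for every CERTIFICATE block in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain(leaf_der, bundle_ders):
    """Follow issuer -> subject links from the leaf into the bundle.
    Returns (ok, chain_of_cns, missing_issuer_cn); missing_issuer_cn is the
    issuer OpenSSL would report as 'unable to get local issuer certificate'."""
    by_subject = {cert_names(c)[1]: c for c in bundle_ders}
    chain, current = [], leaf_der
    for _ in range(len(bundle_ders) + 1):              # bounded: no infinite loops on cycles
        issuer, subject = cert_names(current)
        chain.append(common_name(subject))
        if issuer == subject:                          # self-signed root reached
            return True, chain, None
        if issuer not in by_subject:
            return False, chain, common_name(issuer)
        current = by_subject[issuer]
    return False, chain, None

# ---- constructed, UNSIGNED sample certificates (not real CA material) -------
def der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

def name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), PrintableString } } }"""
    atv = der(0x30, der(0x06, bytes([0x55, 0x04, 0x03])) + der(0x13, cn.encode()))
    return der(0x30, der(0x31, atv))

def fake_cert(subject_cn, issuer_cn):
    """Structurally valid Certificate with empty algorithm/validity/SPKI and a dummy signature."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b""))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

ROOT = fake_cert("Example Root CA", "Example Root CA")        # assumed names
ISSUING = fake_cert("Example Issuing CA", "Example Root CA")
CARD = fake_cert("smartcard-user", "Example Issuing CA")

COMPLETE_BUNDLE = to_pem(ROOT) + to_pem(ISSUING)   # what the CA bundle should contain
ROOT_ONLY_BUNDLE = to_pem(ROOT)                    # reproduces the depth-0 issuer gap

if __name__ == "__main__":
    for label, bundle in (("complete", COMPLETE_BUNDLE), ("root-only", ROOT_ONLY_BUNDLE)):
        ok, chain, missing = check_chain(CARD, load_pem_certs(bundle))
        print(f"{label:9} {'OK' if ok else 'missing issuer ' + repr(missing)}: {' -> '.join(chain)}")
```

If the walk stops at the card certificate and names the issuing CA as missing, the bundle that krb5 is actually reading lacks the intermediate, regardless of what `certificate_verification` in sssd.conf is set to, since that option governs SSSD's own check of the card certificate rather than the file libkrb5's pkinit module uses as its anchor store.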