Hi André,

Thanks to the support of VMware (which provides the pk11 module we use), we realized that, as we have load balancing for our DCs, we ended up with a mismatch between the certificate and the host configured there.

I think the documentation could be a bit clearer here, especially when it comes to the typical situation where load balancing is used. But there was more: SHA1 seems to be required as well, and this is a potential problem that users might not think of, and I never saw any reference to it in the logs, even with debug_level=9. This was a situation that endured for months until we got a clear idea of how to make it work. To make things worse, the coupling of krb5-workstation and krb5-pkinit on RHEL 9 complicated matters further, as we had it working well on RHEL 8 before we moved to RHEL 9.

In short, there is a lot that can go wrong, and there's barely enough information out there.

Best,
Francis

> On Sep 22, 2023, at 15:48, Andre Boscatto <abosc...@redhat.com> wrote:
>
> Hi Francis,
>
> Thanks for sharing the solution and I'm happy you found it :)
>
> May I ask how you got there? I mean, do we have a lack of
> documentation? Is it not clear enough? Just looking for room for improvement
> here (if any).
>
> Kind regards
> ------------------------------------
> André Boscatto
> Product Owner
> Red Hat <https://www.redhat.com/>
>
> On Thu, 21 Sept 2023 at 14:23, Francis Augusto Medeiros-Logeay
> <r...@med-lo.eu> wrote:
>>
>> Just for the record, we found the problem. It seems that all kdc hosts
>> must be explicitly configured for pkinit_kdc_hostname - i.e., one line for
>> each host.
>>
>> This fixed the issue for us.
>>
>> Best,
>> Francis
>>
>> On 2023-09-13 19:06, Francis Augusto Medeiros-Logeay wrote:
>> > Hi,
>> >
>> > Ok, I don't know where to start, but let's see if I can explain this.
>> >
>> > We use a product that uses certificates (a la smart cards) to log in to
>> > RHEL 8/9 on behalf of users.
>> > Sumit helped me in June but we didn't finish debugging this.
>> >
>> > The bottom of the issue is that, when krb5-pkinit is present on the
>> > system, the certificates do not work. When it isn't, it works.
>> >
>> > On RHEL 8, for example, it works right away, after I configure
>> > sssd.conf and install the CA certificates. But Sumit asked me if
>> > krb5-pkinit was installed, and it wasn't. When I install it, it breaks
>> > the whole thing.
>> >
>> > On RHEL 9, krb5-pkinit comes pre-installed. So the certificate-based
>> > authentication doesn't work. I then remove the package. It then starts
>> > to work.
>> >
>> > Is there something I'm missing here? Should I somehow configure
>> > krb5-pkinit in a way that I can get my certificate/smartcard
>> > authentication to work with krb5-pkinit installed? Are there any
>> > security issues to have that authentication working without
>> > krb5-pkinit?
>> >
>> > Best,
>> >
>> > Francis

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
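As an added check (my own example, not code from this thread, from SSSD or from MIT krb5), the following Python script parses a krb5.conf [realms] stanza and reports every kdc host that has no pkinit_kdc_hostname line of its own, which is the per-host configuration the thread settles on for a load-balanced KDC setup. The realm, the hostnames and the config text are constructed for the example; the parser assumes one "key = value" per line and the usual "REALM = {" / "}" stanza layout.

```python
import re
# Added example (not code from the thread). Assumes one "key = value" per line
# and "REALM = {" / "}" realm stanzas; hostnames are compared case-insensitively.
SECTION_RE = re.compile(r"^\[(\w+)\]$")
REALM_OPEN_RE = re.compile(r"^([\w.\-]+)\s*=\s*\{$")
KV_RE = re.compile(r"^(\w+)\s*=\s*(\S+)$")

def parse_realms(conf_text):
    """{realm: {"kdc": [...], "pkinit_kdc_hostname": [...]}}; [libdefaults] names apply to every realm."""
    realms, defaults, section, realm = {}, [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        if m := SECTION_RE.match(line):
            section, realm = m.group(1), None
        elif section == "realms" and (m := REALM_OPEN_RE.match(line)):
            realm = m.group(1)
            realms.setdefault(realm, {"kdc": [], "pkinit_kdc_hostname": []})
        elif section == "realms" and line == "}":
            realm = None
        elif m := KV_RE.match(line):
            key, value = m.group(1), m.group(2).lower()
            if section == "libdefaults" and key == "pkinit_kdc_hostname":
                defaults.append(value)
            elif realm and key in ("kdc", "pkinit_kdc_hostname"):
                realms[realm][key].append(value)
    for entry in realms.values():
        entry["pkinit_kdc_hostname"].extend(defaults)
    return realms

def kdcs_without_pkinit_hostname(conf_text):
    """Per realm: sorted kdc hostnames (":port" stripped) that have no pkinit_kdc_hostname line."""
    report = {}
    for realm, entry in parse_realms(conf_text).items():
        hosts = {re.sub(r":\d+$", "", k) for k in entry["kdc"]}
        report[realm] = sorted(hosts - set(entry["pkinit_kdc_hostname"]))
    return report
# Constructed sample: a load balancer in front of two DCs, only the balancer name listed.
BROKEN_CONF = """[realms]
  EXAMPLE.COM = {
    kdc = dc-lb.example.com
    kdc = dc1.example.com:88
    kdc = dc2.example.com
    pkinit_kdc_hostname = dc-lb.example.com
  }"""
# The thread's fix: one pkinit_kdc_hostname line per KDC host.
FIXED_CONF = BROKEN_CONF.replace("  }", "    pkinit_kdc_hostname = dc1.example.com\n"
                                        "    pkinit_kdc_hostname = dc2.example.com\n  }")
```

Running kdcs_without_pkinit_hostname on BROKEN_CONF lists dc1 and dc2 as unlisted hosts, while FIXED_CONF yields an empty list for the realm.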